I would like to detect when an event source is sending much more logs (in general) than usual.
For example, a firewall is sending 200 events per minute and, for a reason X or Y, we receive 2000 events per minute during a brief period. This is not normal, so I would like to trigger an alert.
What I want is an alert that is triggered when the average activity increases. So I don't want to monitor a specific message ID, but the average amount of logs received instead.
Do you have any tips, existing rules or explanations to help me?
Thank you in advance for your help.