My current and potential customers want to have behavioral analysis. Unfortunately this mechanism is absent out of the box. Maybe somebody has EPL rules and can share them? I have a few suggestions about behavioral analysis rules:
1. If a user (IP) had X connections (success or deny - should be set in the rule) in the prior hour (day or minutes) and now the user (IP) has a deviation (up or down/both - should be set in the rule) of Y percent - alert.
2. A user (IP) has a normal activity pattern (for example, the amount of connections per day is 100 connections to the HTTP protocol, 200 connections to the HTTPS protocol, etc.). The next day the user (IP) has a deviation from the normal activity pattern of more or less/both (should be set in the rule) than 30% on one or more protocols (should be set in the rule) - alert.
3. A user (IP) has a normal activity pattern (for example, the list of countries where he had connections last week). If the user (IP) has a connection to a new country - alert.
Time slots should be floating. Rule 3 can have a case when we collect a list of all countries where a user (IP) had connections.
If possible, it should be possible to set a time slot of business hours and have 2 versions of rules for business and non-business hours.
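The three rule patterns above (volume deviation against the prior window, per-protocol deviation against a baseline, first connection to a new country), plus the floating window and business-hours switch, can be prototyped outside the SIEM before being translated into EPL. The following is an added Python example, not code from the post or from any vendor; it assumes connection events arrive as dicts with `ts` (epoch seconds), `ip`, `proto`, `country` and `outcome` fields, the sample stream is constructed, and the per-profile thresholds are placeholder values.

```python
"""Prototype of sliding-window behavioral rules (added example, not from the post).
Assumed event shape: {"ts": epoch_secs, "ip": str, "proto": str, "country": str, "outcome": str}."""
from collections import Counter
from datetime import datetime, timezone

HOUR = 3600
T0 = 1_700_000_000  # constructed epoch anchor (2023-11-14 22:13:20 UTC, a Tuesday)

# Constructed sample stream for one IP: hour 1 is the baseline (100 HTTP + 200 HTTPS, all to DE);
# hour 2 shows a volume spike of denied HTTP and a single HTTPS connection to a new country.
EVENTS = (
    [{"ts": T0 + i * 36, "ip": "10.0.0.5", "proto": "HTTP", "country": "DE", "outcome": "success"} for i in range(100)]
    + [{"ts": T0 + i * 18, "ip": "10.0.0.5", "proto": "HTTPS", "country": "DE", "outcome": "success"} for i in range(200)]
    + [{"ts": T0 + HOUR + i * 9, "ip": "10.0.0.5", "proto": "HTTP", "country": "DE", "outcome": "deny"} for i in range(400)]
    + [{"ts": T0 + HOUR + 100, "ip": "10.0.0.5", "proto": "HTTPS", "country": "BR", "outcome": "success"}]
)


def window_count(events, ip, start, end, outcome=None):
    """Count events for ip with start <= ts < end, optionally restricted to one outcome."""
    return sum(1 for e in events if e["ip"] == ip and start <= e["ts"] < end
               and (outcome is None or e["outcome"] == outcome))


def deviation_pct(previous, current):
    """Signed percentage change; an empty baseline with new activity counts as infinite growth."""
    if previous == 0:
        return float("inf") if current else 0.0
    return (current - previous) / previous * 100.0


def exceeds(pct, threshold, direction):
    """direction is 'up', 'down' or 'both', matching the 'should be set in the rule' knobs."""
    if direction == "up":
        return pct >= threshold
    if direction == "down":
        return pct <= -threshold
    return abs(pct) >= threshold


def rule1_volume_shift(events, ip, now, window=HOUR, threshold=50.0, direction="both", outcome=None):
    """Rule 1: compare the window ending at `now` with the window just before it (floating slots)."""
    prev = window_count(events, ip, now - 2 * window, now - window, outcome)
    cur = window_count(events, ip, now - window, now, outcome)
    pct = deviation_pct(prev, cur)
    return exceeds(pct, threshold, direction), pct


def protocol_profile(events, ip, start, end):
    """Per-protocol connection counts for ip inside [start, end)."""
    return Counter(e["proto"] for e in events if e["ip"] == ip and start <= e["ts"] < end)


def rule2_protocol_shift(events, ip, baseline, now, window=HOUR, threshold=30.0, direction="both", protocols=None):
    """Rule 2: per-protocol deviation of the current window from a baseline (start, end) interval.
    Returns {proto: pct} only for the protocols that breach the threshold."""
    base = protocol_profile(events, ip, *baseline)
    cur = protocol_profile(events, ip, now - window, now)
    watched = protocols or (set(base) | set(cur))
    flagged = {}
    for p in watched:
        pct = deviation_pct(base[p], cur[p])
        if exceeds(pct, threshold, direction):
            flagged[p] = pct
    return flagged


def rule3_new_country(events, ip, now, window=HOUR, lookback=7 * 24 * HOUR, accumulate=False):
    """Rule 3: countries seen in the current window that were never seen in the learning period.
    accumulate=True keeps every country ever seen instead of a sliding lookback."""
    start = 0 if accumulate else now - lookback
    known = {e["country"] for e in events if e["ip"] == ip and start <= e["ts"] < now - window}
    current = {e["country"] for e in events if e["ip"] == ip and now - window <= e["ts"] < now}
    return sorted(current - known)


def is_business_hours(ts, start_hour=9, end_hour=18, tz=timezone.utc):
    """Business hours are assumed to be weekdays 09:00-18:00 in the given timezone."""
    d = datetime.fromtimestamp(ts, tz)
    return d.weekday() < 5 and start_hour <= d.hour < end_hour


# Placeholder thresholds: two versions of the same rule, one per time slot.
PROFILES = {"business": {"threshold": 50.0}, "off_hours": {"threshold": 20.0}}


def select_profile(ts):
    """Pick the business or non-business parameter set for the evaluation time."""
    return PROFILES["business" if is_business_hours(ts) else "off_hours"]


if __name__ == "__main__":
    now = T0 + 2 * HOUR
    th = select_profile(now)["threshold"]
    print("rule1:", rule1_volume_shift(EVENTS, "10.0.0.5", now, threshold=th))
    print("rule2:", rule2_protocol_shift(EVENTS, "10.0.0.5", (T0, T0 + HOUR), now, threshold=th))
    print("rule3:", rule3_new_country(EVENTS, "10.0.0.5", now))
```

Each knob the post asks for ("should be set in the rule") is a function parameter: outcome filter, direction, percentage, window length, protocol list, and sliding versus accumulated country history. Translating to EPL means expressing the same two windows (current and baseline) as time-windowed aggregations and the comparison as the `where` clause, so keeping the arithmetic in small pure functions here makes it easy to cross-check what the EPL statement should produce.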