Looking for some help with an EPL rule.
The goal is to detect when a single client requests more than 275 unique A records for hosts in my AD domain within 5 minutes. The custom meta key dns_qtype is populated by an app rule that acts on logs produced by our name servers.
@RSAAlert(oneInSeconds = 0)
dns_qtype.toLowerCase() IN ('dns a') AND
matchLike(alias_host, "%domain.local") AND
ip_src IS NOT NULL
This expression matches all of the events (DNS A record queries for domain.local). What I don't know is how to achieve the threshold and grouping by source IP with only unique alias_host values (ie what combination of views is required). Note that alias_host is an array as well - I'm not sure if that changes the behavior of std:unique.
I've tried this a few different ways and none of them have worked - would appreciate some assistance.