IPS Traffic Increase

You can use this for any type of baselining alerts around a predefined standard deviation. I used the IDS data model but the same logic can be applied to any random index.

|`tstats` count from datamodel=Intrusion_Detection.IDS_Attacks where IDS_Attacks.ids_type="network" by IDS_Attacks.dest,_time span=10m | stats count by IDS_Attacks.dest,_time| eval threshold=relative_time(now(),"-10m") | stats max(eval(if(_time>=threshold, count null()))) as latest | stats avg(eval(if(_time<threshold, count null()))) as avg | stats stdev(eval(if(_time<threshold, count null()))) as stdev by IDS_Attacks.dest | eval outlier=if((latest>(avg+(3*stdev))), "yes", "no") | search outlier="yes"

You should be able to do something similar on a single sourcetype as such

sourcetype=foo bin _time span=10m | stats count by dest,_time| eval threshold=relative_time(now(),"-10m") | stats max(eval(if(_time>=threshold, count null()))) as latest | stats avg(eval(if(_time<threshold, count null()))) as avg | stats stdev(eval(if(_time<threshold, count null()))) as stdev by dest | eval outlier=if((latest>(avg+(3*stdev))), "yes", "no") | search outlier="yes"
Share This:

Leave A Comment?