Posted to user@metron.apache.org by Geeks Girls <ge...@gmail.com> on 2020/05/15 19:11:57 UTC

Profiling

Hi,

I have added ASA firewall and syslog in Metron. I want to know whether it is
possible to create an alert based on aggregation. I am experimenting with the
profiler. I need to check if logs are received from the same IP within 10 min.
I need to check if a certain type of event based on the same IP occurred within 3
mins; then it has to be marked as malicious.

For example, if a user logs in from different devices within a minute it
has to be marked as an alert. Is it possible in the Metron profiler to check if the same
user attempts to log in with different source IPs, based on the user id field,
within a minute? But if the same user logs in at different hours, then it
is normal.

I want to know if it is possible to create an alert based on aggregating logs
within a certain time period.


Regards,
Jai
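Added example, not part of this thread and not Metron profiler or Stellar code: the login-correlation logic the question describes, implemented stand-alone in Python as a per-user sliding window over constructed sample events (the timestamps, user names and IPs are assumed). It alerts when one user is seen from two or more distinct source IPs within one minute, while the same IP change hours apart stays quiet.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample login events, not real firewall/syslog data:
# (timestamp, user id, source IP)
SAMPLE_EVENTS = [
    ("2020-05-15 10:00:00", "alice", "10.1.1.5"),
    ("2020-05-15 10:00:20", "alice", "10.1.1.9"),    # 2nd IP within a minute -> alert
    ("2020-05-15 10:00:40", "bob",   "10.2.2.7"),
    ("2020-05-15 12:30:00", "bob",   "192.0.2.44"),  # new IP hours later -> normal
    ("2020-05-15 13:00:00", "alice", "10.1.1.5"),
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def find_multi_ip_logins(events, window_seconds=60, min_distinct_ips=2):
    """Sliding-window aggregation keyed on the user id field.

    For each login event, keep only that user's events from the last
    window_seconds and alert when the distinct source IPs in that window
    reach min_distinct_ips. Returns a list of (timestamp, user, sorted IPs).
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # user -> deque of (ts, ip) still inside the window
    alerts = []
    for ts_str, user, ip in sorted(events, key=lambda e: parse_ts(e[0])):
        ts = parse_ts(ts_str)
        q = recent[user]
        q.append((ts, ip))
        # Drop this user's events that have aged out of the window.
        while q and ts - q[0][0] > window:
            q.popleft()
        ips = {seen_ip for _, seen_ip in q}
        if len(ips) >= min_distinct_ips:
            alerts.append((ts_str, user, sorted(ips)))
    return alerts


if __name__ == "__main__":
    for alert in find_multi_ip_logins(SAMPLE_EVENTS):
        print("ALERT", alert)
```

Widening the window (e.g. to hours) turns the "different hours" case into an alert as well, which is the knob the question is really asking about.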