Anomaly Detection in Firewall/Router/Switch Logs


Syed

Mar 25, 2018, 12:19:12 AM
to Wazuh mailing list
Hello Folks,

I'm new to the product. I am wondering if there is a way to write a deviation-based rule. So, for instance, the system creates a baseline of network traffic based on logs from edge network devices and detects a 20% increase over the baseline.

I didn't find anything in the rule search for baseline, deviation, or anomaly, except host-based anomaly.

Have you guys implemented such use cases?

Thanks,
Syed

S.Hasan Rizvi

Mar 26, 2018, 7:47:36 PM
to Wazuh mailing list
Anybody?

Do we even have such a detection feature in the product?

--
You received this message because you are subscribed to a topic in the Google Groups "Wazuh mailing list" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/wazuh/_zN7pWuodMQ/unsubscribe.
To unsubscribe from this group and all its topics, send an email to wazuh+un...@googlegroups.com.
To post to this group, send email to wa...@googlegroups.com.
Visit this group at https://groups.google.com/group/wazuh.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/83b25017-e5df-4d86-b834-e752b9d60991%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Santiago Bassett

Apr 3, 2018, 2:27:53 PM
to S.Hasan Rizvi, Wazuh mailing list
Hi,

We typically rely on the Elastic Stack for anomaly detection.

Think of Wazuh as the monitoring tool and IDS providing alert data (based mostly on a regex engine, integration with TI sources for enrichment, and composite rules for detecting slightly more complex behaviors), and think of Elastic as your indexer with analytics and machine learning capabilities (included with X-Pack).

Here is a good example of what I understood you are looking for:


Best regards,

Santiago.
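The baseline-and-deviation check Syed asks about, as a stand-alone Python sketch added here for illustration (not Wazuh's or Elastic's code, and not part of the thread): it buckets firewall connection log lines per minute, builds a baseline from the minutes already seen, and flags any minute that is more than 20% above that baseline. The Cisco ASA-like log format, the `fw1` host name, and the 20% / three-minute thresholds are assumptions, and the log lines are constructed.

```python
import re
from collections import OrderedDict
from statistics import mean

# Regex for a Cisco ASA-style "Built ... TCP connection" line. The log shape is an
# assumption for this example; adjust the pattern to your own device's format.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}):\d{2} (?P<host>\S+) .*"
    r"Built (?:inbound|outbound) TCP connection"
)

def make_sample_logs(per_minute):
    """Build constructed firewall log lines: per_minute[i] connections in minute i."""
    lines = []
    for minute, n in enumerate(per_minute):
        for i in range(n):
            lines.append(
                f"Mar 25 00:{minute:02d}:{i % 60:02d} fw1 %ASA-6-302013: "
                f"Built outbound TCP connection {minute * 100 + i} for "
                f"outside:203.0.113.5/443 to inside:10.0.0.7/{51000 + i}"
            )
    return lines

def count_per_minute(lines):
    """Count matching lines per minute, keyed on the 'Mon DD HH:MM' prefix, in log order."""
    counts = OrderedDict()
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            counts[m["ts"]] = counts.get(m["ts"], 0) + 1
    return counts

def find_deviations(counts, threshold=0.20, min_history=3):
    """Flag buckets whose count exceeds the mean of all earlier buckets by more than threshold.

    Returns (bucket, count, baseline, relative_increase) tuples. A baseline needs at
    least min_history earlier buckets so that a single early minute cannot define it.
    """
    history, alerts = [], []
    for bucket, n in counts.items():
        if len(history) >= min_history:
            baseline = mean(history)
            increase = (n - baseline) / baseline
            if increase > threshold:          # strictly above: exactly 20% does not fire
                alerts.append((bucket, n, baseline, round(increase, 3)))
        history.append(n)
    return alerts

if __name__ == "__main__":
    logs = make_sample_logs([10, 11, 9, 10, 10, 13])
    for bucket, n, base, inc in find_deviations(count_per_minute(logs)):
        print(f"{bucket}: {n} connections vs baseline {base:.1f} (+{inc:.0%})")
```

In a real deployment the per-minute counts would come from an aggregation query over the indexed alerts rather than from re-reading raw syslog, but the baseline logic is the same.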
