I'm looking for a way to traffic the average ssh traffic between two IP addresses (source IP and destination IP) and hopefully find when a host is doing more SSH traffic than usual and alert on it. I've been looking through some of the standard deviation paperwork and I think I found a search I wanted to do but the standard deviation I get is zero; which doesn't make sense.
Here is what I've been playing around with.
sourcetype="cisco:asa" dest_port=22
| stats count by src_ip, dest_ip
| stats mean(count) as mean, stdev(count) AS stdev by src_ip
| eval stdv_percentage=(mean/stdev)*100
↧