Hi,
I was looking at the logic behind the correlation rules that are built into the ES App, but it was not so clear, for example for the brute-forcing rule. I would like to know the criteria for triggering this rule.
By editing the rule I am able to see that it runs every five minutes, but on what basis does this rule match the events to trigger as brute-forcing? (Example: number of login failures more than 10 times in a minute, etc.)
Similarly, I would like to know the criteria for the rules present in the ES App.
Thanks,