I'm looking for a way to create a Splunk query (and then into a real-time alert) when the below conditions are met.
Excessive firewall denies (say anything more than 50) followed by a firewall accept all from the same source IP within a 10 minute period.
Any ideas? I've tried multiple times to craft a query using transactions, but nothing I came up with worked.
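One way to express this in SPL using `streamstats` instead of `transaction`, added here as an example and not part of the original post. It assumes a firewall index with a `src_ip` field and an `action` field taking the values `deny` and `allow`; map those names to your own sourcetype before using it.

```spl
index=firewall (action="deny" OR action="allow")
| eval is_deny=if(action="deny", 1, 0)
| sort 0 _time
| streamstats time_window=10m sum(is_deny) AS recent_denies BY src_ip
| where action="allow" AND recent_denies > 50
| table _time src_ip action recent_denies
```

The `sort 0 _time` puts events in ascending order so that, for every `allow` event, `recent_denies` is the count of denies from the same source in the preceding 10 minutes, and only allows with more than 50 such denies survive the `where`. For the alert, a scheduled search every few minutes over at least the last 20 minutes is more reliable than a real-time search, because `streamstats` needs the preceding deny events present in the same result set.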