Hi, I have added ASA firewall and syslog in Metron. I want to know whether it is possible to create an alert based on aggregation. I am experimenting with the profiler. I need to check if logs are received from the same IP within 10 min. I need to check if a certain type of event from the same IP occurred within 3 mins; then it has to be marked as malicious.
For example, if a user logs in from different devices within a minute, it has to be marked as an alert. Is it possible in the Metron profiler to check if the same user attempts to log in with different source IPs, based on the user id field, within a minute? But if the same user logs in at different hours, then it is normal. I want to know whether it is possible to create an alert based on aggregating logs within a certain time period. Regards, Jai
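The two windowed rules described in the post (one user seen from more than one source IP within a minute; repeated events of one type from the same source IP within 3 minutes) can be sketched as a sliding-window aggregation. The code below is an added illustration of that logic in plain Python; it is not from the post and is not Metron profiler configuration. The event records, field names (`ts`, `user`, `src_ip`, `event_type`) and the auth-failure threshold of 3 are assumptions constructed for the example.

```python
"""Sliding-window aggregation over time-ordered security events.

Constructed illustration of the detection logic asked about above; the
event format, field names and thresholds are assumptions, not Metron's.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed thresholds (not from the post): alert after this many
# auth failures from one source IP inside the 3-minute window.
AUTH_FAILURE_THRESHOLD = 3
LOGIN_WINDOW = timedelta(minutes=1)
AUTH_FAILURE_WINDOW = timedelta(minutes=3)


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


class SlidingWindow:
    """Keeps, per key, only the events that fall inside a time window.

    Events must be fed in timestamp order, as a stream would deliver them.
    """

    def __init__(self, window):
        self.window = window
        self.buckets = defaultdict(deque)  # key -> deque of (ts, value)

    def add(self, key, ts, value):
        q = self.buckets[key]
        # Evict everything older than the window relative to the new event.
        while q and ts - q[0][0] > self.window:
            q.popleft()
        q.append((ts, value))
        return [v for _, v in q]


def detect(events):
    """Run both windowed rules over time-ordered event dicts.

    Returns a list of alert tuples so the result is easy to test:
      ("multi_ip_login", ts, user, (ip1, ip2, ...))
      ("repeated_auth_failure", ts, src_ip, count)
    """
    by_user = SlidingWindow(LOGIN_WINDOW)
    by_ip = SlidingWindow(AUTH_FAILURE_WINDOW)
    alerts = []
    for e in events:
        ts = parse_ts(e["ts"])
        if e["event_type"] == "login":
            # Same user, more than one distinct source IP within the window.
            ips = set(by_user.add(e["user"], ts, e["src_ip"]))
            if len(ips) > 1:
                alerts.append(("multi_ip_login", e["ts"], e["user"],
                               tuple(sorted(ips))))
        elif e["event_type"] == "auth_failure":
            # Count of one event type from one source IP within the window;
            # fire once, when the count first reaches the threshold.
            count = len(by_ip.add(e["src_ip"], ts, 1))
            if count == AUTH_FAILURE_THRESHOLD:
                alerts.append(("repeated_auth_failure", e["ts"],
                               e["src_ip"], count))
    return alerts


# Constructed sample events (not real logs). Bob's second login is hours
# later, so it is normal; Alice's second IP arrives 20 seconds after the first.
SAMPLE_EVENTS = [
    {"ts": "2024-01-01 10:00:00", "event_type": "login", "user": "alice", "src_ip": "10.0.0.5"},
    {"ts": "2024-01-01 10:00:20", "event_type": "login", "user": "alice", "src_ip": "10.0.0.9"},
    {"ts": "2024-01-01 10:00:30", "event_type": "login", "user": "bob", "src_ip": "10.0.1.1"},
    {"ts": "2024-01-01 13:00:00", "event_type": "login", "user": "bob", "src_ip": "10.0.2.2"},
    {"ts": "2024-01-01 13:01:00", "event_type": "auth_failure", "user": "-", "src_ip": "198.51.100.7"},
    {"ts": "2024-01-01 13:01:10", "event_type": "auth_failure", "user": "-", "src_ip": "198.51.100.7"},
    {"ts": "2024-01-01 13:01:20", "event_type": "auth_failure", "user": "-", "src_ip": "198.51.100.7"},
    {"ts": "2024-01-01 13:10:00", "event_type": "auth_failure", "user": "-", "src_ip": "198.51.100.7"},
]


def run_sample():
    return detect(SAMPLE_EVENTS)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The eviction step is what encodes "different hours is normal": once the gap to the oldest retained event exceeds the window, earlier events no longer count toward the aggregate, so the same user at 10:00 and 13:00 never produces an alert, while two IPs 20 seconds apart do.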
