Translating QRadar rules to SPL and stuck with setting thresholds
300 events are seen with the same Source IP and different Destination IP in 1 hour
No idea which parameters to use? Any hints?
Your search that gets the events you want, for the hour you want, with fields source_ip and dest_ip
| stats dc(dest_ip) as dest_count by source_ip
| where dest_count >=300
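As an added example (not code from the thread), here is the same logic as the answer's `stats dc(dest_ip) by source_ip | where dest_count >= 300`, implemented in Python over a sliding one-hour window so the threshold can be tried offline against known-good and known-bad hosts. The event tuples are constructed sample data, and the host/IP values are placeholders.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def make_events():
    """Constructed sample events (timestamp, source_ip, dest_ip); not real data."""
    base = datetime(2017, 5, 12, 9, 0, 0)
    events = []
    # Host 10.0.0.5: 320 distinct destinations inside 40 minutes (should be flagged).
    for i in range(320):
        events.append((base + timedelta(seconds=i * 7), "10.0.0.5", f"10.0.{i // 256}.{i % 256}"))
    # Host 10.0.0.9: 500 events but only 3 distinct destinations (noisy, not flagged).
    for i in range(500):
        events.append((base + timedelta(seconds=i * 5), "10.0.0.9", f"10.0.1.{i % 3}"))
    # Host 10.0.0.7: 320 distinct destinations spread over 4 hours (never 300 in one hour).
    for i in range(320):
        events.append((base + timedelta(seconds=i * 45), "10.0.0.7", f"10.1.{i // 256}.{i % 256}"))
    return events

def distinct_dest_counts(events, window=timedelta(hours=1)):
    """Equivalent of `stats dc(dest_ip) by source_ip`, evaluated over every
    sliding window of length `window`; returns the peak count per source_ip."""
    by_src = defaultdict(list)
    for ts, src, dst in events:
        by_src[src].append((ts, dst))
    peaks = {}
    for src, rows in by_src.items():
        rows.sort()
        in_window = defaultdict(int)   # dest_ip -> number of events still inside the window
        left, best = 0, 0
        for ts, dst in rows:
            in_window[dst] += 1
            while rows[left][0] < ts - window:   # evict events older than the window
                old = rows[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            best = max(best, len(in_window))
        peaks[src] = best
    return peaks

def flag_sources(events, threshold=300, window=timedelta(hours=1)):
    """Equivalent of `where dest_count >= threshold`."""
    return {src: n for src, n in distinct_dest_counts(events, window).items() if n >= threshold}

if __name__ == "__main__":
    print(flag_sources(make_events()))   # {'10.0.0.5': 320}
```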
Parameters to use to do what? What is your goal?
The goal is to detect WannaCry infection, and I need to set the above threshold.