So, your formula includes min_score as base, and sets "threshold" at 2/3 between min and max. In this case, if your data has no range between min and max, this formula will give you the same number as min==max. Only people with intimate knowledge about that data and this particular use case can determine what the best alternative formula could be. Say, for example, if you decide that instead of min_score + 2/3 * range for all, you want to use the existing formula when range is, say, greater than 1/10 of min_score, but use 4/5 * max_score if range is too narrow, you could just express this in SPL.

index=ss group="Threat Intelligence"
``` here I'm grouping the domain names into a single group by their naming convention ```
| eval domain_group=case(
    like(domain_name, "%cisco%"), "cisco",
    like(domain_name, "%wipro%"), "wipro",
    like(domain_name, "%IBM%"), "IBM",
    true(), "other"
)
| stats count as hits, min(attacker_score) as min_score, max(attacker_score) as max_score by domain_group, attackerip
| sort -hits
| eval range = max_score - min_score
``` fall back to 4/5 of max_score when the range is too narrow (not more than 1/10 of min_score) ```
| eval threshold = round(if(range > min_score / 10, min_score + (2 * (range / 3)), max_score * 4 / 5), 0)
| eventstats max(hits) as max_hits by domain_group ``` eventstats instead of streamstats ```
| where hits >= threshold ``` threshold is used in place of max_hits ```
| table domain_group, min_score, max_score, attackerip, hits, threshold
| dedup domain_group

This said, I notice the streamstats and dedup in your code, and the criterion hits >= max_hits. Maybe you have a different use case in mind? threshold is not used at all. Why calculate it? The condition hits >= max_hits combined with streamstats (as opposed to eventstats as I illustrated above) will result in alerts for every IP that has larger hits than all previous ones (instead of the largest one, or ones that exceed the calculated threshold) - is this what you wanted? Your table retains attackerip, but dedup domain_group will lose all except the highest in the group. Maybe your use case is simpler, that you want every domain group to alert, but alert only on the IP address with the largest hits? This use case is still very unclear.
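The following is an added example, not part of the answer above or the original question: a plain-Python model of that SPL pipeline, so the zero-range case and the streamstats-versus-eventstats difference the answer points out can be checked offline without a Splunk instance. The field names (domain_name, attackerip, attacker_score) follow the SPL; the events, domains, IPs and scores are constructed for illustration.

```python
"""Plain-Python model of the SPL threshold pipeline (added example, not the post's code)."""
import math
from collections import defaultdict

# Constructed sample events: (domain_name, attackerip, attacker_score)
EVENTS = [
    ("vpn.cisco.example", "10.0.0.1", 60),
    ("vpn.cisco.example", "10.0.0.1", 90),
    ("mail.cisco.example", "10.0.0.1", 75),
    ("mail.cisco.example", "10.0.0.2", 70),
    ("portal.wipro.example", "10.0.0.3", 50),
    ("portal.wipro.example", "10.0.0.3", 50),  # min == max: zero range
    ("hr.wipro.example", "10.0.0.4", 50),
    ("login.ibm.example", "10.0.0.5", 30),     # lowercase: the "%IBM%" pattern as written misses it
    ("sso.IBM.example", "10.0.0.6", 20),
    ("sso.IBM.example", "10.0.0.6", 21),       # range of 1: too narrow, triggers the fallback
]

def domain_group(domain_name):
    """eval domain_group=case(like(...)...), using the substrings exactly as written in the SPL."""
    for needle, group in (("cisco", "cisco"), ("wipro", "wipro"), ("IBM", "IBM")):
        if needle in domain_name:
            return group
    return "other"

def spl_round(x):
    """round(x, 0) for the non-negative values used here: half rounds up."""
    return math.floor(x + 0.5)

def threshold(min_score, max_score):
    """eval threshold=round(if(range > min_score/10, min_score + 2*range/3, max_score*4/5), 0).
    When the range is too narrow to anchor 2/3 of it, fall back to 4/5 of max_score."""
    rng = max_score - min_score
    if rng > min_score / 10:
        return spl_round(min_score + 2 * rng / 3)
    return spl_round(max_score * 4 / 5)

def stats_by_group_ip(events):
    """stats count as hits, min/max(attacker_score) by domain_group, attackerip | sort -hits"""
    agg = {}
    for name, ip, score in events:
        key = (domain_group(name), ip)
        rec = agg.setdefault(key, {"hits": 0, "min_score": score, "max_score": score})
        rec["hits"] += 1
        rec["min_score"] = min(rec["min_score"], score)
        rec["max_score"] = max(rec["max_score"], score)
    rows = []
    for (group, ip), rec in agg.items():
        rows.append({"domain_group": group, "attackerip": ip, **rec,
                     "threshold": threshold(rec["min_score"], rec["max_score"])})
    rows.sort(key=lambda r: -r["hits"])  # stable sort: ties keep insertion order
    return rows

def alerts_eventstats(rows):
    """eventstats max(hits) as max_hits by domain_group | where hits >= max_hits
    max_hits is the group-wide maximum, so only the busiest IP(s) of each group
    survive, whatever order the rows are in."""
    max_hits = defaultdict(int)
    for r in rows:
        max_hits[r["domain_group"]] = max(max_hits[r["domain_group"]], r["hits"])
    return [r for r in rows if r["hits"] >= max_hits[r["domain_group"]]]

def alerts_streamstats(rows):
    """streamstats max(hits) as max_hits by domain_group | where hits >= max_hits
    max_hits is a running maximum that includes the current row, so a row passes
    whenever it ties or beats every earlier row of its group: the result depends
    on the order in which rows arrive."""
    running = defaultdict(int)
    out = []
    for r in rows:
        g = r["domain_group"]
        running[g] = max(running[g], r["hits"])
        if r["hits"] >= running[g]:
            out.append(r)
    return out

def dedup(rows, field="domain_group"):
    """dedup <field>: keep the first row per value; after sort -hits that is the busiest IP."""
    seen, out = set(), []
    for r in rows:
        if r[field] not in seen:
            seen.add(r[field])
            out.append(r)
    return out

if __name__ == "__main__":
    rows = stats_by_group_ip(EVENTS)
    for r in rows:
        print(r)
    print("eventstats:", [(r["domain_group"], r["attackerip"]) for r in alerts_eventstats(rows)])
    ascending = sorted(rows, key=lambda r: r["hits"])
    print("streamstats on ascending rows passes", len(alerts_streamstats(ascending)), "of", len(rows))
```

Running it shows the two points from the answer: for wipro/10.0.0.3 (min == max == 50) the original formula would return 50, the fallback returns 40; and `alerts_streamstats` on rows ordered by ascending hits passes every row, while `alerts_eventstats` passes only the top IP per group. With a descending `sort -hits` in front of it, streamstats happens to give the same rows as eventstats, which is why the two can look interchangeable until the sort is removed.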