TimeSeriesAnomaly-MultiVendor_DataExfiltration.yaml #11359
Assignees
Labels
Comments
|
Hi @mbell85 , Thanks for flagging this issue, we will investigate this issue and get back to you with some updates. Thanks! |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
How can I determine what my baseline threshold should be when utilizing the query 'Time series anomaly for data size transferred to public internet'?
I'm confused about a few things, which is making me unsure.
Am I correct in understanding that the query is looking at data transfers to the public Internet per port?
Am I also correct in seeing the results as being in total bytes out per port versus the baseline, despite any resulting hits stating 'TotalBytesSentinMB'? Comparing to Firewall traffic logs, it appears impossible for the total bytes out to be measuring in MB, otherwise I'd be seeing a lot higher amount of traffic on the firewall.
And does changing the amount of days of history to look up affect the baseline in any manner?
Anything else I should know about "right-sizing" the query for my tenant?
Much thanks for any help/input!
The text was updated successfully, but these errors were encountered: