Multiple External Alarms

Description

Triggered when the number of alarms raised by external security tools (IDS, IPS, DLP) for a specific user is higher than the enterprise average.

Content Mapping

This content is not mapped to any local saved search.

Use Case

Advanced Threat Detection, Security Monitoring, Insider Threat

Category

Endpoint Compromise, Network Attack

Alert Volume

Medium

SPL Difficulty

None

Journey

Stage 5

Data Sources

DLP
Host-based IDS
IDS or IPS