Automated Search Alert Filtering
Example One: Moving from 1000 to 250 alerts
In the example below, we assume that a brute-force attack is underway and is triggering 1000 alerts over 2 days.
You can set up searches on all the fraud behavioral analytics alerted events and filter out the brute-force type of alerts with specific conditions. This creates a “reduction by aggregation” of alerts of type brute-force.
For example, you may want to search for alerts generated in the past 2 days, at all risk levels, that contain a failed-login activity.
The search will return all alerts meeting the criteria. Often, a brute-force attack is launched repeatedly against multiple accounts. Most of the alerts will share common attributes, such as IP address, user-agent string and network provider. They also occur in temporal proximity.
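The search-then-aggregate flow above, as an added example that is not part of the original page: constructed alert records (hypothetical IPs, accounts and provider names) are first filtered by the saved-search criteria, then alerts sharing IP, user-agent string and provider within a hypothetical 30-minute proximity window are merged into one cluster, so ten matched alerts collapse to three items to triage.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Alert:
    ts: datetime        # time the alert fired
    account: str        # targeted account
    ip: str             # source IP address
    user_agent: str     # client user-agent string
    provider: str       # network provider
    activity: str       # activity that triggered the alert, e.g. "failed_login"
    risk: str           # risk level; the search keeps all levels

def search_alerts(alerts, now, days=2, activity="failed_login"):
    """Step 1: the saved search - past `days` days, any risk level, given activity."""
    cutoff = now - timedelta(days=days)
    return [a for a in alerts if a.ts >= cutoff and a.activity == activity]

def aggregate_by_source(alerts, window=timedelta(minutes=30)):
    """Step 2: reduction by aggregation. Alerts with the same (ip, user_agent, provider)
    that fire within `window` of the previous alert in that group form one cluster."""
    clusters_by_key = defaultdict(list)
    for a in sorted(alerts, key=lambda x: x.ts):
        clusters = clusters_by_key[(a.ip, a.user_agent, a.provider)]
        if clusters and a.ts - clusters[-1][-1].ts <= window:
            clusters[-1].append(a)          # temporal proximity: same burst
        else:
            clusters.append([a])            # new burst from this source
    return [c for cs in clusters_by_key.values() for c in cs]

# Constructed sample data (hypothetical values, not from the original page).
NOW = datetime(2024, 1, 10, 12, 0)
UA = "Mozilla/5.0 (X11; Linux x86_64)"
SAMPLE = (
    # one source sweeping eight accounts, one attempt per minute
    [Alert(NOW - timedelta(minutes=m), f"user{m}", "203.0.113.7", UA, "ExampleNet",
           "failed_login", "high") for m in range(8)]
    # two unrelated failed logins from other sources
    + [Alert(NOW - timedelta(hours=5), "alice", "198.51.100.4", UA, "OtherNet", "failed_login", "low"),
       Alert(NOW - timedelta(hours=20), "bob", "192.0.2.9", "curl/8.0", "ExampleNet", "failed_login", "medium")]
    # outside the 2-day window, and a different activity type: both excluded by the search
    + [Alert(NOW - timedelta(days=3), "carol", "203.0.113.7", UA, "ExampleNet", "failed_login", "high"),
       Alert(NOW - timedelta(hours=1), "dave", "203.0.113.7", UA, "ExampleNet", "password_change", "high")]
)

def reduction_summary(alerts=SAMPLE, now=NOW):
    """Return (alerts matched by the search, clusters left after aggregation)."""
    matched = search_alerts(alerts, now)
    return len(matched), len(aggregate_by_source(matched))
```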