3.11 - Unusual number of firewall rules modified in the last 7 days

Unusual number of firewall rules modified on any given day in the last 7 days, where unusual is defined as daily_count > avg(daily_count) + 2 * stddev(daily_count), and daily_count is the number of change actions on a given day. Aggregate averages and standard deviations are computed for each day looking back at the preceding daily counts. Default lookback window is the last 90 days.

Category: Cloud Provisioning Activity
Use Cases: Detect
Data Sources: Audit Logs - Admin Activity
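The threshold logic described above, as an added Python example over constructed log entries; it is not this project's BigQuery query. Assumptions: the entry fields `timestamp` and `methodName`, the list of change verbs, zero-filling of days with no changes, and sample standard deviation.

```python
from collections import Counter
from datetime import date, datetime, timedelta
from statistics import mean, stdev

LOOKBACK_DAYS = 90  # page default lookback window
REPORT_DAYS = 7     # only the last 7 days are reported
# Assumption: "change actions" are Compute Engine firewall audit-log methods ending in these verbs.
CHANGE_VERBS = ("insert", "patch", "update", "delete")

def is_firewall_change(method_name):
    parts = method_name.split(".")
    return "firewalls" in parts and parts[-1] in CHANGE_VERBS

def unusual_days(entries, today):
    """Return (day, daily_count, threshold) for each unusual day in the last 7 days."""
    counts = Counter(datetime.fromisoformat(e["timestamp"]).date()
                     for e in entries if is_firewall_change(e["methodName"]))
    flagged = []
    for offset in range(REPORT_DAYS - 1, -1, -1):
        day = today - timedelta(days=offset)
        # Baseline uses only the preceding days, so a spike cannot raise its own threshold.
        # Assumption: a day with no changes counts as 0 rather than being skipped.
        history = [counts[day - timedelta(days=n)] for n in range(1, LOOKBACK_DAYS + 1)]
        threshold = mean(history) + 2 * stdev(history)  # sample standard deviation
        if counts[day] > threshold:
            flagged.append((day, counts[day], round(threshold, 2)))
    return flagged

def constructed_entries(today, spike_offset=3, spike_count=12):
    """Constructed sample log: 1-3 changes per day, one spike, plus read-only noise."""
    entries = []
    for offset in range(LOOKBACK_DAYS + REPORT_DAYS):
        stamp = f"{(today - timedelta(days=offset)).isoformat()}T12:00:00+00:00"
        n = spike_count if offset == spike_offset else 1 + offset % 3
        entries += [{"timestamp": stamp, "methodName": "v1.compute.firewalls.patch"}] * n
        entries.append({"timestamp": stamp, "methodName": "v1.compute.firewalls.list"})
    return entries

if __name__ == "__main__":
    today = date(2024, 6, 30)  # constructed reference date
    for day, count, threshold in unusual_days(constructed_entries(today), today):
        print(f"{day}: {count} firewall changes > threshold {threshold}")
```

Because each day is compared only against the days before it, the spike raises the threshold for the days that follow it but not for itself.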

Queries or Rules

| BigQuery | Chronicle |
|---|---|
| SQL | Contribute rule |

Event Generation

No event generation steps provided. Contribute emulation test to this use case.

Sample Event

No log samples provided. Contribute log samples to this use case.