Source (topic by sathishdsgithub)
I would like to know the possibilities of creating SIEM use cases with Graylog. I have specified some of the use-case names as shown below. We have created some alerts using the Aggregator plugin. However, there are some limitations when using the Aggregator plugin; we are able to create a query based on the source parameter.
Suppose I want to create a use case for "multiple sources trying to scan a single destination host on random ports", which is not possible with the Aggregator plugin. Please let us know whether there are any plugins or options available for creating different SIEM use cases:
TCP ACK Scan
TCP ACK PUSH Scan
TCP SYN Scan
TCP Connect Scan (Plain Vanilla)
Large DNS response
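As an added illustration of the "multiple sources scanning one destination" use case described above (example code written for this page, not part of the original post and not a Graylog plugin), the following Python groups connection events by destination and flags a host once, within a sliding time window, at least N distinct sources have touched at least M distinct destination ports. The event field names, thresholds and sample events are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample connection-attempt events (not real logs).
# Three sources hit 192.168.1.10 on twelve different ports within twelve seconds;
# the host 192.168.1.20 only sees a single source on two common ports.
SAMPLE_EVENTS = [
    {"ts": f"2024-01-01T10:00:{i:02d}", "src": f"10.0.0.{1 + i % 3}",
     "dst": "192.168.1.10", "dport": 1000 + (i * 37) % 60000}
    for i in range(12)
] + [
    {"ts": "2024-01-01T10:00:30", "src": "10.0.0.9", "dst": "192.168.1.20", "dport": 443},
    {"ts": "2024-01-01T10:00:31", "src": "10.0.0.9", "dst": "192.168.1.20", "dport": 80},
]


def detect_distributed_scans(events, window=timedelta(minutes=5),
                             min_sources=3, min_ports=10):
    """Sliding-window check per destination host.

    A destination is flagged when the events seen in the last `window`
    come from at least `min_sources` distinct sources and touch at least
    `min_ports` distinct destination ports (assumed thresholds).
    Returns {dst: (sorted sources, sorted ports)} for flagged hosts.
    """
    recent = defaultdict(deque)  # dst -> deque of (ts, src, dport) inside the window
    alerts = {}
    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort lexically
        ts = datetime.fromisoformat(ev["ts"])
        q = recent[ev["dst"]]
        q.append((ts, ev["src"], ev["dport"]))
        while q and ts - q[0][0] > window:  # expire events that fell out of the window
            q.popleft()
        sources = {s for _, s, _ in q}
        ports = {p for _, _, p in q}
        if len(sources) >= min_sources and len(ports) >= min_ports:
            alerts[ev["dst"]] = (sorted(sources), sorted(ports))  # keep latest state
    return alerts


if __name__ == "__main__":
    for dst, (sources, ports) in detect_distributed_scans(SAMPLE_EVENTS).items():
        print(f"{dst}: {len(sources)} sources, {len(ports)} ports -> {sources}")
```

The same grouping (count distinct sources and distinct ports per destination over a time window) is what a Graylog alert condition would need to express for this use case; the thresholds should be tuned against normal traffic for the monitored host.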