Maybe there's a way to do it but I don't know.
I am monitoring a recursive DNS infrastructure using Graylog. Basically I am parsing the query logs, and I am interested in detecting error conditions that involve both an abnormal number of failed queries and an abnormal number of clients receiving errors.
I am using the aggregation count plugin from Airbus Cyber and I can trigger alerts based on a high number of affected clients or a high number of different failed queries.
But I need an AND condition. Otherwise the alarm will fire whenever a customer generates a report from a firewall access log (triggering countless failed reverse DNS lookups) or whenever a single IP address scans lots of customers.
Thanks!
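The detection logic the question asks for, written out as an added example that is not part of the original post and not Graylog or Airbus Cyber plugin configuration. It parses a constructed, simplified query-log line format (`<epoch> client=<ip> qname=<name> qtype=<type> rcode=<RCODE>`, an assumption, not any resolver's real format), buckets error responses into fixed time windows, and alerts only when both the number of distinct failed query names and the number of distinct clients receiving errors cross their thresholds in the same window. The thresholds, the window size and the set of response codes treated as failures are all assumptions; the three sample windows reproduce the two false-positive cases from the post (one client with many failed reverse lookups; one scanned address looked up by many clients) plus a genuine resolver problem, and only the last one fires.

```python
"""Two-sided (AND) anomaly check over parsed recursive-DNS query logs.

Added example; the log format below is constructed, not a real resolver's.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed line format (assumption):  <epoch> client=<ip> qname=<name> qtype=<type> rcode=<RCODE>
LINE_RE = re.compile(
    r"^(?P<ts>\d+) client=(?P<client>\S+) qname=(?P<qname>\S+) "
    r"qtype=(?P<qtype>\S+) rcode=(?P<rcode>\S+)$"
)
# Which response codes count as "failed queries" is a policy choice (assumption).
ERROR_RCODES = {"SERVFAIL", "NXDOMAIN", "REFUSED"}


@dataclass
class WindowStats:
    failed_queries: set = field(default_factory=set)  # distinct qnames that got an error
    failed_clients: set = field(default_factory=set)  # distinct clients that got an error
    errors: int = 0                                    # raw error count, for context only


def parse_line(line):
    """Return the fields of one log line, or None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def aggregate(lines, window_seconds=60):
    """Bucket error responses into fixed windows keyed by ts // window_seconds."""
    windows = defaultdict(WindowStats)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["rcode"] not in ERROR_RCODES:
            continue  # malformed or successful: not part of either count
        w = windows[int(rec["ts"]) // window_seconds]
        w.failed_queries.add(rec["qname"])
        w.failed_clients.add(rec["client"])
        w.errors += 1
    return windows


def evaluate(stats, min_failed_queries, min_failed_clients):
    """The AND condition: both distinct counts must cross their threshold in the same window."""
    return (len(stats.failed_queries) >= min_failed_queries
            and len(stats.failed_clients) >= min_failed_clients)


def find_alerts(lines, min_failed_queries=50, min_failed_clients=20, window_seconds=60):
    """Return the start timestamps of windows that satisfy the AND condition (thresholds are assumptions)."""
    windows = aggregate(lines, window_seconds)
    return sorted(k * window_seconds for k, s in windows.items()
                  if evaluate(s, min_failed_queries, min_failed_clients))


def _line(ts, client, qname, rcode, qtype="PTR"):
    return f"{ts} client={client} qname={qname} qtype={qtype} rcode={rcode}"


def build_sample_lines():
    """Constructed sample traffic: three 60-second windows, each a different situation."""
    lines = []
    # Window 0 (ts 0-59): one customer's firewall report: many distinct failed reverse lookups, one client.
    for i in range(100):
        lines.append(_line(i % 60, "10.1.1.1", f"{i}.2.0.192.in-addr.arpa", "NXDOMAIN"))
    # Window 1 (ts 60-119): one scanner address looked up by many customers: one failing qname, many clients.
    for i in range(50):
        lines.append(_line(60 + i % 60, f"10.2.0.{i}", "7.100.51.198.in-addr.arpa", "NXDOMAIN"))
    # Window 2 (ts 120-179): resolver trouble: many clients, many distinct names, all SERVFAIL.
    for c in range(40):
        for q in range(3):
            lines.append(_line(120 + c, f"10.3.0.{c + 1}", f"host{c}-{q}.example.net", "SERVFAIL", "A"))
    # Healthy traffic in every window; filtered out by ERROR_RCODES.
    for t in (5, 70, 130):
        lines.append(_line(t, "10.9.9.9", "www.example.com", "NOERROR", "A"))
    return lines


if __name__ == "__main__":
    sample = build_sample_lines()
    for key, stats in sorted(aggregate(sample).items()):
        print(f"window {key * 60:>4}s: {len(stats.failed_queries):>3} failed qnames, "
              f"{len(stats.failed_clients):>3} affected clients, {stats.errors:>3} errors")
    print("alerting windows:", find_alerts(sample))
```

Running the module prints one line per window; with the default thresholds only the window starting at 120 s alerts, while the firewall-report window (100 failed names, 1 client) and the scanner window (1 failed name, 50 clients) each trip only one side of the condition and stay quiet. Lowering either threshold to 1 shows the single-sided behaviour the post describes, which is the false-positive source the AND is meant to remove.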