Great question Anders-DL. This solution provides two new analytic rules; both rules have a threshold that can be adjusted to suit your specific environment.
The first rule identifies public IPs that generate over 5% of all traffic during a DDoS attack. However, each environment is unique, and sometimes a valid single IP address can generate more than 5% of traffic during an attack. In such cases, it is important to understand the type of traffic coming to your public IP and increase the threshold accordingly, for example, to 10% or higher.
The second rule is designed to identify high packet-per-second (PPS) traffic during an active DDoS attack, with a default threshold of 10,000 PPS. As with the first rule, this threshold can also be modified to best suit your environment and provide maximum security.
Overall, these rules can help you detect and respond to post-DDoS attacks effectively, but it is important to adjust the thresholds according to your specific environment to avoid false positives or missed detections.
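The two threshold rules described in the reply above, as an added Python example that is not part of the solution being discussed: it aggregates per-source packet counts from an attack window, flags sources above the traffic-share threshold (5% by default, raised to 10% to show the tuning mentioned) and sources above the PPS threshold. The flow records, the 60-second window and the per-source PPS calculation are constructed assumptions.

```python
from collections import Counter

# Constructed sample (not real telemetry): (source_ip, packets) observed at one
# public IP during a hypothetical 60-second DDoS mitigation window.
WINDOW_SECONDS = 60
SAMPLE_FLOWS = [
    ("203.0.113.10", 900_000),   # dominant source during the attack
    ("198.51.100.7", 90_000),    # legitimate but busy client
    ("192.0.2.44", 30_000),
    ("192.0.2.44", 20_000),      # same source seen twice; counts are summed
    ("198.51.100.9", 30_000),
]


def packets_by_source(flows):
    """Sum packets per source IP over the window."""
    totals = Counter()
    for ip, packets in flows:
        totals[ip] += packets
    return totals


def top_talkers(flows, share_threshold=0.05):
    """Rule 1: sources whose share of all packets in the window exceeds
    share_threshold (default 5%). Returns {ip: share}."""
    totals = packets_by_source(flows)
    grand_total = sum(totals.values())
    if grand_total == 0:          # empty window: nothing to rank
        return {}
    return {ip: n / grand_total for ip, n in totals.items()
            if n / grand_total > share_threshold}


def high_pps(flows, window_seconds, pps_threshold=10_000):
    """Rule 2: sources whose average packets per second over the window
    exceeds pps_threshold (default 10,000 PPS). Returns {ip: pps}."""
    totals = packets_by_source(flows)
    return {ip: n / window_seconds for ip, n in totals.items()
            if n / window_seconds > pps_threshold}


if __name__ == "__main__":
    for threshold in (0.05, 0.10):
        print(f"share > {threshold:.0%}:", top_talkers(SAMPLE_FLOWS, threshold))
    print("pps > 10000:", high_pps(SAMPLE_FLOWS, WINDOW_SECONDS))
```

Raising the share threshold from 5% to 10% drops the busy legitimate client from the first rule's results while the attack source remains flagged by both rules.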