Rule or Data Monitor
We want to monitor events that are coming from a specific asset on our network. If the event count for that asset increases an abnormal amount, we want to be alerted. What is the most efficient way to develop this... Data Monitor or Rule? Thank You!
You would actually use both.
First you would set up a Moving Average Data Monitor to watch the event flow from the particular asset. You would tell it how often to sample, and it will maintain a moving average of how many events are in the flow. You also configure it with a threshold percent. If the new sample is + or - the threshold percent above or below the moving average, then the data monitor will fire a correlated event. You can then use a rule or two to fire any time the event rate moves too far above or below the average event rate for that asset.
You can also use this logic to monitor numerous different assets at once, as the data monitor will watch them all at the same time; you do not need to set up 10 data monitors to watch 10 assets, just the one.
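The following is an added example that simulates the logic the answer describes, so the sampling, moving-average and threshold behaviour can be seen on concrete input. It is not ArcSight's code and does not use the ArcSight API; the interval length, threshold percent, window size, and the constructed event stream (hostnames `web-01`, `db-01`, `dns-01` and their timestamps) are assumptions chosen for illustration. Like the real data monitor, one instance keeps separate state per asset, so a single monitor covers many assets.

```python
from collections import defaultdict, deque


def bucket_counts(events, interval_seconds):
    """Group (timestamp_seconds, asset) events into one count per sample interval.

    Returns {asset: [count_in_interval_0, count_in_interval_1, ...]} with every
    asset padded to the same number of intervals, so a quiet asset still
    produces zero-count samples (a sudden silence is also a deviation).
    """
    if not events:
        return {}
    start = min(ts for ts, _ in events)
    end = max(ts for ts, _ in events)
    n_buckets = int((end - start) // interval_seconds) + 1
    counts = defaultdict(lambda: [0] * n_buckets)
    for ts, asset in events:
        counts[asset][int((ts - start) // interval_seconds)] += 1
    return dict(counts)


class MovingAverageMonitor:
    """Per-asset moving average of event counts with a +/- percent threshold."""

    def __init__(self, threshold_percent, window=5):
        self.threshold = threshold_percent / 100.0   # e.g. 50 -> 0.5
        self.history = defaultdict(lambda: deque(maxlen=window))

    def observe(self, asset, sample_index, count):
        """Feed one completed sample; return a correlated-event dict or None.

        The new sample is compared against the average of the previous
        samples only (it is added to the history afterwards), matching the
        described "new sample vs. moving average" check.
        """
        hist = self.history[asset]
        alert = None
        if hist:  # need at least one earlier sample before we can compare
            avg = sum(hist) / len(hist)
            if avg == 0:
                deviation = float("inf") if count > 0 else 0.0
            else:
                deviation = (count - avg) / avg
            if abs(deviation) > self.threshold:
                alert = {
                    "asset": asset,
                    "sample_index": sample_index,
                    "count": count,
                    "moving_average": avg,
                    "deviation_percent": round(deviation * 100, 1),
                    "direction": "above" if deviation > 0 else "below",
                }
        hist.append(count)
        return alert


def run_monitor(events, interval_seconds, threshold_percent, window=5):
    """Bucket raw events, replay the samples through one monitor, collect alerts."""
    monitor = MovingAverageMonitor(threshold_percent, window)
    alerts = []
    per_asset = bucket_counts(events, interval_seconds)
    n_samples = max(len(c) for c in per_asset.values())
    for i in range(n_samples):               # replay samples in time order
        for asset, counts in sorted(per_asset.items()):
            alert = monitor.observe(asset, i, counts[i])
            if alert:
                alerts.append(alert)
    return alerts


# Constructed sample stream (not real data): 6 one-minute intervals.
#   web-01: steady 10 events/min, then a burst of 30 in the last minute
#   db-01:  steady 5 events/min throughout
#   dns-01: steady 8 events/min, then drops to 2 in the last minute
SAMPLE_EVENTS = []
for i in range(6):
    SAMPLE_EVENTS += [(i * 60 + k, "web-01") for k in range(10)]
    SAMPLE_EVENTS += [(i * 60 + k, "db-01") for k in range(5)]
    SAMPLE_EVENTS += [(i * 60 + k, "dns-01") for k in range(8 if i < 5 else 2)]
SAMPLE_EVENTS += [(5 * 60 + 30 + k, "web-01") for k in range(20)]

if __name__ == "__main__":
    for a in run_monitor(SAMPLE_EVENTS, interval_seconds=60, threshold_percent=50):
        print(f"{a['asset']}: sample {a['sample_index']} count={a['count']} "
              f"avg={a['moving_average']:.1f} ({a['deviation_percent']}% {a['direction']})")
```

With a 50% threshold, `web-01` fires "above" (200% over its average of 10) and `dns-01` fires "below" (75% under its average of 8) in the last interval, while `db-01` never fires. The "rule or two" from the answer would then match on the `direction` field of these correlated events, for instance to treat a burst and a silence differently.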