Hi, I am pretty new to LEM and trying to figure out if I can leverage LEM to detect when users download an anomalous amount of data from our SAN. In general, I guess I'm thinking that if I can identify what that network traffic looks like, I can create an alert for traffic over a certain threshold from the SAN to any single source IP. However, I'm not sure if that is even the right line of thinking and, if it is, I'm not sure that gets me what I need anyway. I think that there would need to be a correlation with AD to identify the user properly. Again, I'm new to this and just unsure of how to approach it. Any advice at all would be appreciated.
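The logic described in the post (a per-client byte threshold on traffic leaving the SAN, then a lookup against AD logons to name the user) is sketched below as an added example. It is not part of the original post and is not LEM rule syntax. The SAN address, threshold, window size, and all flow and logon records are constructed assumptions.

```python
from collections import defaultdict

SAN_IPS = {"10.0.5.10"}        # assumption: storage front-end address
THRESHOLD = 5 * 1024**3        # assumption: 5 GiB per client per window
WINDOW = 3600                  # assumption: one-hour buckets
GIB = 1024**3

# Constructed flow records: (epoch_seconds, src_ip, dst_ip, bytes)
FLOWS = [
    (100,  "10.0.5.10",  "10.0.20.31", 2 * GIB),
    (900,  "10.0.5.10",  "10.0.20.31", 2 * GIB),
    (2000, "10.0.5.10",  "10.0.20.31", 2 * GIB),
    (1500, "10.0.5.10",  "10.0.20.44", 1 * GIB),
    (3700, "10.0.5.10",  "10.0.20.44", 3 * GIB),
    (1200, "10.0.20.31", "10.0.5.10",  8 * GIB),  # upload to the SAN, ignored
    (4000, "10.0.5.10",  "10.0.20.77", 6 * GIB),  # client with no logon on record
]
# Constructed logon records (e.g. parsed from DC logon events): (epoch, ip, user)
LOGONS = [
    (50,   "10.0.20.31", "CORP\\alice"),
    (60,   "10.0.20.44", "CORP\\bob"),
    (5000, "10.0.20.31", "CORP\\carol"),  # later logon on the same IP
]

def bytes_per_client(flows, san_ips, window):
    """Sum bytes sent from the SAN to each client IP per time bucket."""
    totals = defaultdict(int)
    for ts, src, dst, nbytes in flows:
        if src in san_ips:
            totals[(dst, ts // window)] += nbytes
    return totals

def user_at(logons, ip, ts):
    """Most recent logon seen from ip at or before ts, else None."""
    seen = [(t, u) for t, i, u in logons if i == ip and t <= ts]
    return max(seen)[1] if seen else None

def find_anomalies(flows, logons, san_ips=SAN_IPS, threshold=THRESHOLD, window=WINDOW):
    """Return one alert per (client, bucket) whose total exceeds the threshold."""
    alerts = []
    for (ip, bucket), total in sorted(bytes_per_client(flows, san_ips, window).items()):
        if total > threshold:
            end = (bucket + 1) * window - 1  # attribute to the user as of bucket end
            alerts.append({"client_ip": ip, "window_start": bucket * window,
                           "bytes": total, "user": user_at(logons, ip, end)})
    return alerts

if __name__ == "__main__":
    for alert in find_anomalies(FLOWS, LOGONS):
        print(alert)
```

The logon lookup is time-bounded so that a later logon from the same address is not blamed for an earlier transfer, and a client with no logon on record is reported with `user` set to `None` rather than dropped.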