At my internship i'm researching the possibilities of AlienVault's alarming. The business asked if it is possible to achieve the following for firewall monitoring:
"We want to be alerted if the incoming deny grows 10% in 7 days."
I've searched trough the website, but i can't find a concrete answer. I think that we need to create trending of the deny, and alarm if there is an anomaly in this trending, but i can't find the possibilities for this.