Refer to attached:
need to clarify on the red-text items in the excel :
what are the usual industry-practice settings like
whether "occurs 10 times/minute" : is this the usual
setting or hackers usually will attempt 5 times/0.5min?
From our network IPS logs, have seen variations in
attempts (by blacklisted source IP addrs) in making
3-10 attemps over various time horizons.
Appreciate any comments/inputs on the red-text
items in the attached use cases which we're going
to adopt to finetune our SIEM/SOC