Custom alert on 1GB outbound traffic

Hi everyone,

I am having trouble creating a custom alert for a host sending a large amount (over 1GB) of traffic externally. I can create a log query showing top assets with outbound traffic but could not find a way to create a trigger that would filter on aggregate functions. Something similar to the HAVING clause in SQL.
Any ideas?
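
The aggregate-then-filter check the question describes (SUM of outbound bytes per host, then a HAVING-style threshold), as an added stand-alone example that is not part of this thread and not the product's own query language; the flow records, the "src dst bytes" line format and the internal-network list are constructed assumptions, only the 1GB threshold comes from the post:

```python
import ipaddress
from collections import defaultdict

# Constructed sample flow records (not from the thread): "src_ip dst_ip bytes".
SAMPLE_FLOWS = """\
10.0.0.5 203.0.113.10 600000000
10.0.0.5 198.51.100.7 500000000
10.0.0.5 10.0.0.9 900000000
10.0.0.8 203.0.113.10 100000000
10.0.0.9 203.0.113.44 2000000000
"""

ONE_GB = 1_000_000_000  # threshold from the question: "over 1GB"

# Assumed internal address space; traffic to these ranges is not "external".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_external(ip: str) -> bool:
    """True when the destination is outside the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def parse_flows(text: str):
    """Yield (src, dst, bytes) tuples; blank lines are skipped."""
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, nbytes = line.split()
        yield src, dst, int(nbytes)


def outbound_by_host(text: str) -> dict:
    """The GROUP BY step: SUM(bytes) per source, external destinations only."""
    totals = defaultdict(int)
    for src, dst, nbytes in parse_flows(text):
        if is_external(dst):
            totals[src] += nbytes
    return dict(totals)


def hosts_over_threshold(text: str, threshold: int = ONE_GB) -> dict:
    """The HAVING step: keep only hosts whose external total exceeds threshold."""
    return {h: b for h, b in outbound_by_host(text).items() if b > threshold}


if __name__ == "__main__":
    for host, total in sorted(hosts_over_threshold(SAMPLE_FLOWS).items()):
        print(f"ALERT {host}: {total} bytes sent externally")
```

Note that 10.0.0.5 is flagged on its external total alone (1.1GB); its 900MB to an internal host is ignored, which is the distinction between "top outbound" and "top external".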

Hi @dejan_bojic,

AFAIK it is not possible yet as you can’t then check all entries of the groupby.
There is already a feature request for that. You should create a support case so you can be attached to the ticket.

Sneak Peek: There is an upcoming early access for a new “Anomalous Data Transfer” feature.
That could be interesting for you. Please contact your CSM for that.

Great, thanks for the help and the info Philipp!