I know the question about how to set Reconnaissance Protection thresholds has been asked dozens of times. The answer is always "it depends on your environment and situation". I understand that there can't be a one-size-fits-all best practice. It seems as though a trial-and-error approach is how you should dial in the thresholds and intervals.
But are there any unique factors that should be taken into consideration that could give you a general idea rather than taking shots in the dark? Like how many different hosts and services are accessible from that zone? Average connections per second? Frequency of any types of events in the threat logs?
A while back I went down this same path. It is a very loose control and does require a lot of attention, because something like a shopping season, COVID stimulus checks, or other events may cause spikes in traffic that you don't want to drop.
Here are some places to look for evaluating your CPS over time:
As @shawnhafen mentioned and you've pointed out in your question, the problem with giving any sort of general criteria on how to calculate these thresholds is that they will always be different.
Outside of continually monitoring these values and reviewing logs over a period of time to generate a rough idea of what you should start at, there's always going to be a little bit of trial and error involved here to make them effective.
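One way to put numbers behind the "monitor the values and review logs over a period of time" advice, as an added example that is not from the original posters or Palo Alto Networks: replay a traffic log over the same interval the Reconnaissance Protection profile would use and report each source's legitimate peak (distinct ports on one host for port scan, distinct hosts for host sweep), plus headroom, as a starting threshold. The CSV column layout, the constructed log lines and the 1.5x headroom factor are assumptions for the example.

```python
# Added example (not from the original thread or Palo Alto Networks): baseline legitimate traffic over the profile's interval.
from collections import defaultdict
from datetime import datetime
from math import ceil

# Constructed sample traffic log ("time,source,destination,dest_port"); the column
# layout is an assumption for this example, not the exact PAN-OS export format.
SAMPLE_LOG = """\
2024-03-01 10:00:01,10.1.1.5,10.2.2.10,443
2024-03-01 10:00:02,10.1.1.5,10.2.2.10,80
2024-03-01 10:00:04,10.1.1.7,10.2.2.10,22
2024-03-01 10:00:05,10.1.1.7,10.2.2.10,80
2024-03-01 10:00:06,10.1.1.7,10.2.2.10,443
2024-03-01 10:00:07,10.1.1.7,10.2.2.10,3389
2024-03-01 10:00:08,10.1.1.7,10.2.2.12,22
2024-03-01 10:00:09,10.1.1.7,10.2.2.13,22
2024-03-01 10:00:15,10.1.1.5,10.2.2.10,8080
"""

def parse_log(text):
    """Parse CSV lines into (datetime, src, dst, dport) tuples."""
    return [(datetime.fromisoformat(t), s, d, int(p))
            for t, s, d, p in (line.split(",") for line in text.splitlines())]

def baseline(rows, interval_sec):
    """Per source and interval bucket: distinct ports hit on one destination (port-scan
    style) and distinct destinations touched (host-sweep style). Buckets start at the
    first entry so the window matches the profile's interval setting."""
    t0 = min(ts for ts, *_ in rows)
    ports = defaultdict(set)  # (src, bucket, dst) -> dest ports
    hosts = defaultdict(set)  # (src, bucket) -> dest hosts
    for ts, src, dst, dport in rows:
        bucket = int((ts - t0).total_seconds()) // interval_sec
        ports[(src, bucket, dst)].add(dport)
        hosts[(src, bucket)].add(dst)
    top_p = max(ports.items(), key=lambda kv: len(kv[1]))
    top_h = max(hosts.items(), key=lambda kv: len(kv[1]))
    return {"max_ports": len(top_p[1]), "max_ports_src": top_p[0][0],
            "max_hosts": len(top_h[1]), "max_hosts_src": top_h[0][0]}

def suggest_thresholds(text, interval_sec, headroom=1.5):
    """Observed legitimate peak times a headroom factor. Check the peak sources first:
    a vulnerability scanner or monitoring host is better excluded than accommodated."""
    b = baseline(parse_log(text), interval_sec)
    return {"interval_sec": interval_sec,
            "port_scan_threshold": ceil(b["max_ports"] * headroom),
            "host_sweep_threshold": ceil(b["max_hosts"] * headroom),
            "peak_port_source": b["max_ports_src"], "peak_host_source": b["max_hosts_src"]}
```

Run it against a longer export spanning a busy period (a sale, a patch window) and compare the suggested values across several intervals before committing to one; the peak sources it names are the addresses worth reviewing before any threshold is raised.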