I know the question about how to set Reconnaissance Protection thresholds has been asked dozens of times. The answer is always "it depends on your environment and situation". I understand that there can't be a one-size-fits-all best practice. It seems as though a trial-and-error approach is how you should dial in the thresholds and intervals. But are there any unique factors that should be taken into consideration that could give you a general idea rather than taking shots in the dark? Like how many different hosts and services are accessible from that zone? Average connections per second? Frequency of any types of events in the threat logs?