We've started to use NetFlow in NPM, which has been very helpful in identifying DDoS attacks on our network. I'm interested in whether it's possible to set up an alert that would monitor for specific parameters that could indicate a DDoS, such as a single IP address receiving traffic from more than three different countries within a five-minute timespan, or possibly a large number of sources hitting a specific endpoint. If these criteria are met, an alert would then trigger, which would include a report showing the sources sending data to the destination.
Thanks as always for the guidance.
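
The two criteria from the post, written out as an added example that is not part of the original post and is not a SolarWinds alert definition: a five-minute sliding window per destination over flow records that already carry a source country. The record layout, the 100-source threshold and the sample flows are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)
MAX_COUNTRIES = 3    # from the post: alert on more than three countries
MAX_SOURCES = 100    # assumed value for "a large number of sources"

def detect(flows, max_countries=MAX_COUNTRIES, max_sources=MAX_SOURCES):
    """flows: (timestamp, src_ip, src_country, dst_ip) tuples.
    Returns one alert per destination and criterion each time it is crossed."""
    recent = defaultdict(deque)  # dst_ip -> flows seen in the last WINDOW
    firing = set()               # (dst_ip, reason) pairs already alerting
    alerts = []
    for ts, src, country, dst in sorted(flows):
        window = recent[dst]
        window.append((ts, src, country))
        while ts - window[0][0] > WINDOW:  # expire flows older than 5 min
            window.popleft()
        peers = sorted({(s, c) for _, s, c in window})
        checks = {
            "countries": len({c for _, c in peers}) > max_countries,
            "sources": len({s for s, _ in peers}) > max_sources,
        }
        for reason, crossed in checks.items():
            key = (dst, reason)
            if crossed and key not in firing:
                firing.add(key)
                alerts.append({"time": ts, "dst": dst, "reason": reason, "sources": peers})
            elif not crossed:
                firing.discard(key)
    return alerts

# Constructed sample flows (documentation address ranges, invented countries).
T0 = datetime(2024, 1, 1, 12, 0, 0)
SAMPLE = [
    (T0 + timedelta(seconds=0), "198.51.100.1", "US", "203.0.113.10"),
    (T0 + timedelta(seconds=30), "198.51.100.2", "BR", "203.0.113.10"),
    (T0 + timedelta(seconds=60), "198.51.100.3", "DE", "203.0.113.10"),
    (T0 + timedelta(seconds=90), "198.51.100.4", "VN", "203.0.113.10"),
    # Same four countries, but spread over 20 minutes: must not alert.
    (T0 + timedelta(seconds=0), "192.0.2.1", "US", "203.0.113.20"),
    (T0 + timedelta(seconds=400), "192.0.2.2", "BR", "203.0.113.20"),
    (T0 + timedelta(seconds=800), "192.0.2.3", "DE", "203.0.113.20"),
    (T0 + timedelta(seconds=1200), "192.0.2.4", "VN", "203.0.113.20"),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert["time"], alert["dst"], alert["reason"], alert["sources"])
```

Each alert carries the list of (source, country) pairs seen for that destination inside the window, which is the report the post asks for; the `firing` set keeps a sustained event from raising a new alert on every flow.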