| Table of Contents | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|
|
Score a given table based on how frequently a unique group of the specified columns occurs. Higher scores are given to less frequent occurrences. The output table adds an additional lhub_score column that contains the score.
...
Output
The input table with an additional lhub_score column that contains the score [0.0 - 10.0]. Less frequently occurring groups get higher scores.
Example
Input
table
id | destIP | destPort |
|---|---|---|
1 | 192.68.0.1 | 3250 |
2 | 192.68.0.1 | 3250 |
3 | 192.68.0.1 | 3250 |
4 | 53.32.124.8 | 7458 |
5 | 192.68.0.1 | 3250 |
6 | 192.68.0.1 | 3250 |
LQL command
| Code Block |
|---|
scoreByLeastFrequency(table, "destIP", "destPort") |
Output
id | destIP | destPort | lhub_score |
|---|---|---|---|
1 | 192.68.0.1 | 3250 | 0.0 |
2 | 192.68.0.1 | 3250 | 0.0 |
3 | 192.68.0.1 | 3250 | 0.0 |
4 | 53.32.124.8 | 7458 | 10.0 |
5 | 192.68.0.1 | 3250 | 0.0 |
6 | 192.68.0.1 | 3250 | 0.0 |