...
Anomaly => Very different value (much bigger/smaller value) than the neighbor's values
Operator Usage in Easy Mode
- Click + on the parent node.
- Enter the Score Anomalies operator in the search field and select the operator from the Results to open the operator form.
- In the Input Table drop-down, enter or select the name of the table containing the data to run this operator on.
- In the Column drop-down, enter or select the name of the column on which the anomaly scores will be calculated.
- Optional. In the Grouping Fields drop-down, enter or select the name of the columns to group events by.
- Click Run to view the result.
- Click Save to add the operator to the playbook.
- Click Cancel to discard the operator form.
Usage Details
LQL Command
| Code Block |
|---|
scoreAnomalies(table, scorefield) |
...
Output
Input table with an additional field (lhub_score) that contains the score values. Higher value means a more anomalous event.
Example
Input
table = github_logs
| id | bytes |
|---|---|
| 1 | 1986 |
| 2 | 1652 |
| 3 | 1762 |
| 4 | 93 |
| 5 | 1697 |
...