Find anomalous events within the neighborhood of an event, where the neighbor events are those closest in time to the source event.
Anomaly => a value that differs markedly (much bigger or smaller) from the values of its neighbors.
Operator Usage in Easy Mode
- Click + on the parent node.
- Enter the Score Anomalies operator in the search field and select the operator from the Results to open the operator form.
- In the Input Table drop-down, enter or select the name of the table containing the data to run this operator on.
- In the Column drop-down, enter or select the name of the column on which the anomaly scores will be calculated.
- Optional. In the Grouping Fields drop-down, enter or select the names of the columns to group events by; scores are then computed within each group.
- Click Run to view the result.
- Click Save to add the operator to the playbook.
- Click Cancel to discard the operator form.
Usage Details
LQL Command
scoreAnomalies(table, scorefield)
Input:
table: Input table
scorefield: Name of the field the operator is applied to
Output
Input table with an additional field (lhub_score) that contains the score values. A higher value means a more anomalous event.
Example
Input
table = github_logs

| id | bytes |
|---|---|
| 1 | 1986 |
| 2 | 1652 |
| 3 | 1762 |
| 4 | 93 |
| 5 | 1697 |
LQL command
scoreAnomalies(table, "bytes")
Output

| id | bytes | lhub_score |
|---|---|---|
| 1 | 1986 | 0.0 |
| 2 | 1652 | 0.0 |
| 3 | 1762 | 0.0 |
| 4 | 93 | 10.0 |
| 5 | 1697 | 0.0 |

All values except the one in the 4th row (93) lie within one standard deviation of the "bytes" values.
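To make the neighborhood idea concrete, here is an added Python example (not LogicHub's own implementation of scoreAnomalies) that scores each event against the k events closest to it in time, using the page's github_logs rows as constructed input. The scoring rule, the `id` field standing in for event time, and the k=4 neighborhood are assumptions of this example.

```python
from statistics import mean, pstdev

# Constructed sample rows mirroring the page's github_logs example.
# The id column is assumed to stand in for event order in time.
GITHUB_LOGS = [
    {"id": 1, "bytes": 1986},
    {"id": 2, "bytes": 1652},
    {"id": 3, "bytes": 1762},
    {"id": 4, "bytes": 93},
    {"id": 5, "bytes": 1697},
]


def neighbor_scores(rows, scorefield, time_field="id", k=4):
    """Return a copy of rows with an added 'lhub_score' field.

    Assumed scoring rule (illustrative, not LogicHub's actual algorithm):
    for each event take the k events closest in time (excluding itself),
    and score the event by how far its value lies from the neighbors' mean,
    in units of the neighbors' standard deviation. Values within one
    standard deviation of the neighborhood mean score 0.0.
    """
    scored = []
    for row in rows:
        others = [r for r in rows if r is not row]
        # Neighborhood = the k events with the smallest time distance.
        neighbors = sorted(
            others, key=lambda r: abs(r[time_field] - row[time_field])
        )[:k]
        values = [n[scorefield] for n in neighbors]
        mu, sigma = mean(values), pstdev(values)
        if sigma == 0:
            # All neighbors identical: any deviation at all is anomalous.
            score = 0.0 if row[scorefield] == mu else float("inf")
        else:
            z = abs(row[scorefield] - mu) / sigma
            score = round(z, 2) if z > 1.0 else 0.0
        scored.append({**row, "lhub_score": score})
    return scored


if __name__ == "__main__":
    for r in neighbor_scores(GITHUB_LOGS, "bytes"):
        print(r["id"], r["bytes"], r["lhub_score"])
```

With this rule only the 93-byte event (id 4) receives a non-zero score; the absolute value differs from the 10.0 on the page because the scale is specific to this example.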