scoreByLeastFrequency
Score a given table based on how frequently a unique group of the specified columns occurs. Higher scores are given to less frequent occurrences. The output table adds an additional lhub_score column that contains the score.
Operator usage in easy mode
Click + on the parent node.
Enter the Score by Least Frequency operator in the search field and select the operator from the Results to open the operator form.
In the Input Table drop-down, enter or select the name of the table containing the data to run this operator on.
Optional. In the Columns drop-down, enter or select the columns to group events by.
Click Run to view the result.
Click Save to add the operator to the playbook.
Click Cancel to discard the operator form.
Usage details
LQL Command
scoreByLeastFrequency(inputTable, columns)
Input
`inputTable`: Table containing the data to run this operator on.
`columns`: Comma-separated list of columns to group events by.
Output
The input table with an additional lhub_score column that contains the score [0.0 - 10.0]. Less frequently occurring groups get higher scores.
Example
Input table (`table`)
id | destIP | destPort |
---|---|---|
1 | 192.68.0.1 | 3250 |
2 | 192.68.0.1 | 3250 |
3 | 192.68.0.1 | 3250 |
4 | 53.32.124.8 | 7458 |
5 | 192.68.0.1 | 3250 |
6 | 192.68.0.1 | 3250 |
LQL command
scoreByLeastFrequency(table, "destIP", "destPort")
Output
id | destIP | destPort | lhub_score |
---|---|---|---|
1 | 192.68.0.1 | 3250 | 0.0 |
2 | 192.68.0.1 | 3250 | 0.0 |
3 | 192.68.0.1 | 3250 | 0.0 |
4 | 53.32.124.8 | 7458 | 10.0 |
5 | 192.68.0.1 | 3250 | 0.0 |
6 | 192.68.0.1 | 3250 | 0.0 |
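The following is an added Python example, not LogicHub's own implementation, that reproduces the behaviour shown in the example above: rows are grouped by the chosen columns, and the rarest group (here the single connection to 53.32.124.8:7458) stands out with the top score while the common group scores 0.0. The page only states the 0.0 - 10.0 range and that rarer groups score higher; the linear scaling between the most and least common group count is an assumption of this example, as is the `rare_rows` helper, which shows the typical triage use of the score (pull out the uncommon destination pairs for a closer look).

```python
from collections import Counter

# Constructed sample input mirroring the example table on this page.
SAMPLE_TABLE = [
    {"id": 1, "destIP": "192.68.0.1", "destPort": 3250},
    {"id": 2, "destIP": "192.68.0.1", "destPort": 3250},
    {"id": 3, "destIP": "192.68.0.1", "destPort": 3250},
    {"id": 4, "destIP": "53.32.124.8", "destPort": 7458},
    {"id": 5, "destIP": "192.68.0.1", "destPort": 3250},
    {"id": 6, "destIP": "192.68.0.1", "destPort": 3250},
]


def score_by_least_frequency(rows, *columns):
    """Return a copy of ``rows`` with an added ``lhub_score`` column.

    Rows are grouped by the tuple of values in ``columns`` (every column
    when none are given, matching the optional Columns field). The rarest
    group scores 10.0, the most common 0.0, and groups in between are
    scaled linearly by occurrence count. The linear scaling is an
    assumption of this example; the page does not specify the formula.
    """
    if not rows:
        return []
    keys = columns or tuple(rows[0].keys())

    def group_of(row):
        return tuple(row.get(k) for k in keys)

    counts = Counter(group_of(r) for r in rows)
    lo, hi = min(counts.values()), max(counts.values())
    scored = []
    for row in rows:
        n = counts[group_of(row)]
        # Every group equally frequent: nothing is unusual, all rows score 0.0.
        score = 0.0 if hi == lo else round(10.0 * (hi - n) / (hi - lo), 2)
        scored.append({**row, "lhub_score": score})
    return scored


def rare_rows(scored, threshold=5.0):
    """Hypothetical triage helper: rows whose lhub_score meets the threshold."""
    return [r for r in scored if r["lhub_score"] >= threshold]


if __name__ == "__main__":
    result = score_by_least_frequency(SAMPLE_TABLE, "destIP", "destPort")
    for row in result:
        print(row)
    print("rare:", rare_rows(result))
```

With the sample table the scores come out as 0.0 for the five rows hitting 192.68.0.1:3250 and 10.0 for row 4, matching the output table above; with three groups of counts 3, 2 and 1 the linear scaling yields 0.0, 5.0 and 10.0 respectively.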