scoreAnomalies
- Jonas Gonzalez
Owned by Jonas Gonzalez
Find anomalous events within the neighborhood of an event, where the neighbor events are the events those are closest to the source event time.
Anomaly => Very different value (much bigger/smaller value) than the neighbor's values
Operator Usage in Easy Mode
- Click + on the parent node.
- Enter the Score Anomalies operator in the search field and select the operator from the Results to open the operator form.
- In the Input Table drop-down, enter or select the name of the table containing the data to run this operator on.
- In the Column drop-down, enter or select the name of the column on which the anomaly scores will be calculated.
- Optional. In the Grouping Fields drop-down, enter or select the name of the columns to group events by.
- Click Run to view the result.
- Click Save to add the operator to the playbook.
- Click Cancel to discard the operator form.
Usage Details
LQL Command
scoreAnomalies(table, scorefield)
Input:
table: Input table
scorefield: Name of a field to apply an operator
Output
Input table with an additional field (lhub_score) that contains the score values. Higher value means a more anomalous event.
Example
Input
table = github_logs
| id | bytes |
|---|---|
| 1 | 1986 |
| 2 | 1652 |
| 3 | 1762 |
| 4 | 93 |
| 5 | 1697 |
LQL command
scoreAnomalies(table, "bytes")
Output
| id | bytes | lhub_score |
|---|---|---|
| 1 | 1986 | 0.0 |
| 2 | 1652 | 0.0 |
| 3 | 1762 | 0.0 |
| 4 | 93 | 10.0 |
| 5 | 1697 | 0.0 |
All numbers except in the 4th row (93) are within the range of one standard deviation of the "bytes" values.