Find anomalous events within the neighborhood of an event, where the neighbor events are the events those are closest to the source event time.

Anomaly => Very different value (much bigger/smaller value) than the neighbor's values

Operator Usage in Easy Mode

Click + on the parent node.
Enter the Score Anomalies operator in the search field and select the operator from the Results to open the operator form.
In the Input Table drop-down, enter or select the name of the table containing the data to run this operator on.
In the Column drop-down, enter or select the name of the column on which the anomaly scores will be calculated.
Optional. In the Grouping Fields drop-down, enter or select the name of the columns to group events by.
Click Run to view the result.
Click Save to add the operator to the playbook.
Click Cancel to discard the operator form.

Usage Details

LQL Command

scoreAnomalies(table, scorefield)

Input:
table: Input table
scorefield: Name of a field to apply an operator

Output
Input table with an additional field (lhub_score) that contains the score values. Higher value means a more anomalous event.

Input
table = github_logs

LQL command

scoreAnomalies(table, "bytes")

Output

All numbers except in the 4th row (93) are within the range of one standard deviation of the "bytes" values.