ee-outliers

ee-outliers copied to clipboard

Add new detection method: similarity between strings. Could be interesting in specific use cases to identify terms that are entirely different from others, in cases where we would expect a...

daanraman

Example: `2020-03-02 16:51:43,427 [sigma-gen][ERROR] '%' must be followed by '%' or '(', found: '%COMSPEC%*"}}]}}, {"bool": {"must": [{"exists": {"field": "WevtFilter.CommandLine.keyword"}}, {"wildcard": {"WevtFilter.CommandLine.keyword": "*/c*"}}]}}, {"bool": {"must": [{"exists": {"field": "WevtFilter.CommandLine.keyword"}}, {"wildcard": {"WevtFilter.CommandLine.keyword": "*echo*"}}]}},...

daanraman

Reproduce: - Add whitelist item in global whitelist section (literals for example) - Remove use case from the configuration file - Save configuration file so that historical whitelist is processed...

daanraman

https://www.elastic.co/guide/en/elasticsearch/reference/current/search-aggregations-bucket-composite-aggregation.html

olivierbuez

michielmeersmans

daanraman

daanraman

Look into ways of throttling running of ee-outliers (less CPU's, ...)

1

daanraman

Adapt across_aggregators for coeff_of_variation in Terms Analyzer

1

`coeff_of_variation` was thinking for `within_aggregator`. This parameter with `across_aggregators` need to be test and maybe adapted

detobel36

Handle ES conflict errors causing outliers to stop/restart

1

``` POST http://esnode1:9200/logstash-eagleeye-*/_update_by_query?refresh=true&wait_for_completion=true [status:409 request:0.511s] Traceback (most recent call last): File "outliers.py", line 391, in run_outliers() File "outliers.py", line 56, in run_outliers run_daemon_mode() File "outliers.py", line 179, in run_daemon_mode es.remove_all_outliers()...

jvanwilder