ee-outliers
Open-source framework to detect outliers in Elasticsearch events
Add new detection method: similarity between strings. Could be interesting in specific use cases to identify terms that are entirely different from others, in cases where we would expect a...
Example: `2020-03-02 16:51:43,427 [sigma-gen][ERROR] '%' must be followed by '%' or '(', found: '%COMSPEC%*"}}]}}, {"bool": {"must": [{"exists": {"field": "WevtFilter.CommandLine.keyword"}}, {"wildcard": {"WevtFilter.CommandLine.keyword": "*/c*"}}]}}, {"bool": {"must": [{"exists": {"field": "WevtFilter.CommandLine.keyword"}}, {"wildcard": {"WevtFilter.CommandLine.keyword": "*echo*"}}]}},...
Reproduce:
- Add whitelist item in global whitelist section (literals for example)
- Remove use case from the configuration file
- Save configuration file so that historical whitelist is processed...
https://www.elastic.co/guide/en/elasticsearch/reference/current/search-aggregations-bucket-composite-aggregation.html
`coeff_of_variation` was intended for `within_aggregator`. This parameter with `across_aggregators` needs to be tested and maybe adapted.
```
POST http://esnode1:9200/logstash-eagleeye-*/_update_by_query?refresh=true&wait_for_completion=true [status:409 request:0.511s]
Traceback (most recent call last):
  File "outliers.py", line 391, in run_outliers()
  File "outliers.py", line 56, in run_outliers
    run_daemon_mode()
  File "outliers.py", line 179, in run_daemon_mode
    es.remove_all_outliers()
...
```