
Set severity of detectors

Open landauermax opened this issue 3 years ago • 4 comments

It should be possible to set the severity of detectors and add this information to the output if set. E.g., a parameter severity = 0.7 can be added to a value detector monitoring critical states, while severity = 0.1 can be set for less important detectors that are more likely to produce false positives. Please make sure that this parameter does not interfere with the confidence that is available for some detectors in the output.

landauermax avatar Jul 19 '21 06:07 landauermax

What should this parameter do, outside of giving information to the reader? If there is no use case in calculations, then a string value could be better fitted. For example severity = "critical" or severity = "info" for those two examples.

ernstleierzopf avatar Jul 19 '21 06:07 ernstleierzopf

They are mainly for displaying the anomalies in a SIEM (for example, a lot of low-severity alerts can be less critical than a few high-severity alerts) and numeric correlation (for example, a "total severity" can be calculated by aggregating the severities of all alerts occurring in a certain time window). I think INFO is generally not an appropriate level for anomalies, since every anomaly should be at least a warning. Anyway, it is up to the SIEM to categorize the anomalies in high/medium/low or whatever categories based on the numeric value.

landauermax avatar Jul 19 '21 07:07 landauermax
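The numeric use described above, as an added example that is not code from the issue or from the AMiner project: each detector carries a configured severity that is copied into its anomaly records without touching the confidence some detectors already emit, and a downstream consumer sums severities per time window so that one high-severity alert can outrank many low-severity ones. The detector names, record fields and timestamps are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime

# Hypothetical per-detector severity configuration, following the values
# proposed in the issue: 0.7 for a detector watching critical states,
# 0.1 for a noisier detector that is more likely to raise false positives.
DETECTOR_SEVERITY = {
    "critical_state_detector": 0.7,
    "noisy_value_detector": 0.1,
}

# Constructed anomaly records (not real AMiner output). "confidence" is only
# present where a detector computes one, so the two measures must stay separate.
SAMPLE_ANOMALIES = [
    {"ts": "2021-07-19T06:00:05+00:00", "detector": "noisy_value_detector", "confidence": 0.45},
    {"ts": "2021-07-19T06:00:20+00:00", "detector": "noisy_value_detector", "confidence": 0.30},
    {"ts": "2021-07-19T06:00:41+00:00", "detector": "noisy_value_detector", "confidence": 0.60},
    {"ts": "2021-07-19T06:00:55+00:00", "detector": "noisy_value_detector"},
    {"ts": "2021-07-19T06:02:10+00:00", "detector": "critical_state_detector"},
]


def attach_severity(anomaly, severities=DETECTOR_SEVERITY):
    """Return a copy of the anomaly with the detector's configured severity added.

    The confidence field, when present, is copied unchanged; detectors with no
    configured severity get no severity key at all instead of a made-up value.
    """
    out = dict(anomaly)
    if anomaly["detector"] in severities:
        out["severity"] = severities[anomaly["detector"]]
    return out


def total_severity(anomalies, window_seconds=60):
    """Sum severity per epoch-aligned time window: {window_start_epoch: total}.

    Records without a severity contribute nothing to their window.
    """
    totals = defaultdict(float)
    for anomaly in anomalies:
        epoch = int(datetime.fromisoformat(anomaly["ts"]).timestamp())
        window_start = epoch - epoch % window_seconds
        totals[window_start] += anomaly.get("severity", 0.0)
    return dict(totals)


def rank_windows(totals):
    """Windows ordered from highest to lowest aggregated severity."""
    return sorted(totals.items(), key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    enriched = [attach_severity(a) for a in SAMPLE_ANOMALIES]
    for window_start, total in rank_windows(total_severity(enriched)):
        print(datetime.fromtimestamp(window_start).isoformat(), round(total, 2))
```

With these inputs the single 0.7 anomaly in the 06:02 window ranks above the four 0.1 anomalies in the 06:00 window (total 0.4), which is the ordering a SIEM would want.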

This issue should be solved before the unit tests are rewritten and extended.

ernstleierzopf avatar Jul 20 '21 07:07 ernstleierzopf

I would like to have tags for events that we generate, so that we can add different tags to the output. One of them could be the severity.

whotwagner avatar Mar 18 '22 09:03 whotwagner