anomaly-detection.md

File metadata and controls

12 lines (8 loc) · 1.58 KB

# Anomaly Detection

Malcolm uses the Anomaly Detection plugins for OpenSearch and OpenSearch Dashboards to identify anomalous log data in near real time using the Random Cut Forest (RCF) algorithm. This can be paired with Alerting to send notifications automatically when anomalies are found. See Anomaly detection in the OpenSearch documentation for instructions on creating detectors for any of the many fields Malcolm supports.

A fresh installation of Malcolm configures [several detectors]({{ site.github.repository_url }}/tree/{{ site.github.build_revision }}/dashboards/anomaly_detectors) for anomalous network traffic:

* `network_protocol` - Detects anomalies based on application protocol (`network.protocol`)
* `action_result_user` - Detects anomalies in action (`event.action`), result (`event.result`) and user (`related.user`) within application protocols (`network.protocol`)
* `file_mime_type` - Detects anomalies based on transferred file type (`file.mime_type`)
* `total_bytes` - Detects anomalies based on traffic size (sum of `network.bytes`)

These detectors are disabled by default, but may be enabled to run either in real time over streaming data or as a historical analysis over data already indexed.
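The four detectors above, expressed as OpenSearch Anomaly Detection API request bodies, plus the real-time versus historical start request. This is an added example, not Malcolm's own detector definitions: the index pattern, time field, detection interval and the aggregation used per feature (`cardinality` for keyword fields, `sum` for `network.bytes`) are assumptions; only the field names come from the page.

```python
"""Build Malcolm-style OpenSearch anomaly detector definitions (added example)."""
from __future__ import annotations
from typing import Any, Optional

# Assumed for a Malcolm deployment; adjust to your indices and time field.
INDEX_PATTERN = "arkime_sessions3-*"
TIME_FIELD = "@timestamp"


def feature(name: str, agg: dict[str, Any]) -> dict[str, Any]:
    """One RCF feature: a named aggregation evaluated per detection interval."""
    return {"feature_name": name, "feature_enabled": True,
            "aggregation_query": {name: agg}}


def detector(name: str, features: list[dict[str, Any]],
             category_field: Optional[list[str]] = None,
             interval_minutes: int = 1) -> dict[str, Any]:
    """Body for POST _plugins/_anomaly_detection/detectors."""
    body: dict[str, Any] = {
        "name": name,
        "description": f"Malcolm detector: {name}",
        "time_field": TIME_FIELD,
        "indices": [INDEX_PATTERN],
        "feature_attributes": features,
        "filter_query": {"match_all": {}},
        "detection_interval": {"period": {"interval": interval_minutes, "unit": "Minutes"}},
        "window_delay": {"period": {"interval": 1, "unit": "Minutes"}},
    }
    if category_field:  # per-category (high-cardinality) detector, one model per value
        body["category_field"] = category_field
    return body


# The page's four detectors; per-feature aggregations are assumptions.
DETECTORS = [
    detector("network_protocol",
             [feature("protocol_count", {"cardinality": {"field": "network.protocol"}})]),
    detector("action_result_user",
             [feature("action_count", {"cardinality": {"field": "event.action"}}),
              feature("result_count", {"cardinality": {"field": "event.result"}}),
              feature("user_count", {"cardinality": {"field": "related.user"}})],
             category_field=["network.protocol"]),  # "within application protocols"
    detector("file_mime_type",
             [feature("mime_count", {"cardinality": {"field": "file.mime_type"}})]),
    detector("total_bytes",
             [feature("total_bytes", {"sum": {"field": "network.bytes"}})]),
]


def start_request(detector_id: str, start_ms: Optional[int] = None,
                  end_ms: Optional[int] = None) -> tuple[str, str, Optional[dict]]:
    """Real-time start sends no body; a historical run passes an epoch-ms range."""
    path = f"/_plugins/_anomaly_detection/detectors/{detector_id}/_start"
    return "POST", path, (None if start_ms is None else {"start_time": start_ms, "end_time": end_ms})
```

Each body is what you would POST to create the detector; the returned detector id then goes into `start_request` to enable it for streaming or historical analysis.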