Count Functions

Detect anomalies where the count of events in a bucket is anomalous.

Use non_zero_count functions if your data is sparse and you wish to ignore cases where the bucket count is zero.

Use distinct_count functions to analyze when the number of distinct values in one field is unusual, as opposed to the total count.

Use high_ sided functions if you wish to monitor unusually high event rates. Use low_ sided functions if you wish to look at drops in event rate.

count [by field1] [over field2]
high_count [by field1] [over field2]
low_count [by field1] [over field2]

non_zero_count [by field1]
high_non_zero_count [by field1]
low_non_zero_count [by field1]

distinct_count(field1) [by field2] [over field3]
high_distinct_count(field1) [by field2] [over field3]
low_distinct_count(field1) [by field2] [over field3]

Note: Unless documented otherwise above, by and over fields can be applied to every function. Further configuration options are available, which are described in the Detector Configuration section:

function(field1) [by <field2>] [over <field3>] [partitionfield=<field4>] [summarycountfield=<field5>] [categorizationfield=<field6>] [excludefrequent=true] [usenull=true]

count

Detect anomalies where the count of events in a bucket is anomalous. Use high_ sided functions if you wish to monitor unusually high event rates. Use low_ sided functions if you wish to look at drops in event rate.

Example 1

Probably the simplest possible analysis! Flags up buckets during which the overall count of events is higher or lower than usual.

count
  • Models the event rate
  • Detects when the event rate is unusual compared to the past

Example 2

high_count by errorCode over user
  • Models the event rate for each errorCode
  • Detects users that generate an unusually high count of errorCodes compared to other users

non_zero_count

Using non_zero_count allows analysis to be performed on data which is known to have gaps or be sparse, and when the gaps are not considered important. Use high_ sided functions if you wish to monitor unusually high event rates. Use low_ sided functions if you wish to look at drops in event rate.

Note: Population analysis (i.e. using an over field) is not applicable for this analysis function.

Example 1

high_non_zero_count by signaturename
  • Models the count of events for each signaturename
  • Ignores any buckets where the count is zero
  • Detects when a signaturename has an unusually high count of events compared to its past

distinct_count

Detect anomalies where the number of distinct values in one field is unusual. Available with both high_ and low_ sided functions, for use if you wish to look at unusually high or unusually low distinct counts.

Example 1

Detect when a system has an unusual number of logged in users.

distinct_count(user)
  • Models the distinct count of users
  • Detects when the distinct number of users is unusual compared to the past

Example 2

Detect instances of port scanning.

high_distinct_count(dst_port) over src_ip
  • Models the distinct count of ports
  • Detects src_ip values that connect to an unusually high number of different dst_ports compared to other src_ip values
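As an added illustration (not code from the original documentation), the following Python builds, from constructed connection events, the per-bucket series that count, non_zero_count and distinct_count(field) detectors model, and shows what a by field versus an over field compares each value against. The field names src_ip and dst_port, the 60-second bucket span and the events are assumptions made for this example.

```python
from collections import defaultdict

# Constructed sample events (not from the original page): time, source IP, destination port.
EVENTS = [
    {"t": 0, "src_ip": "10.0.0.1", "dst_port": 22},
    {"t": 30, "src_ip": "10.0.0.2", "dst_port": 80},
    {"t": 70, "src_ip": "10.0.0.1", "dst_port": 443},
    {"t": 80, "src_ip": "10.0.0.1", "dst_port": 443},
    # bucket 2 (120-179 s) has no events: count models a 0, non_zero_count skips it
    {"t": 190, "src_ip": "10.0.0.2", "dst_port": 80},
    {"t": 191, "src_ip": "10.0.0.2", "dst_port": 81},
    {"t": 192, "src_ip": "10.0.0.2", "dst_port": 82},
    {"t": 193, "src_ip": "10.0.0.2", "dst_port": 83},
    {"t": 194, "src_ip": "10.0.0.1", "dst_port": 22},
]


def bucket_series(events, function, field=None, partition=None, bucket_span=60):
    """Per-bucket series a count, non_zero_count or distinct_count(field) detector
    models, as {(bucket_index, partition_value): value}. partition is the by/over
    field name; high_/low_ variants model the same series, only the scored side differs."""
    if function == "distinct_count" and field is None:
        raise ValueError("distinct_count needs a field argument")
    counts, distinct = defaultdict(int), defaultdict(set)
    for e in events:
        key = (e["t"] // bucket_span, e[partition] if partition else None)
        counts[key] += 1
        if field:
            distinct[key].add(e[field])
    last_bucket = max(e["t"] for e in events) // bucket_span
    parts = sorted({e[partition] for e in events}) if partition else [None]
    series = {}
    for b in range(last_bucket + 1):
        for p in parts:
            n = len(distinct[(b, p)]) if function == "distinct_count" else counts[(b, p)]
            if function == "non_zero_count" and n == 0:
                continue  # sparse data: empty buckets are left out of the model
            series[(b, p)] = n
    return series


def baseline(series, bucket, part, mode):
    """Values (bucket, part) is judged against: the partition's own earlier buckets
    for a 'by' field, the other population members in the same bucket for 'over'."""
    if mode == "by":
        return [v for (b, p), v in series.items() if p == part and b < bucket]
    if mode == "over":
        return [v for (b, p), v in series.items() if b == bucket and p != part]
    raise ValueError(f"unknown mode {mode!r}")
```

Running bucket_series(EVENTS, "distinct_count", field="dst_port", partition="src_ip") gives 10.0.0.2 a distinct port count of 4 in bucket 3 against a population baseline of [1], which is the series the port-scanning example above models.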
