Information Content Functions

Detect anomalies in the amount of information contained in strings within a bucket. This can be used as a more sophisticated method to identify instances of data exfiltration or command-and-control (C2) activity, in cases where analyzing the size in bytes of the data alone is not sufficient.

info_content(field1) [by <field2>] [over <field3>]
high_info_content(field1) [by <field2>] [over <field3>]
low_info_content(field1) [by <field2>] [over <field3>]

Note: Further configuration options are available, which are described in the Detector Configuration section:

function(field1) [by <field2>] [over <field3>] [partitionfield=<field4>] [summarycountfield=<field5>] [categorizationfield=<field6>] [excludefrequent=true] [usenull=true]


info_content(subdomain) over highest_registered_domain
  • Models the information present in the subdomain string
  • Detects anomalies where the information content is unusual compared to the other highest_registered_domains

An anomaly could indicate an abuse of the DNS protocol, such as malicious command and control activity. Both high and low values are considered anomalous. In many use cases, high_info_content is the more appropriate choice.


high_info_content(query) over src_ip
  • Models the information content held in the DNS query string
  • Detects src_ip values where the information content is unusually high compared to other src_ip values

Similar to the first example, but only reports anomalies where the amount of information content is higher than expected. This configuration identifies activity typical of DGA malware.


low_info_content(message) by logfilename
  • Models the information content present in the message string for each logfilename
  • Detects anomalies where the information content is low compared to that logfilename's own past

This will detect unusually low amounts of information in a collection of rolling log files. Low information may indicate that a process has entered an infinite loop, or that logging features have been disabled.
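The following Python script is an added example, not the product's own implementation of info_content, high_info_content or low_info_content. It approximates "information content" with Shannon entropy times string length (the product's exact measure is not described on this page, so treat that choice as an assumption), groups the values per `over` entity as in the `high_info_content(query) over src_ip` example, and flags entities whose value sits far from the rest of the population in the high, low or both directions. The DNS records, IP addresses and hostnames are constructed sample data; the registered-domain split is a two-label heuristic rather than a public suffix list lookup.

```python
"""Entropy-based approximation of the info_content function family.
Added example: the scoring here is an assumption, not the product's algorithm."""
import math
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Constructed sample DNS records (hypothetical src_ip and query values).
# One host issues long hex-like subdomains, the pattern seen with DGA or tunnelling.
SAMPLE_QUERIES = [
    {"src_ip": "10.0.0.5", "query": "www.example.com"},
    {"src_ip": "10.0.0.6", "query": "mail.example.com"},
    {"src_ip": "10.0.0.7", "query": "cdn.example.org"},
    {"src_ip": "10.0.0.8", "query": "static.example.org"},
    {"src_ip": "10.0.0.10", "query": "api.example.net"},
    {"src_ip": "10.0.0.11", "query": "login.example.net"},
    {"src_ip": "10.0.0.12", "query": "shop.example.com"},
    {"src_ip": "10.0.0.9", "query": "4f3a9c1e7b2d8a6f0e5c3b1a9d7f2e4c.example.net"},
    {"src_ip": "10.0.0.9", "query": "a1b2c3d4e5f60718293a4b5c6d7e8f90.example.net"},
]


def shannon_entropy_bits_per_char(text):
    """Shannon entropy of the character distribution, in bits per character."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def info_content(text):
    """Total information in the string: entropy per character times length (assumed measure)."""
    return shannon_entropy_bits_per_char(text) * len(text)


def split_query(query):
    """Split a DNS name into (subdomain, highest_registered_domain).
    Assumption: the registered domain is the last two labels; real deployments
    should use the public suffix list instead."""
    labels = query.rstrip(".").split(".")
    if len(labels) <= 2:
        return "", query
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def info_per_entity(records, field_fn, over_fn):
    """Mean information content of the analysed field for each 'over' entity."""
    per_entity = defaultdict(list)
    for rec in records:
        per_entity[over_fn(rec)].append(info_content(field_fn(rec)))
    return {entity: mean(values) for entity, values in per_entity.items()}


def population_outliers(per_entity, mode="both", z=2.0):
    """Flag entities deviating from the population by at least z standard deviations.
    mode mirrors the three functions: 'both' = info_content, 'high' = high_info_content,
    'low' = low_info_content. Returns {entity: z_score}."""
    values = list(per_entity.values())
    if len(values) < 2:
        return {}
    mu, sigma = mean(values), pstdev(values)
    if sigma == 0:
        return {}
    flagged = {}
    for entity, value in per_entity.items():
        score = (value - mu) / sigma
        is_high = mode in ("both", "high") and score >= z
        is_low = mode in ("both", "low") and score <= -z
        if is_high or is_low:
            flagged[entity] = round(score, 2)
    return flagged


if __name__ == "__main__":
    # Equivalent of: high_info_content(query) over src_ip
    per_ip = info_per_entity(SAMPLE_QUERIES, lambda r: r["query"], lambda r: r["src_ip"])
    print("high_info_content(query) over src_ip ->", population_outliers(per_ip, mode="high"))
    # Equivalent grouping of: info_content(subdomain) over highest_registered_domain
    per_domain = info_per_entity(
        SAMPLE_QUERIES,
        lambda r: split_query(r["query"])[0],
        lambda r: split_query(r["query"])[1],
    )
    print("mean subdomain info per registered domain ->", per_domain)
```

The `over` form is a population comparison, so the z-score is taken across entities within one bucket; the `by logfilename` form in the last example compares each entity with its own history instead, which would require keeping a per-entity baseline across buckets rather than the single-bucket population statistics shown here.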
