- An Alarm is generated for each match.
- Build a watchlist with one or more fields
- For each matching event, add a record to the watchlist
- For each record changed, count the total number of matching records
- Alarms when Threshold exceeds a specified value
- Watchlist records are removed based on time since creation
- Manually add records to a watchlist of one or more fields
- For each matching event, compare to existing records
- Alarm if matching event matches all the fields of any record
- Manually add records to a watchlist of one or more fields
- For each matching event, compare to existing records
- Alarm if matching event does NOT match all the fields of any record
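The two watchlist-match patterns above (alarm on a match against a known-bad list, alarm on a miss against an expected-activity list) share one comparison: does the event equal a record on every selected field. The following is an added example, not code from the original page; the record and event values are constructed, and an event that lacks one of the selected fields is treated as not matching.

```python
def record_matches(record, event, fields):
    """True when the event carries every selected field and equals the record on all of them."""
    return all(f in event and record.get(f) == event[f] for f in fields)


def blocklist_alarm(watchlist, event, fields):
    """Alarm when the event matches ALL fields of ANY record (known-bad list)."""
    return any(record_matches(r, event, fields) for r in watchlist)


def allowlist_alarm(watchlist, event, fields):
    """Alarm when the event matches NO record on all fields (expected-activity list)."""
    return not any(record_matches(r, event, fields) for r in watchlist)


# Constructed sample records; not taken from any real environment.
ALLOWED_SERVICE_LOGONS = [
    {"user": "svc_backup", "host": "backup01"},
    {"user": "svc_backup", "host": "backup02"},
]
KNOWN_BAD_CLIENTS = [
    {"src_ip": "203.0.113.7", "user_agent": "scanner/1.0"},
]


def run_demo():
    """Evaluate four constructed events; returns one alarm flag per event."""
    events = [
        {"user": "svc_backup", "host": "backup01"},                # expected logon
        {"user": "svc_backup", "host": "web01"},                   # host the account never uses
        {"src_ip": "203.0.113.7", "user_agent": "scanner/1.0"},    # both fields match a record
        {"src_ip": "203.0.113.7", "user_agent": "Mozilla/5.0"},    # only one field matches
    ]
    return [
        allowlist_alarm(ALLOWED_SERVICE_LOGONS, events[0], ("user", "host")),
        allowlist_alarm(ALLOWED_SERVICE_LOGONS, events[1], ("user", "host")),
        blocklist_alarm(KNOWN_BAD_CLIENTS, events[2], ("src_ip", "user_agent")),
        blocklist_alarm(KNOWN_BAD_CLIENTS, events[3], ("src_ip", "user_agent")),
    ]


if __name__ == "__main__":
    print(run_demo())
```

Note that a partial match (one of two fields) raises nothing on the blocklist side, so the fields chosen for a record decide how narrow the match is; on the allowlist side a field missing from the event counts as a miss and therefore alarms.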
(AKA sliding window)
- Build a watchlist with one or more fields, including a counter field
- For each matching event, add a record to the watchlist or increment the counter of the matching record
- Alarm when a new entry is observed (counter value == 1)
- Alarm when a counter exceeds a specified threshold
- Watchlist entries are removed based on age of last edited time
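Both the counting watchlist above (threshold on the number of matching records within a time window) and the counter-field variant (new entry when the counter reads 1, alarm when it exceeds a threshold, expiry by last-edit time) can be served by one structure. This added example is not code from the original page; it keys records on `user` and `src_ip`, applies the rule only to events whose `outcome` is `failure`, and runs constructed sample events with timestamps passed in explicitly so the result is deterministic.

```python
from dataclasses import dataclass


@dataclass
class Record:
    """One watchlist row: the key field values, a counter and the last-edit time."""
    key: tuple
    count: int = 0
    last_seen: float = 0.0


class CounterWatchlist:
    """Watchlist keyed on one or more event fields with a per-record counter.

    Alarms on a new entry (counter == 1) and once the counter exceeds the
    threshold. Records whose last edit is older than `max_age` seconds are
    dropped before each event is processed, which gives the sliding window.
    """

    def __init__(self, fields, threshold, max_age, match=lambda e: True):
        self.fields = tuple(fields)
        self.threshold = threshold
        self.max_age = max_age
        self.match = match          # predicate selecting the events this rule applies to
        self.records = {}

    def _expire(self, now):
        stale = [k for k, r in self.records.items() if now - r.last_seen > self.max_age]
        for k in stale:
            del self.records[k]

    def observe(self, event, now):
        """Feed one event; return the list of alarm names it raised (usually empty)."""
        self._expire(now)
        if not self.match(event):
            return []
        key = tuple(event[f] for f in self.fields)
        rec = self.records.get(key)
        if rec is None:
            rec = self.records[key] = Record(key)
        rec.count += 1
        rec.last_seen = now
        alarms = []
        if rec.count == 1:
            alarms.append("new_entry")
        if rec.count == self.threshold + 1:   # fire once, when the count first exceeds the threshold
            alarms.append("threshold_exceeded")
        return alarms


# Constructed sample events (not real log data): (seconds since start, event)
SAMPLE_EVENTS = [
    (0,   {"user": "alice", "src_ip": "10.0.0.5", "outcome": "failure"}),
    (5,   {"user": "alice", "src_ip": "10.0.0.5", "outcome": "failure"}),
    (10,  {"user": "bob",   "src_ip": "10.0.0.9", "outcome": "failure"}),
    (12,  {"user": "alice", "src_ip": "10.0.0.5", "outcome": "failure"}),
    (14,  {"user": "alice", "src_ip": "10.0.0.5", "outcome": "success"}),
    (15,  {"user": "alice", "src_ip": "10.0.0.5", "outcome": "failure"}),
    (400, {"user": "alice", "src_ip": "10.0.0.5", "outcome": "failure"}),
]


def run_demo(threshold=3, max_age=300):
    """Run the sample through a failed-logon rule; return (time, user, alarm) tuples."""
    wl = CounterWatchlist(("user", "src_ip"), threshold, max_age,
                          match=lambda e: e["outcome"] == "failure")
    fired = []
    for ts, ev in SAMPLE_EVENTS:
        for alarm in wl.observe(ev, ts):
            fired.append((ts, ev["user"], alarm))
    return fired


if __name__ == "__main__":
    for row in run_demo():
        print(row)
```

With a threshold of 3 and a 300-second window, alice's fourth failure at t=15 is the one that exceeds the threshold; by t=400 her record has aged out, so the next failure is again reported as a new entry. That re-arming after expiry is the property to keep in mind when choosing `max_age`: too short and a slow, steady source never reaches the threshold.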
- Build watchlist with one or more fields, including a numeric 'baseline' field
- For each matching event, add a record to the watchlist and calculate the average of all records' baseline value
- Matching events have their selected numeric field compared with the average baseline value
- Alarm if percentage of difference between matched event and baseline average exceeds a set value or percentage
- Watchlist records are removed based on time since creation
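The baseline comparison above, as an added example that is not part of the original page: records are grouped by the selected key fields (here `user`), the event is added first and then compared with the average of all records sharing its key, as the steps are ordered, and records expire by creation time. The byte counts are constructed sample values.

```python
class BaselineWatchlist:
    """Per-key rolling baseline on one numeric field.

    Each matching event is recorded, then its value is compared with the average
    of all records that share its key fields (the new record included). Records
    older than `max_age` seconds since creation are dropped before every calculation.
    """

    def __init__(self, fields, value_field, max_age, max_pct_diff):
        self.fields = tuple(fields)
        self.value_field = value_field
        self.max_age = max_age
        self.max_pct_diff = max_pct_diff
        self.records = []          # (created_at, key, value)

    def observe(self, event, now):
        """Return (average, percent_difference, alarm) for this event."""
        self.records = [r for r in self.records if now - r[0] <= self.max_age]
        key = tuple(event[f] for f in self.fields)
        value = float(event[self.value_field])
        self.records.append((now, key, value))
        values = [v for _, k, v in self.records if k == key]
        avg = sum(values) / len(values)
        if avg == 0:                 # all-zero baseline: a percentage is undefined, so no alarm
            return avg, 0.0, False
        pct = abs(value - avg) / avg * 100
        return avg, pct, pct > self.max_pct_diff


# Constructed sample: (seconds since start, user, bytes sent in that interval)
SAMPLE_EVENTS = [
    (0,   "alice", 1000),
    (60,  "alice", 1200),
    (120, "alice", 900),
    (180, "alice", 1100),
    (240, "alice", 20000),
]


def run_demo(max_pct_diff=200, max_age=3600):
    """Feed the sample through the watchlist; returns one (avg, pct, alarm) tuple per event."""
    wl = BaselineWatchlist(("user",), "bytes_out", max_age, max_pct_diff)
    return [wl.observe({"user": u, "bytes_out": b}, ts) for ts, u, b in SAMPLE_EVENTS]


if __name__ == "__main__":
    for avg, pct, alarm in run_demo():
        print(f"avg={avg:.1f} diff={pct:.1f}% alarm={alarm}")
```

Because the event is part of the average it is measured against, one large value also pulls the baseline up for every later event in the window; a watchlist like this needs the window short enough that the baseline recovers, or the comparison made against records created before the event.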
- Build a watchlist of one or more fields, including start time of day and end time of day
- For each matching event, determine if time of event falls between matching records' start time of day and end time of day
- Alarm if event time is not within start and stop times
- Build a watchlist of one or more fields, including one for each day of week
- For each matching event, determine if matching record's matching day of week field is FALSE
- Alarm if matching record's day of week field is FALSE
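The time-of-day and day-of-week checks above share one watchlist record per key, so the following added example (not code from the original page) evaluates both. The records and event times are constructed; `days` is indexed the way `datetime.weekday()` numbers days (0 = Monday), and a window whose end is earlier than its start is taken to cross midnight.

```python
from datetime import datetime, time

# Constructed sample watchlist: expected clock window and permitted days per account.
WATCHLIST = [
    {"user": "svc_backup", "start": time(1, 0), "end": time(4, 0),
     "days": [True, True, True, True, True, False, False]},      # Mon-Fri only
    {"user": "svc_etl", "start": time(22, 0), "end": time(2, 0),  # window crosses midnight
     "days": [True] * 7},
]


def within_window(start, end, t):
    """True if clock time t lies in [start, end]; a window with end < start crosses midnight."""
    if start <= end:
        return start <= t <= end
    return t >= start or t <= end


def evaluate(watchlist, event, fields=("user",)):
    """Return alarm names for the event against every record that matches the key fields."""
    alarms = []
    when = event["time"]
    for rec in watchlist:
        if not all(rec[f] == event[f] for f in fields):
            continue
        if not within_window(rec["start"], rec["end"], when.time()):
            alarms.append("outside_hours")
        if not rec["days"][when.weekday()]:
            alarms.append("day_not_allowed")
    return alarms


def run_demo():
    """Constructed events: 2024-03-06 is a Wednesday, 2024-03-09 a Saturday."""
    events = [
        {"user": "svc_backup", "time": datetime(2024, 3, 6, 2, 30)},   # inside hours, weekday
        {"user": "svc_backup", "time": datetime(2024, 3, 6, 14, 0)},   # outside hours
        {"user": "svc_backup", "time": datetime(2024, 3, 9, 2, 30)},   # inside hours, Saturday
        {"user": "svc_etl",    "time": datetime(2024, 3, 6, 1, 0)},    # inside the overnight window
        {"user": "svc_etl",    "time": datetime(2024, 3, 6, 3, 0)},    # past the overnight window
    ]
    return [evaluate(WATCHLIST, e) for e in events]


if __name__ == "__main__":
    for result in run_demo():
        print(result)
```

The event timestamp and the watchlist must be in the same time zone, and a day-of-week check that runs just after midnight needs to agree with the window on which day an overnight window belongs to; both are common sources of false alarms with this rule type.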
- For matching alarm event, store in a watchlist
- For next matching alarm event, compare to watchlist for matches in one or more properties.
- Alarm if match is found
(AKA Edit Distance; AKA Similarity Score)
https://en.wikipedia.org/wiki/Levenshtein_distance
A score of 0 means both strings are equal.
- Build a watchlist of words to match against
- For each matching event, calculate the Levenshtein score of the selected field value against each entry in the watchlist
- Alarm if any score falls below a given threshold
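As an added example of the Levenshtein watchlist (not code from the original page), the block below implements the standard two-row edit-distance algorithm and compares a field value against a constructed list of legitimate domain names. One choice made here that the description leaves open: a score of 0 means the value is one of the watchlist entries itself, so it is not reported as an alarm.

```python
def levenshtein(a, b):
    """Edit distance with insert, delete and substitute each costing 1 (two-row DP)."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                  # delete from a
                           cur[j - 1] + 1,               # insert into a
                           prev[j - 1] + (ca != cb)))    # substitute (free if equal)
        prev = cur
    return prev[-1]


# Constructed watchlist of legitimate names to compare against.
WATCHLIST = ["example.com", "example-corp.com"]


def lookalike_alarm(value, watchlist, threshold):
    """Return (closest entry, score) when 0 < score < threshold, else None.

    Score 0 is an exact match with a watchlist entry, i.e. the legitimate value,
    and is deliberately not treated as an alarm here.
    """
    score, entry = min((levenshtein(value.lower(), w.lower()), w) for w in watchlist)
    if 0 < score < threshold:
        return entry, score
    return None


if __name__ == "__main__":
    for candidate in ["example.com", "exarnple.com", "github.com"]:
        print(candidate, lookalike_alarm(candidate, WATCHLIST, 3))
```

The threshold has to scale with the length of the watchlist entries: a distance of 2 is a strong signal against an 11-character domain but unremarkable against a 40-character one, so in practice the score is often divided by the entry length before comparing.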
(AKA Frequency Score; AKA randomness score)
https://en.wikipedia.org/wiki/Entropy_(information_theory)
A higher score means the string has a higher level of randomness.
- For each matching event, calculate the Shannon Entropy score of the selected field value
- Alarm if any score falls below a given threshold
- Calculating the randomness of strings and Alarming when the score exceeds a given threshold.
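The entropy calculation described above, as an added example that is not code from the original page: Shannon entropy in bits per character over the character frequencies of the string, applied here to the leftmost label of constructed DNS query names and alarming when the score exceeds the threshold, following the last line of the description.

```python
import math
from collections import Counter


def shannon_entropy(s):
    """Bits per character: 0.0 for one repeated character, up to log2(n) when
    n distinct characters each appear equally often."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def entropy_alarm(value, threshold):
    """Return (score, alarm) where alarm is True when the score exceeds the threshold."""
    score = shannon_entropy(value)
    return score, score > threshold


def first_label(fqdn):
    """Leftmost DNS label, the part most often generated rather than chosen by a person."""
    return fqdn.split(".")[0]


# Constructed sample query names; not taken from real traffic.
SAMPLE_QUERIES = ["www.example.com", "mail.example.com", "x7k2q9mz4p1v.example.com"]


def run_demo(threshold=3.5):
    """Score the first label of each sample name; returns (name, score, alarm) tuples."""
    return [(q,) + entropy_alarm(first_label(q), threshold) for q in SAMPLE_QUERIES]


if __name__ == "__main__":
    for name, score, alarm in run_demo():
        print(f"{name:28s} {score:.2f} {alarm}")
```

Entropy is bounded by log2 of the string length, so short labels never score high regardless of content, and legitimately generated names (CDN hostnames, hashes, base64 tokens) score as high as anything generated by an algorithm; the threshold is usually set per field and paired with a length floor.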
- Silence identical alarms for X time period
- Group identical alarms when X or more fire in Y time period
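The two noise-control rules above (silence repeats for a period, group a burst into one alarm) can be implemented over a single per-fingerprint history. This added example is not code from the original page; the fingerprint is whatever tuple the caller uses to decide that two alarms are identical, and the timestamps in the demo are constructed.

```python
from collections import defaultdict, deque


class AlarmThrottle:
    """Silence repeats of an identical alarm for `silence_secs`; once `group_min`
    identical alarms fall within `group_window` seconds, emit one grouped alarm
    and absorb the rest of that window into it."""

    def __init__(self, silence_secs, group_min, group_window):
        self.silence_secs = silence_secs
        self.group_min = group_min
        self.group_window = group_window
        self.history = defaultdict(deque)     # fingerprint -> timestamps inside the group window
        self.last_emitted = {}                # fingerprint -> time of the last individual emit
        self.grouped_until = {}               # fingerprint -> end of the current grouped period

    def submit(self, fingerprint, now):
        """Return 'emit', 'silenced', 'grouped:<n>' or 'in_group' for this alarm."""
        hist = self.history[fingerprint]
        hist.append(now)
        while hist and now - hist[0] > self.group_window:
            hist.popleft()
        if now < self.grouped_until.get(fingerprint, -1):
            return "in_group"
        if len(hist) >= self.group_min:
            count = len(hist)
            hist.clear()
            self.grouped_until[fingerprint] = now + self.group_window
            return f"grouped:{count}"
        last = self.last_emitted.get(fingerprint)
        if last is not None and now - last < self.silence_secs:
            return "silenced"
        self.last_emitted[fingerprint] = now
        return "emit"


def run_demo():
    """Constructed timeline: one fingerprint firing repeatedly, another firing once."""
    throttle = AlarmThrottle(silence_secs=60, group_min=5, group_window=300)
    noisy = ("failed_logon", "alice", "10.0.0.5")
    other = ("failed_logon", "bob", "10.0.0.9")
    timeline = [(noisy, 0), (noisy, 30), (noisy, 90), (other, 100),
                (noisy, 120), (noisy, 150), (noisy, 200), (noisy, 700)]
    return [(fp[1], ts, throttle.submit(fp, ts)) for fp, ts in timeline]


if __name__ == "__main__":
    for row in run_demo():
        print(row)
```

The fingerprint must leave out anything that varies per event (timestamps, process ids, session tokens), otherwise no two alarms are ever identical and neither rule has any effect.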
(AKA Stack Count; AKA Long Tail Analysis) Also known as stacking or least frequency of occurrence analysis (LFO), this method involves counting the number of occurrences of each unique value and sorting them in ascending order. The values with the lowest counts are considered outliers. In some cases, this can be reversed, with the values with the highest counts being considered the outliers, but this is relatively rare.
Z-score
When dealing with numeric values, a statistical test like z-score can be used. This test looks for values that lie more than a certain threshold, measured in standard deviations, above or below the mean. Typically, this threshold is two or three standard deviations.
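The two outlier methods above, as an added example that is not code from the original page: stack counting sorts distinct values by how often they occur (rarest first, or reversed), and the z-score test flags numeric values a chosen number of standard deviations from the mean. The process names and logon counts are constructed sample data.

```python
from collections import Counter
from statistics import mean, pstdev


def stack_count(values, rarest_first=True):
    """Count each distinct value and sort by frequency; ascending puts the long tail first."""
    counts = Counter(values)
    return sorted(counts.items(), key=lambda kv: (kv[1], kv[0]), reverse=not rarest_first)


def zscore_outliers(values, threshold=2.0):
    """Return (value, z) for every value at least `threshold` standard deviations from the mean.

    Uses the population standard deviation; with fewer than two values, or when all
    values are equal, there is no spread to measure and nothing is reported.
    """
    if len(values) < 2:
        return []
    mu, sigma = mean(values), pstdev(values)
    if sigma == 0:
        return []
    return [(v, (v - mu) / sigma) for v in values if abs(v - mu) / sigma >= threshold]


# Constructed sample data: process names seen across a fleet, and one host's daily logon counts.
PROCESS_NAMES = ["svchost.exe"] * 10 + ["explorer.exe"] * 4 + ["wmiprvse.exe"] * 3 + ["ws.exe"]
DAILY_LOGONS = [10, 12, 11, 13, 12, 11, 10, 50]


if __name__ == "__main__":
    for name, count in stack_count(PROCESS_NAMES):
        print(f"{count:3d}  {name}")
    print(zscore_outliers(DAILY_LOGONS, threshold=2.0))
```

A single extreme value inflates the standard deviation it is measured against, so on small samples a z-score of 2 or 3 is harder to reach than intuition suggests; the method also assumes the values are roughly normally distributed, which counts of security events often are not.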