Anomaly detection

Hi There,

I am looking for some guidance i order to try out the “Amonaly Detection” feature. I am trying to accomplish 1 usecase . Trying to detect user account login anomaly leveraling windows logs.
So far it seems like i am hitting a dead end with trying to create a detector that can do this. Any help on this would be greatly appreciated. Thanks in advance.

hi, @karmine

Can you explain more details? Can you share your detector configuration? Is your windows log streaming data?
Is it possible the windows log missing during detection interval ? For example, your detector’s interval is 10 minutes, is it possible that windows log may be missing in last 10 minutes?

sorry took me a while to get back to this. I can confirm the follow.
This how the Detector was set up, but I believe this is what I am doing wrong
Detector interval - 5 Minutes
Data filter -
- event_id is in range from 4624 to 4625
- source_name is Microsoft-Windows-Security-Auditing

Fetaures -
“aggs”: {
“avg”: {
“field”: “event_id”

This is obviously not producing the result i am expecting.
what i am trying to do is detect anomalous user login Activity & I can confirm that our data stream and integrity is right.

Any help would be much appreciated .

hi, @karmine

Can you check anomaly result in index .opendistro-anomaly-results* ? If there is any error, you can find in the index.

Hi ylwu,

Sorry for not being very specific from get-going. The issue i am having is not related to any errors.
The expected output is am getting is not what i am expecting. I believe the way i am setting it up is not the right way. So i am hoping if some one can help to direct me to a usecase that i am look at to make a usecase for my need.

I wanna build a use case to detect Anomalous user login activity ?

@karmine, will a tutorial blog which shows a similar case solve your problem?

Definitely … That would be awesome.

I am having the same issue. Please link to a tutorial blog …

@karmine , @sera4000 , thanks for your feedback, we are working on a tutorial blog, will share the link once done.

Thank you. Just to update i am eagerly waiting on the blog.

Yes - waiting for this … any ETA?

1 Like