How do you create effective anomaly detectors? What features should you have enabled?

I want to create an anomaly detector for outbound destination IPs.

I currently have these features enabled:

  1. AvgBytes
  2. AvgElapsedTime
  3. MaxPackets

With the filter DestinationIP.keyword on?

How do I determine if I am creating an effective baseline? Should I have more or less features?

Sorry for the late reply. It's hard to say how many features, or which features, are better. I suggest testing with your data first. I suggest using a historical detector to run anomaly detection on historical data; then you can review the results and tune your features.
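One way to do what the reply suggests, replaying the detector's features over historical data and reviewing which feature fires for which destination. This is an added example, not code from the thread or from any anomaly-detection product: it assumes flow records already grouped into time buckets, uses the three feature names from the question, and scores each destination against a simple per-IP mean/standard-deviation baseline rather than any specific detector's algorithm.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed outbound flow records: (bucket, dest_ip, bytes, elapsed_ms, packets).
FLOWS = [
    # training window: buckets 0-3, one known destination
    (0, "203.0.113.10", 1000, 60, 8), (0, "203.0.113.10", 1200, 60, 12),
    (1, "203.0.113.10", 900, 60, 10), (1, "203.0.113.10", 1100, 60, 10),
    (2, "203.0.113.10", 1100, 60, 9), (2, "203.0.113.10", 1300, 60, 11),
    (3, "203.0.113.10", 1050, 60, 10), (3, "203.0.113.10", 1150, 60, 9),
    # evaluation window: buckets 4-5
    (4, "203.0.113.10", 50000, 60, 10),   # large transfer to a known destination
    (4, "198.51.100.7", 1100, 60, 10),    # destination never seen in training
    (5, "203.0.113.10", 1100, 61, 10),    # 1 ms change on a zero-variance feature
]

def bucket_features(flows):
    """Per (bucket, dest_ip): AvgBytes, AvgElapsedTime, MaxPackets (the question's features)."""
    groups = defaultdict(list)
    for bucket, ip, nbytes, elapsed, packets in flows:
        groups[(bucket, ip)].append((nbytes, elapsed, packets))
    return {k: {"AvgBytes": mean(r[0] for r in v),
                "AvgElapsedTime": mean(r[1] for r in v),
                "MaxPackets": max(r[2] for r in v)} for k, v in groups.items()}

def baseline(features, train_buckets):
    """Per destination IP and feature: (mean, population stddev) over the training buckets."""
    per_ip = defaultdict(lambda: defaultdict(list))
    for (bucket, ip), feats in features.items():
        if bucket in train_buckets:
            for name, val in feats.items():
                per_ip[ip][name].append(val)
    return {ip: {n: (mean(v), pstdev(v)) for n, v in d.items()} for ip, d in per_ip.items()}

def evaluate(flows, train_buckets, test_buckets, threshold=3.0):
    """Replay the evaluation buckets against the baseline; return (bucket, ip, reason) hits."""
    feats, base, hits = bucket_features(flows), None, []
    base = baseline(feats, train_buckets)
    for (bucket, ip), f in feats.items():
        if bucket not in test_buckets:
            continue
        if ip not in base:                       # no baseline at all for this destination
            hits.append((bucket, ip, "new-destination"))
            continue
        for name, val in f.items():
            mu, sd = base[ip][name]
            # Assumption: with zero training variance, any change is treated as infinite z;
            # such hits are a sign the feature has no usable baseline yet, not of an attack.
            z = abs(val - mu) / sd if sd > 0 else (0.0 if val == mu else float("inf"))
            if z > threshold:
                hits.append((bucket, ip, name))
    return sorted(hits)

if __name__ == "__main__":
    for hit in evaluate(FLOWS, {0, 1, 2, 3}, {4, 5}):
        print(hit)
```

Reviewing the hits shows the difference between a useful signal (AvgBytes on a known destination, a never-seen destination) and a feature that fires on a 1 ms change only because its training window had no spread, which is the kind of result that tells you whether to keep, drop or re-baseline a feature.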