The following content pack is available for use with a Graylog Illuminate license and Graylog Enterprise or Graylog Security. Contact sales to learn more about obtaining Illuminate.
All anomaly event messages generated by Graylog's anomaly detection tool have common fields and additional, detector-specific fields, depending on which detector the messages originate from. These anomaly fields are described in the anomaly detectors index depending on which detectors are enabled. The common message fields that are populated in all anomaly event messages are described in the following index.
Common Fields
Field Name | Values | Notes | Example |
---|---|---|---|
anomaly_approximate_start_time
|
Timestamp | The approximate time when the anomaly happened. If customers are using OpenSearch 1.2 or later, this value comes directly from OpenSearch. On OpenSearch 1.1, this will be the halfway point between anomaly_data_start_time and anomaly_data_end_time . |
2022-03-09 15:23:28 |
anomaly_confidence
|
Numeric 0.00 - 1.00 | The probability of the accuracy of the anomaly_score . The closer this number is to 1, the higher the accuracy. |
0.5 |
anomaly_data_end_time
|
Timestamp | The end of the detection range of the aggregated data. | 2022-03-09 15:25:28 |
anomaly_data_start_time
|
Timestamp | The start of the detection range of the aggregated data. | 2022-03-09 15:21:20 |
anomaly_detector_id
|
String | The unique id of the anomaly detector. Non-human-readable and really only useful if someone is trying to use the OpenSearch APIs directly. | xBcAin8BhVrcFRn8vhUX |
anomaly_detector_name
|
String | The name of the anomaly detector. These names are controlled by Graylog and is a limited and well-defined set. | windows_brute_force_logon
|
anomaly_execution_end_time
|
Timestamp | The actual end time of the detector for a specific run that produces the anomaly result. | 2022-03-09 15:26:28 |
anomaly_execution_start_time
|
Timestamp | The actual start time of the detector for a specific run that produces the anomaly result. | 2022-03-09 15:23:28 |
anomaly_feature_name
|
String | Name of the field or fields that the anomaly detection engine was analyzing for anomalous values (may not be useful for users). | anomdet_windows_logon_failed
|
anomaly_grade
|
Numeric 0.00 - 1.00 | Number between 0 and 1 that indicates how anomalous a data point is. An anomaly grade of 0 represents “not an anomaly,” and a non-zero value represents the relative severity of the anomaly. This is a normalized version of anomaly_score . |
0.5 |
anomaly_score
|
Numeric | Indicates relative severity of an anomaly. The higher the score, the more anomalous a data point is. | 3.875 |
event_source_product
|
String | Identifies anomaly msgs for identification and pipeline routing purposes. (Same value as field source) | cell |
message
|
String | Standard message field in all Graylog messages. Default format is [<detector_name>] Anomaly - |
graylog_anomaly
|
source
|
String | Standard source field in all Graylog messages. Will always be set to graylog_anomaly . (Same value as event_source_product .) |
graylog_anomaly
|
timestamp
|
Timestamp | Standard timestamp field in all Graylog messages. Will be set to the time when Graylog pulled the anomaly data from OpenSearch, not directly related to when the anomaly happened. | 2022-03-09 15:31:52 |