Filter machine learning actual values


(al) #1

i want to diagnostic brute force attacks on source ip . my query is login fail on logs.
i see this type anomalies by machine learning :

i think there is not anomaly for src ip : , because actual value is 2 .
how can i set configs for anomaly actual value ?
for this example actual >= 200

can i create such machine learnings by aggregated machine learnings and filter doc_count ?
i think this is a bad solution because records ommited from machine learnings.
i want filtered actual vaule affect on max severity.

(Dimitris Athanasiou) #2

Hi Al,

This is a great question! In cases like this, the result where the actual value is 2 is indeed mathematically anomalous. However, there is domain knowledge that renders such anomalies not interesting to you.

With the current state of the product, you could use watcher to ensure anomalies with an actual value less than 200 are excluded from alerting.

The ability to provide domain knowledge to the model is currently an area of investigation for us as we are working on finding the best way to allow our users to do so. We hope that there will be an easily configurable solution to this problem in an upcoming release.

Thank you for the valuable feedback.

Kind regards,

(system) #3

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.