I have created several anomaly rules based upon saved views and am having difficulty understanding the meaning of the anomaly description.
Created the following anomaly rule (specified a single log source to evaluate):
“Anomaly detection of border FW Traffic when time series data is being aggregated by Log Source and when the average value (per interval) of Event Count (Sum) over the last 30 mins is at least 100% different from the average value (per interval) of the same property over the last 1 week”
I thought what this logic would do is evaluate the traffic based on 30-minute intervals and compare it to the same 30-minute interval from the previous week; for example, Monday 1:00-1:30 would be compared to the previous Monday 1:00-1:30, and it would fire only if the value was 100% different (double). I purposefully chose to span 1 week for the aggregated data as I thought this would compare like-for-like traffic and easily identify anomalies. However, this does not seem to be how it works; when the rule actually fired, it stated:
“Event Count (Sum) (Log Source is %LOG SOURCE NAME%) was aggregated over 30 intervals and the aggregate value was 100% different from the average (per interval) of the same property over the last 1 week at 1:09 PM”
Note it states 30 intervals were assessed. Does this mean it evaluated 30-minute intervals x 30 = 900 minutes? The interpretation is ambiguous, and the documentation I found seems light. Furthermore, the 30-minute intervals appear to be a rolling 30 minutes (i.e., it is not a discrete 9:00AM-9:30AM, but rather can be 9:01-9:31, 9:02-9:32, etc.), which makes interpretation even more difficult. We have a number of use cases where I would like to use the Anomaly and Behavioral rules, so I would really like to understand them better.
If anyone has suggestions or a better explanation it would be appreciated.
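The two readings contrasted in the post, side by side, as an added illustration rather than anything from the product documentation: the rule text as fired (a rolling 30-minute window whose sum is compared against the mean per-interval sum over the preceding week) versus the same-slot-last-week comparison the poster expected. The constructed sample has a burst that recurs weekly (a scheduled job), so the two readings disagree; the window length, one-minute base resolution, and the use of the absolute relative difference as the "100% different" test are assumptions, not confirmed behaviour of the rule engine.

```python
from statistics import mean

MINUTES_PER_WEEK = 7 * 24 * 60
WINDOW = 30  # minutes in the current window, as in the rule text (assumption: 1-minute base intervals)

def build_sample():
    """Constructed per-minute event counts for one log source: one week of
    history plus the current 30-minute window. A 25 events/min burst runs in
    the current window AND in the same slot exactly one week earlier."""
    counts = [10] * (MINUTES_PER_WEEK + WINDOW)
    for i in range(WINDOW):                      # same slot last week
        counts[i] = 25
    for i in range(MINUTES_PER_WEEK, MINUTES_PER_WEEK + WINDOW):  # now
        counts[i] = 25
    return counts

def interval_sums(counts, interval=WINDOW):
    """Roll per-minute counts up into consecutive fixed-size interval sums."""
    return [sum(counts[i:i + interval])
            for i in range(0, len(counts) - interval + 1, interval)]

def rolling_vs_week_average(counts, window=WINDOW, history=MINUTES_PER_WEEK, threshold=1.0):
    """Reading 1 (matches the fired description): sum of the last `window`
    minutes vs. the mean per-interval sum over the preceding `history` minutes.
    Fires when the relative difference is at least `threshold` (100%)."""
    current = sum(counts[-window:])
    baseline = mean(interval_sums(counts[-(window + history):-window], window))
    pct = abs(current - baseline) / baseline
    return current, baseline, pct, pct >= threshold

def same_slot_last_week(counts, window=WINDOW, week=MINUTES_PER_WEEK, threshold=1.0):
    """Reading 2 (what the poster expected): the current window vs. the single
    window that ended exactly one week earlier (like-for-like slot)."""
    current = sum(counts[-window:])
    last_week = sum(counts[-(window + week):-week])
    pct = abs(current - last_week) / last_week
    return current, last_week, pct, pct >= threshold

if __name__ == "__main__":
    sample = build_sample()
    print("rolling vs week average:", rolling_vs_week_average(sample))  # fires
    print("same slot last week:   ", same_slot_last_week(sample))       # does not fire
```

Because the weekly average is dominated by the 335 quiet intervals, the recurring burst looks anomalous under the first reading but not under the second; whichever semantics the product actually applies, a recurring scheduled spike is the case to validate a new rule against before relying on it.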