The SENTINL anomaly detection mechanism is based on the three-sigma rule of thumb. In short, anomalies are the values that lie outside a band around the mean of a normal distribution; the band is two, four or six standard deviations wide (one, two or three standard deviations on either side of the mean) and covers 68.27%, 95.45% or 99.73% of the values respectively.
Let's walk through an example using a credit card transactions dataset.
- Create a new watcher.
- In the watcher editor, inside the Input tab, insert the Elasticsearch query that retrieves the credit card transactions dataset:
```json
{
  "search": {
    "request": {
      "index": [
        "credit_card"
      ],
      "body": {
        "size": 10000,
        "query": {
          "bool": {
            "must": [
              {
                "exists": {
                  "field": "Amount"
                }
              }
            ]
          }
        }
      }
    }
  }
}
```
- In the Condition tab, specify the minimum number of results to look for, `payload.hits.total > 0`, and the name of the field in which to look for anomalies, `Amount` in our example:
```json
{
  "script": {
    "script": "payload.hits.total > 0"
  },
  "anomaly": {
    "field_to_check": "Amount"
  }
}
```
- In the Action tab, create an `email html` action. In its Body HTML field, render all the anomalies contained in `payload.anomaly` using mustache syntax:
```html
<h1 style="background-color:DodgerBlue;color:white;padding:5px">Anomalies</h1>
<div style="background-color:Tomato;color:white;padding:5px">
  <ul>
    {{#payload.anomaly}}
    <li><b>id:</b> {{_id}} <b>Amount</b>: {{_source.Amount}}</li>
    {{/payload.anomaly}}
  </ul>
</div>
```
As a result, we receive an email with a list of the anomalous transactions. The list of anomalies is also indexed in today's alert index, `watcher_alarms-{year-month-date}`.
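To make the three-sigma check from the top of the page concrete, here is an added JavaScript example that is not SENTINL's own code: it takes a payload in Elasticsearch search-response shape (as the Input query above would return), evaluates the condition (`payload.hits.total > 0`, then the anomaly check on the `field_to_check` field), and expands the `{{#payload.anomaly}}` section of the email template into one `<li>` per anomalous hit. The transaction ids and amounts are constructed for this example; the function names (`meanAndStd`, `findAnomalies`, `evaluateCondition`, `renderAnomalyItems`) are this example's own and not SENTINL's API. It generalizes the page's check to any band width `k` (1, 2 or 3 standard deviations on each side of the mean).

```javascript
// Added example, not SENTINL's own code: the three-sigma anomaly check the
// page describes, run over hits in Elasticsearch search-response shape and
// producing the payload.anomaly list that the "email html" action renders.

// Constructed sample payload: 12 credit card transactions, one of them far
// outside the rest. Ids and amounts are made up for this example.
const samplePayload = {
  hits: {
    total: 12,
    hits: [
      { _id: "t1",  _source: { Amount: 12 } },
      { _id: "t2",  _source: { Amount: 15 } },
      { _id: "t3",  _source: { Amount: 18 } },
      { _id: "t4",  _source: { Amount: 20 } },
      { _id: "t5",  _source: { Amount: 22 } },
      { _id: "t6",  _source: { Amount: 25 } },
      { _id: "t7",  _source: { Amount: 14 } },
      { _id: "t8",  _source: { Amount: 19 } },
      { _id: "t9",  _source: { Amount: 21 } },
      { _id: "t10", _source: { Amount: 16 } },
      { _id: "t11", _source: { Amount: 17 } },
      { _id: "t12", _source: { Amount: 980 } }, // the outlier
    ],
  },
};

// Mean and population standard deviation of a list of numbers.
function meanAndStd(values) {
  const n = values.length;
  const mean = values.reduce((acc, v) => acc + v, 0) / n;
  const variance = values.reduce((acc, v) => acc + (v - mean) ** 2, 0) / n;
  return { mean, std: Math.sqrt(variance) };
}

// Hits whose fieldToCheck value falls outside mean ± k*std. k = 1, 2, 3 gives
// the bands of width 2, 4 and 6 sigma (68.27%, 95.45% and 99.73% of a normal
// distribution) from the top of the page. Hits without a finite numeric value
// for the field are ignored, mirroring the "exists" filter in the input query.
function findAnomalies(payload, fieldToCheck, k) {
  const hits = payload.hits.hits.filter((h) => {
    const v = h._source[fieldToCheck];
    return typeof v === "number" && Number.isFinite(v);
  });
  if (hits.length < 2) return []; // no spread to measure
  const { mean, std } = meanAndStd(hits.map((h) => h._source[fieldToCheck]));
  if (std === 0) return []; // all values identical: nothing can be an outlier
  const lower = mean - k * std;
  const upper = mean + k * std;
  return hits.filter((h) => {
    const v = h._source[fieldToCheck];
    return v < lower || v > upper;
  });
}

// The condition from the page: payload.hits.total > 0 first, then the
// anomaly check on field_to_check. The action fires only if anomalies exist.
function evaluateCondition(payload, fieldToCheck, k = 3) {
  if (!(payload.hits.total > 0)) return { fire: false, anomaly: [] };
  const anomaly = findAnomalies(payload, fieldToCheck, k);
  return { fire: anomaly.length > 0, anomaly };
}

// Escape the characters that matter inside HTML text, as mustache's
// double-brace tags do, so a document id or value read from the index
// cannot inject markup into the alert email.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;" };
  return String(s).replace(/[&<>"]/g, (c) => map[c]);
}

// What the {{#payload.anomaly}} section of the email template expands to:
// one <li> per anomalous hit.
function renderAnomalyItems(anomaly, fieldToCheck) {
  return anomaly
    .map(
      (h) =>
        `<li><b>id:</b> ${escapeHtml(h._id)} <b>${escapeHtml(fieldToCheck)}</b>: ` +
        `${escapeHtml(h._source[fieldToCheck])}</li>`
    )
    .join("\n");
}

// Stand-alone run: only t12 (Amount 980) lies outside the 3-sigma band.
const result = evaluateCondition(samplePayload, "Amount", 3);
console.log(result.fire, "\n" + renderAnomalyItems(result.anomaly, "Amount"));
```

Note the caveat the sample data illustrates: with a single extreme value in a small sample, the outlier itself inflates the standard deviation, so the widest band only catches it when the sample has at least eleven hits; the `size: 10000` in the Input query matters for that reason. Dropping the outlier from the sample and rerunning with `k = 1` flags the four amounts (12, 14, 22 and 25) outside the narrow 68.27% band and nothing at `k = 3`.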