How to Use Anomaly Detection

This guide explains how to configure and use Peakhour's Anomaly Detection system to identify unusual traffic patterns that may indicate security threats or operational issues.

Accessing Anomaly Detection

  1. Navigate to your Domain Dashboard.
  2. In the main navigation, under the "Security" section, click on Anomalies.

This will take you to two sub-sections:

  • Settings: Where you configure Anomaly Processors.
  • Events: Where you view detected anomalies.

Understanding Anomaly Processors

An Anomaly Processor is a configuration that defines what data to monitor and how to score it for unusual behavior. It continuously analyzes your traffic in near real-time.

Key Concepts:

  • Bucket Key: The primary field to group traffic by. For example, choosing Client will track the behavior of each individual IP address.
  • Anomaly Values: The metrics to measure for each bucket. For example, Hits will count the number of requests.
  • Score Type: The statistical algorithm used to determine if a pattern is anomalous. Zscore is a common choice: it measures how many standard deviations a data point lies from the average of the bucket's recent history.
  • Filter: An optional Wirefilter expression to only analyze a subset of your traffic (e.g., only requests to your login page).

Creating an Anomaly Processor

  1. Navigate to the Anomalies > Settings page.
  2. Click the Add New Processor button.
  3. A modal will appear with the configuration form, divided into sections.

General Settings

  • Name: Give your processor a descriptive name (e.g., "Login Page Brute Force Detector").
  • Bucket Key: Select the field to track. To detect attacks from a single source, Client (IP address) is a good choice. Bear in mind that a per-client bucket cannot surface an attack spread across many addresses when each address stays within its own normal volume.
  • Anomaly Values: Select the metrics to monitor. For request volume anomalies, choose Hits.
  • Filter (Optional): Enter a Wirefilter expression to narrow the scope. For a login detector, you might use http.request.uri.path == "/login".

Time Settings

  • Tick (s): How often (in seconds) the system collects data. A common value is 30.
  • Group by (s): The width in seconds of each data point; hits are summed over this interval before scoring. A common value is 60.

Score Settings

  • Score Type: Choose the detection algorithm. Zscore is a good starting point for volume-based anomalies.
  • Window Settings:

    • Window (s): The total time period of historical data to compare against. A larger window (e.g., 3600 for an hour) can detect slower-moving anomalies.
    • Min Hits: The minimum number of hits required within the window before scoring begins. This prevents flagging normal, low-traffic sources: a source with a near-zero baseline would otherwise sit many standard deviations above its own average after only a handful of requests.
    • K: The sensitivity threshold (for Z-score): an event is raised when a data point deviates from the window's average by more than K standard deviations. A higher value (e.g., 3 or 4) makes the detector less sensitive and results in fewer alerts.
  • Click Add Processor to save your configuration.

Viewing Anomaly Events

Once a processor is active, it will start generating events if it detects anomalous behavior.

  1. Navigate to the Anomalies > Events page.
  2. The page displays a timeline graph of anomaly events and a table listing each event.

The Events Table

  • When: The time the anomaly was detected.
  • Processor: The name of the processor that triggered the event.
  • Key: The specific value of the Bucket Key that was anomalous (e.g., the IP address 1.2.3.4).
  • Score: The anomaly score. Higher scores indicate a more significant deviation from the norm.
  • Type: The metric that was anomalous (e.g., Hits).
  • Data: The measured value of the metric at the time of the event.

Investigating an Event

  • View in Explorer: Click the Search icon in any event row to jump to the Log Explorer. The explorer will be pre-filtered to show the logs from the anomalous source during the time of the event, allowing you to see the exact requests that caused the anomaly.
  • Analysis Details: For some event types, you can expand the row to see a detailed breakdown of the traffic characteristics during the anomaly. This can help you understand why the traffic was flagged as unusual.