Apache anomaly detection configurations

edit

These anomaly detection job wizards appear in Kibana if you use the Apache integration in Fleet or you use Filebeat to ship access logs from your Apache HTTP servers to Elasticsearch. The jobs assume that you use fields and data types from the Elastic Common Schema (ECS).

Apache access logs

edit

These anomaly detection jobs find unusual activity in HTTP access logs.

For more details, see the datafeed and job definitions in GitHub. Note that these jobs are available in Kibana only if data exists that matches the datafeed query.

low_request_rate_apache

Detects low request rates.

Job details
Required Beats or Elastic Agent integrations
  • Apache integration
source_ip_request_rate_apache

Detects unusual source IPs.

Job details
  • Analyzes request rates (using the high_count function) relative to all the source IPs (over_field_name is source.address).
Required Beats or Elastic Agent integrations
  • Apache integration
source_ip_url_count_apache

Detects unusual source IPs.

Job details
  • Analyzes distinct counts of URLs (using the high_distinct_count function on the url.original field) relative to all the source IPs (over_field_name is source.address).
Required Beats or Elastic Agent integrations
  • Apache integration
status_code_rate_apache

Detects unusual status code rates.

Job details
  • Analyzes request rates (using the count function) split by status code (partition_field_name is http.response.status_code).
Required Beats or Elastic Agent integrations
  • Apache integration
visitor_rate_apache

Detects unusual visitor rates.

Job details
Required Beats or Elastic Agent integrations
  • Apache integration

Apache access logs (Filebeat)

edit

These legacy anomaly detection jobs find unusual activity in HTTP access logs. For the latest versions, install the Apache integration in Fleet; see Apache access logs.

For more details, see the datafeed and job definitions in GitHub.

These configurations are only available if data exists that matches the recognizer query specified in the manifest file.

low_request_rate_ecs

Detects low request rates.

Job details
Required Beats or Elastic Agent integrations
  • Filebeat
source_ip_request_rate_ecs

Detects unusual source IPs.

Job details
  • Analyzes request rates (using the high_count function) relative to all the source IPs (over_field_name is source.address).
Required Beats or Elastic Agent integrations
  • Filebeat
source_ip_url_count_ecs

Detects unusual source IPs.

Job details
  • Analyzes distinct counts of URLs (using the high_distinct_count function on the url.original field) relative to all the source IPs (over_field_name is source.address).
Required Beats or Elastic Agent integrations
  • Filebeat
status_code_rate_ecs

Detects unusual status code rates.

Job details
  • Analyzes request rates (using the count function) split by status code (partition_field_name is http.response.status_code).
Required Beats or Elastic Agent integrations
  • Filebeat
visitor_rate_ecs

Detects unusual visitor rates.

Job details
Required Beats or Elastic Agent integrations
  • Filebeat