Apache anomaly detection configurations
editApache anomaly detection configurations
editThese anomaly detection job wizards appear in Kibana if you use the Apache integration in Fleet or you use Filebeat to ship access logs from your Apache HTTP servers to Elasticsearch. The jobs assume that you use fields and data types from the Elastic Common Schema (ECS).
Apache access logs
editThese anomaly detection jobs find unusual activity in HTTP access logs.
For more details, see the datafeed and job definitions in GitHub. Note that these jobs are available in Kibana only if data exists that matches the datafeed query.
- low_request_rate_apache
-
Detects low request rates.
- Job details
-
-
Analyzes request rates (using the
low_count
function).
-
Analyzes request rates (using the
- Required Beats or Elastic Agent integrations
-
- Apache integration
- source_ip_request_rate_apache
-
Detects unusual source IPs.
- Job details
-
-
Analyzes request rates (using the
high_count
function) relative to all the source IPs (over_field_name
issource.address
).
-
Analyzes request rates (using the
- Required Beats or Elastic Agent integrations
-
- Apache integration
- source_ip_url_count_apache
-
Detects unusual source IPs.
- Job details
-
-
Analyzes distinct counts of URLs (using the
high_distinct_count
function on theurl.original
field) relative to all the source IPs (over_field_name
issource.address
).
-
Analyzes distinct counts of URLs (using the
- Required Beats or Elastic Agent integrations
-
- Apache integration
- status_code_rate_apache
-
Detects unusual status code rates.
- Job details
-
-
Analyzes request rates (using the
count
function) split by status code (partition_field_name
ishttp.response.status_code
).
-
Analyzes request rates (using the
- Required Beats or Elastic Agent integrations
-
- Apache integration
- visitor_rate_apache
-
Detects unusual visitor rates.
- Job details
-
-
Analyzes request rates using the
non_zero_count
function.
-
Analyzes request rates using the
- Required Beats or Elastic Agent integrations
-
- Apache integration
Apache access logs (Filebeat)
editThese legacy anomaly detection jobs find unusual activity in HTTP access logs. For the latest versions, install the Apache integration in Fleet; see Apache access logs.
For more details, see the datafeed and job definitions in GitHub.
These configurations are only available if data exists that matches the recognizer query specified in the manifest file.
- low_request_rate_ecs
-
Detects low request rates.
- Job details
-
-
Analyzes request rates (using the
low_count
function).
-
Analyzes request rates (using the
- Required Beats or Elastic Agent integrations
-
- Filebeat
- source_ip_request_rate_ecs
-
Detects unusual source IPs.
- Job details
-
-
Analyzes request rates (using the
high_count
function) relative to all the source IPs (over_field_name
issource.address
).
-
Analyzes request rates (using the
- Required Beats or Elastic Agent integrations
-
- Filebeat
- source_ip_url_count_ecs
-
Detects unusual source IPs.
- Job details
-
-
Analyzes distinct counts of URLs (using the
high_distinct_count
function on theurl.original
field) relative to all the source IPs (over_field_name
issource.address
).
-
Analyzes distinct counts of URLs (using the
- Required Beats or Elastic Agent integrations
-
- Filebeat
- status_code_rate_ecs
-
Detects unusual status code rates.
- Job details
-
-
Analyzes request rates (using the
count
function) split by status code (partition_field_name
ishttp.response.status_code
).
-
Analyzes request rates (using the
- Required Beats or Elastic Agent integrations
-
- Filebeat
- visitor_rate_ecs
-
Detects unusual visitor rates.
- Job details
-
-
Analyzes request rates using the
non_zero_count
function.
-
Analyzes request rates using the
- Required Beats or Elastic Agent integrations
-
- Filebeat