It might be interesting to check which session metrics would result in a high anomaly rating (e.g. `"bitcount": ">= 3"`) before enabling enforcement rules.

- To search for sessions in our BookShop example that have >= 3 active anomaly indicators, we run:

  A note on the above request: it is always advisable to restrict the time frame and select an application to reduce the data processing time.
- The output will be something like this:
- From here, you may want to analyze the suspicious session using Logviewer.
- Use the session ID (`sess_id`) for a Kibana search for a detailed view.
- Alternatively: use the session ID (`sess_id`) with the airlock-elasticsearch-query tool for a quick view.

The query may look like follows:

The apply_models subcommand is quite versatile; please consult the tool's help to see its full capability: