Question & Answer
Question
How do I know when an anomaly rule will trigger when testing against a value, such as an event count?
Answer
Let's consider an anomaly rule that uses a test:
"when the average value (per interval) of Event Count(Sum) over the last 1 min is at least 50% different from the average value (per interval) of the same property over the last 5 mins."
For any anomaly rule, if the base value is zero, then it will not trigger. For example, if the base value increases from 0 to 50 counts, it will not trigger. However, if the base value changes from 50 to 100, or from 1 to 51, it will trigger.
It will also trigger if the base value changes from 50 to 0, because the percentage difference can be +50% or -50% from the expected value. Since, in the above example, we are taking the average value for the last 5 minutes, the anomaly rule would keep firing for the next 4 minutes until the average value goes down. For example, if 50 events per minute arrive for the last 10 minutes and then the events stop, the average value keeps dropping and the rule triggers as shown in the following table:
| Minute | Average count for last 5 minutes | Percentage of threshold | Result |
|---|---|---|---|
| 1st Minute | 50 | 100 % | Anomaly rule will trigger |
| 2nd Minute | 40 | 80 % | Anomaly rule will trigger |
| 3rd Minute | 30 | 70 % | Anomaly rule will trigger |
| 4th Minute | 20 | 60 % | Anomaly rule will trigger |
| 5th Minute | 10 | 50 % | Rule does not trigger |
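As an added illustration (not code from this article or from QRadar), the following Python model replays the test quoted above against a per-minute event count series. It assumes that the "base" is the average over the 5 intervals preceding the current minute and that the current value is the most recent 1-minute interval; QRadar's exact windowing may differ. It reproduces the four transitions discussed (0 to 50, 50 to 100, 1 to 51, 50 to 0) and shows the rule continuing to fire after events stop until the base average decays to zero.

```python
from statistics import mean

# Assumed model of the rule test (not product code): the base is the average
# event count over the LONG_WINDOW intervals before the current one, and the
# current value is the average over the most recent SHORT_WINDOW intervals.
SHORT_WINDOW = 1    # "over the last 1 min"
LONG_WINDOW = 5     # "over the last 5 mins"
THRESHOLD_PCT = 50  # "at least 50% different"


def rule_fires(counts, threshold_pct=THRESHOLD_PCT):
    """Evaluate the test on a per-minute event count series.

    counts[-1] is the current minute. Returns (fires, base, diff_pct);
    a zero base never fires, so diff_pct is None in that case.
    """
    current = mean(counts[-SHORT_WINDOW:])
    base_slice = counts[-(LONG_WINDOW + SHORT_WINDOW):-SHORT_WINDOW]
    base = mean(base_slice) if base_slice else 0
    if base == 0:
        return False, base, None  # zero base value: rule does not trigger
    diff_pct = abs(current - base) / base * 100
    return diff_pct >= threshold_pct, base, diff_pct


def transition(before, after, steady_minutes=10):
    """Constructed series: 'before' events/min for a while, then 'after' once."""
    return [before] * steady_minutes + [after]


def decay_after_stop(rate=50, steady_minutes=10, quiet_minutes=6):
    """Evaluate minute by minute after a steady event flow stops.

    Returns a list of (minute_after_stop, base, fires) tuples.
    """
    series = [rate] * steady_minutes
    results = []
    for minute in range(1, quiet_minutes + 1):
        series.append(0)  # no events this minute
        fires, base, _ = rule_fires(series)
        results.append((minute, base, fires))
    return results


if __name__ == "__main__":
    for before, after in [(0, 50), (50, 100), (1, 51), (50, 0)]:
        print(f"{before} -> {after}: fires={rule_fires(transition(before, after))[0]}")
    for minute, base, fires in decay_after_stop():
        print(f"minute {minute} after stop: base={base}, fires={fires}")
```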
Document Information
Modified date: 01 April 2020
UID: swg21903306