Anomaly detection

Hi There,

I am looking for some guidance i order to try out the “Amonaly Detection” feature. I am trying to accomplish 1 usecase . Trying to detect user account login anomaly leveraling windows logs.
So far it seems like i am hitting a dead end with trying to create a detector that can do this. Any help on this would be greatly appreciated. Thanks in advance.

hi, @karmine

Can you explain more details? Can you share your detector configuration? Is your windows log streaming data?
Is it possible the windows log missing during detection interval ? For example, your detector’s interval is 10 minutes, is it possible that windows log may be missing in last 10 minutes?

sorry took me a while to get back to this. I can confirm the follow.
This how the Detector was set up, but I believe this is what I am doing wrong
Detector interval - 5 Minutes
Data filter -
- event_id is in range from 4624 to 4625
- source_name is Microsoft-Windows-Security-Auditing

Fetaures -
“aggs”: {
“avg”: {
“field”: “event_id”

This is obviously not producing the result i am expecting.
what i am trying to do is detect anomalous user login Activity & I can confirm that our data stream and integrity is right.

Any help would be much appreciated .

hi, @karmine

Can you check anomaly result in index .opendistro-anomaly-results* ? If there is any error, you can find in the index.

Hi ylwu,

Sorry for not being very specific from get-going. The issue i am having is not related to any errors.
The expected output is am getting is not what i am expecting. I believe the way i am setting it up is not the right way. So i am hoping if some one can help to direct me to a usecase that i am look at to make a usecase for my need.

I wanna build a use case to detect Anomalous user login activity ?

@karmine, will a tutorial blog which shows a similar case solve your problem?

Definitely … That would be awesome.

I am having the same issue. Please link to a tutorial blog …

@karmine , @sera4000 , thanks for your feedback, we are working on a tutorial blog, will share the link once done.

Thank you. Just to update i am eagerly waiting on the blog.

Yes - waiting for this … any ETA?

1 Like

Hey there… I was trying to explore Anomaly Detection feature in OpenSearch Dashboards.
I am stuck at a point, where the detectors with the Category Field enabled, would always be in the initializing state for hours together, though my input data is not so big. Anyone faced this anytime?

hi, all, we have release OpenSearch 1.1 and updated AD documentation Anomaly detection - OpenSearch documentation, can you check this doc first? Welcome any question, we can tune the documentation to make it easier to follow.

Could you share more details?

For example, could you run profile API and paste your results here? Want to check the initialization progress. Also, do you have enough data in the history before starting the detector? We recommend 1440 continuous points. So if your detector interval is 10 minutes, we expect 10 days of dense data.