Versions - v2.18.0
Query:
I’m very new to the Anomaly detector feature in Opensearch but I was wondering if it’s possible to use the Anomaly detector to pick up anomalies in regards to DDoS related traffic/High requests. For example, I had the idea that the anomaly detector could be configured to detect anomalies where for example a particular country or IP address comes up more often than not and this can be detected and have an alert created based on this being detected.
For example, I currently have a detector configured to pick up the country name and IP where the aggregation method is set to count() where I assumed it would count how many of these occurrences come up and if there is an event that triggers more events than usual it would detect this anomaly and let me know what IP and/or country name has caused it to trigger. However, all I can see is a graph telling me how many occurrences there have been but when an anomaly is detected it doesn’t tell me what IP or country name etc. has caused the anomaly and not sure if it is meant to or not if I’m not using it correctly.
So firstly, was wondering if this is even possible with the anomaly detector, if so is my approach to doing this the correct one? Or if not, is there something else in Opensearch that would be better suited for this use case?
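Added example, not code from the original post or from the OpenSearch project: the setting that makes the Anomaly Detection plugin report *which* IP or country caused an anomaly is `category_field` (a "high-cardinality" detector). With it, the detector keeps a separate request-count model per entity (up to two category fields are supported, e.g. client IP plus country) and every anomaly result document carries an `entity` array naming that IP/country, which is what a Monitor can then surface in an alert. Without a category field the detector models only the total count, which matches the single graph described above. The field names (`clientip`, `geoip.country_name`, `@timestamp`), the index pattern, and the shape of the sample result documents below are assumptions for illustration; check them against your own index mapping and the documents in the anomaly-results index before relying on them.

```python
"""Build a per-entity OpenSearch Anomaly Detection definition and turn
anomaly result documents into alert summaries that name the offending
IP/country.  Added example; field names and result shapes are assumed."""
import json


def build_detector(index_pattern, time_field, ip_field, country_field,
                   interval_minutes=5, window_delay_minutes=1):
    """Return the JSON body for POST _plugins/_anomaly_detection/detectors.

    category_field is the important part: one model per (ip, country)
    combination instead of one model for the whole index."""
    return {
        "name": "http-requests-per-entity",
        "description": "Request-count anomalies per client IP and country",
        "time_field": time_field,
        "indices": [index_pattern],
        "feature_attributes": [{
            "feature_name": "request_count",
            "feature_enabled": True,
            # value_count on the timestamp counts documents (requests)
            # in each detection window for each entity.
            "aggregation_query": {
                "request_count": {"value_count": {"field": time_field}}
            },
        }],
        "category_field": [ip_field, country_field],
        "detection_interval": {
            "period": {"interval": interval_minutes, "unit": "Minutes"}},
        "window_delay": {
            "period": {"interval": window_delay_minutes, "unit": "Minutes"}},
    }


def summarize_result(result_doc, min_grade=0.0):
    """Reduce one anomaly result document to what an alert needs.

    Returns None for non-anomalous windows (anomaly_grade <= min_grade).
    Result field names (entity, anomaly_grade, confidence, feature_data,
    data_end_time) are assumed from the plugin's result index."""
    grade = result_doc.get("anomaly_grade", 0.0)
    if grade <= min_grade:
        return None
    entity = {e["name"]: e["value"] for e in result_doc.get("entity", [])}
    features = {f["feature_name"]: f["data"]
                for f in result_doc.get("feature_data", [])}
    return {
        "entity": entity,
        "anomaly_grade": grade,
        "confidence": result_doc.get("confidence"),
        "features": features,
        "window_end": result_doc.get("data_end_time"),
    }


def alerts_from_results(results, min_grade=0.0):
    """Filter a batch of result documents down to the anomalous entities."""
    return [s for s in (summarize_result(r, min_grade) for r in results) if s]


# Constructed sample result documents (not real data): one quiet window
# and one window where a single source spikes far above its own baseline.
SAMPLE_RESULTS = [
    {
        "anomaly_grade": 0.0, "confidence": 0.97,
        "entity": [{"name": "clientip", "value": "198.51.100.4"},
                   {"name": "geoip.country_name", "value": "Exampleland"}],
        "feature_data": [{"feature_name": "request_count", "data": 42}],
        "data_end_time": 1700000300000,
    },
    {
        "anomaly_grade": 0.83, "confidence": 0.91,
        "entity": [{"name": "clientip", "value": "203.0.113.7"},
                   {"name": "geoip.country_name", "value": "Exampleland"}],
        "feature_data": [{"feature_name": "request_count", "data": 18750}],
        "data_end_time": 1700000300000,
    },
]


if __name__ == "__main__":
    body = build_detector("web-logs-*", "@timestamp",
                          "clientip", "geoip.country_name")
    print(json.dumps(body, indent=2))
    for alert in alerts_from_results(SAMPLE_RESULTS):
        print(alert["entity"], "grade", alert["anomaly_grade"],
              "requests", alert["features"]["request_count"])
```

One caveat for the DDoS use case: a per-entity detector scores each IP against that IP's own history, so a source that has always been noisy is not flagged, and a flood spread thinly across many fresh IPs shows up better in a second detector on the total count (or on a count of distinct IPs per window) than in the per-entity one; running both covers both shapes of traffic.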