Using Anomaly Detection Plugin to Identify External IP Log Entries

Aarav · July 23, 2024, 2:42pm

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser): OpenSearch 2.8 with Dashboard.

Describe the issue:
Sure, here’s a suggested way to phrase your question to the OpenSearch community:

Title: Using Anomaly Detection Plugin to Identify External IP Log Entries

Hi everyone,

I’m currently working with OpenSearch and would like to leverage the anomaly detection plugin to monitor and identify log entries from IP addresses that fall outside a specified subnet. Specifically, I want to detect anomalies when logs are received from IP addresses that are not part of a given internal subnet (e.g., 192.168.0.0/24).

Could anyone provide guidance or examples on how to set up and configure the anomaly detection plugin to achieve this? Any advice on best practices, potential pitfalls, or alternative approaches would also be greatly appreciated.

Thank you!

gaobinlong · July 24, 2024, 9:10am

Anomaly detector can only analyze keyword type or numeric type field, may not analyze ip type field, so for ip type field, you can try using alerting plugin directly, create an buckets monitor, if there’re some unexpected ip addresses, trigger an alert:

PUT testindex 
{
  "mappings" : {
    "properties" :  {
      "ip_address" : {
        "type" : "ip"
      }
    }
  }
}

PUT testindex/_doc/1 
{
  "ip_address" : "10.24.34.0"
}

PUT testindex/_doc/2
{
  "ip_address" : "192.168.0.1"
}


GET testindex/_search
{
  "size": 0,
  "aggs": {
    "access": {
      "ip_range": {
        "field": "ip_address",
        "ranges": [
          { "to": "192.168.0.0" },
          { "from": "192.168.255.0" }
        ]
      }
    }
  }
}

, the response of the ip_range aggregation shows that there’s an unexpected ip which is not in the subnet 192.168.0.0/24:

{
  "took": 1,
  "timed_out": false,
  "_shards": {
    "total": 1,
    "successful": 1,
    "skipped": 0,
    "failed": 0
  },
  "hits": {
    "total": {
      "value": 2,
      "relation": "eq"
    },
    "max_score": null,
    "hits": []
  },
  "aggregations": {
    "access": {
      "buckets": [
        {
          "key": "*-192.168.0.0",
          "to": "192.168.0.0",
          "doc_count": 1
        },
        {
          "key": "192.168.255.0-*",
          "from": "192.168.255.0",
          "doc_count": 0
        }
      ]
    }
  }
}

Aarav · July 24, 2024, 10:18am

gaobinlong:

"aggs": {
    "access": {
      "ip_range": {
        "field": "ip_address",
        "ranges": [
          { "to": "192.168.0.0" },
          { "from": "192.168.255.0" }
        ]
      }
    }
  }

Hey,

I am new to opensearch, can please completely guide me through the process. I saw Per bucket monitor and got confused in how to write triggers and actions for the task i mentioned.

Regards,
Aarav

gaobinlong · July 25, 2024, 7:44am

You can check the documentation of alerting for more details: Alerting - OpenSearch Documentation.

Aarav · July 25, 2024, 11:41am

Thank you for the guidance. This is all static, what should i do in case I wanted to do this dyanamically.

gaobinlong · July 26, 2024, 4:01am

You can all the alerting API: API - OpenSearch Documentation.

system · September 24, 2024, 4:02am

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Security Analytics Receive Alerts from Alerting Plugin Security Analytics	3	286	July 3, 2023
Using Anomaly Detection to detect sudden increases or decreases in the amount of logs received for an index Machine Learning troubleshoot	2	523	February 16, 2022
Support URLs instead of IPs on external_opensearch option for audit logs Security	3	282	September 15, 2023
Anomaly detection Url based detection OpenSearch	7	334	February 1, 2023
Feedback: Experimental Feature - Security Analytics General Feedback	10	799	January 3, 2023

Using Anomaly Detection Plugin to Identify External IP Log Entries

Related topics