scoreByLeastFrequency
Score events by frequency.
Score a given table based on how frequently a unique group of the specified columns occurs. Higher scores are given to less frequent occurrences. The output table adds an additional lhub_score column that contains the score.
Operator Usage in Easy Mode
- Click + on the parent node.
- Enter the Score by Least Frequency operator in the search field and select the operator from the Results to open the operator form.
- In the Input Table drop-down, enter or select the name of the table containing the data to run this operator on.
- Optional. In the Columns drop-down, enter or select the columns to group events by.
- Click Run to view the result.
- Click Save to add the operator to the playbook.
- Click Cancel to discard the operator form.
Usage Details
scoreByLeastFrequency(inputTable, columns)
Input
inputTable: Table containing the data to run this operator on.
columns: Comma-separated list of columns to group events by.
Output
The input table with an additional lhub_score column that contains the score [0.0 - 10.0]. Less frequently occurring groups get higher scores.
Example
Input
table
| id | destIP | destPort |
|---|---|---|
| 1 | 192.68.0.1 | 3250 |
| 2 | 192.68.0.1 | 3250 |
| 3 | 192.68.0.1 | 3250 |
| 4 | 53.32.124.8 | 7458 |
| 5 | 192.68.0.1 | 3250 |
| 6 | 192.68.0.1 | 3250 |
scoreByLeastFrequency(table, "destIP", "destPort")
Output
| id | destIP | destPort | lhub_score |
|---|---|---|---|
| 1 | 192.68.0.1 | 3250 | 0.0 |
| 2 | 192.68.0.1 | 3250 | 0.0 |
| 3 | 192.68.0.1 | 3250 | 0.0 |
| 4 | 53.32.124.8 | 7458 | 10.0 |
| 5 | 192.68.0.1 | 3250 | 0.0 |
| 6 | 192.68.0.1 | 3250 | 0.0 |
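To make the scoring behaviour concrete, here is an added reference implementation in Python. It is not LogicHub's own code: the page only fixes the endpoints (the most common group scores 0.0, the rarest 10.0), so the linear scale between those endpoints, the choice to score every row 0.0 when all groups are equally common, and grouping by all columns when none are given are assumptions of this example. The sample rows are constructed to mirror the page's example table, and the `triage_candidates` helper is a hypothetical consumer that picks the rare rows an analyst would look at first.

```python
from collections import Counter
from typing import Any, Dict, List, Sequence


def score_by_least_frequency(rows: List[Dict[str, Any]],
                             columns: Sequence[str] = ()) -> List[Dict[str, Any]]:
    """Return a copy of rows with an added 'lhub_score' column in [0.0, 10.0].

    Rows are grouped by the tuple of values in `columns`. The most common
    group scores 0.0 and the rarest 10.0; groups in between are placed on a
    linear scale (ASSUMPTION: the page fixes only the endpoints, not the curve).
    """
    if not rows:
        return []
    # ASSUMPTION: with no columns given, every column participates in the group key.
    group_cols = list(columns) if columns else list(rows[0].keys())

    keys = [tuple(r.get(c) for c in group_cols) for r in rows]
    counts = Counter(keys)
    lo, hi = min(counts.values()), max(counts.values())
    span = hi - lo

    scored = []
    for row, key in zip(rows, keys):
        if span == 0:
            # Every group is equally common: nothing stands out, so nothing is
            # flagged (ASSUMPTION; also avoids a division by zero).
            score = 0.0
        else:
            score = round(10.0 * (hi - counts[key]) / span, 1)
        out = dict(row)
        out["lhub_score"] = score
        scored.append(out)
    return scored


def triage_candidates(scored: List[Dict[str, Any]], threshold: float = 7.0) -> List[Any]:
    """Hypothetical downstream step: ids of rows rare enough to review first."""
    return [r["id"] for r in scored if r["lhub_score"] >= threshold]


# Constructed sample data, mirroring the page's example input table.
SAMPLE_ROWS = [
    {"id": 1, "destIP": "192.68.0.1", "destPort": 3250},
    {"id": 2, "destIP": "192.68.0.1", "destPort": 3250},
    {"id": 3, "destIP": "192.68.0.1", "destPort": 3250},
    {"id": 4, "destIP": "53.32.124.8", "destPort": 7458},
    {"id": 5, "destIP": "192.68.0.1", "destPort": 3250},
    {"id": 6, "destIP": "192.68.0.1", "destPort": 3250},
]


if __name__ == "__main__":
    result = score_by_least_frequency(SAMPLE_ROWS, ["destIP", "destPort"])
    for r in result:
        print(r)
    print("review first:", triage_candidates(result))
```

Running the block reproduces the page's output (rows 1, 2, 3, 5 and 6 score 0.0; row 4 scores 10.0) and lists row 4 as the one to review first. Note that a score of 10.0 means "rarest in this table", not "malicious": on a small or unrepresentative input every one-off connection will score 10.0, so the threshold should be tuned against the table sizes the playbook actually sees.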