Malcolm uses the Anomaly Detection plugins for OpenSearch and OpenSearch Dashboards to identify anomalous log data in near real-time using the Random Cut Forest (RCF) algorithm. This can be paired with Alerting to automatically notify when anomalies are found. See Anomaly detection in the OpenSearch documentation for usage instructions on how to create detectors for any of the many fields Malcolm supports.
A fresh installation of Malcolm configures several detectors for anomalous network traffic:
- action (event.action), result (event.result) and user (related.user) within application protocols (
These detectors are disabled by default, but may be enabled for anomaly detection over streaming or historical data.
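As an added example (not one of Malcolm's own detector definitions), the following Python builds a detector of this kind through the OpenSearch Anomaly Detection plugin's REST API and then starts it, since a freshly created detector does not run until started. The index pattern arkime_sessions3-*, the firstPacket time field, the chosen aggregations and the detection interval are assumptions made for this example.

```python
import base64
import json
import urllib.request

# Assumed for this example: Malcolm session logs live in "arkime_sessions3-*"
# and carry their packet timestamp in "firstPacket".
MALCOLM_INDICES = ["arkime_sessions3-*"]
TIME_FIELD = "firstPacket"
AD_API = "/_plugins/_anomaly_detection/detectors"


def _feature(name, agg, field):
    # One single-value metric aggregation; RCF scores one number per interval.
    return {"feature_name": name, "feature_enabled": True,
            "aggregation_query": {name: {agg: {"field": field}}}}


def build_detector(interval_minutes=10):
    """Detector body: per-protocol counts of actions/results and distinct users."""
    return {
        "name": "example_action_result_user",
        "description": "Anomalies in event.action, event.result and related.user",
        "time_field": TIME_FIELD,
        "indices": MALCOLM_INDICES,
        "category_field": ["network.protocol"],  # one RCF model per protocol
        "feature_attributes": [
            _feature("action_count", "value_count", "event.action"),
            _feature("result_count", "value_count", "event.result"),
            _feature("distinct_users", "cardinality", "related.user"),
        ],
        # Score only sessions that carry an application-level action
        "filter_query": {"bool": {"filter": [{"exists": {"field": "event.action"}}]}},
        "detection_interval": {"period": {"interval": interval_minutes, "unit": "Minutes"}},
        # Let late-arriving logs land before each window is scored
        "window_delay": {"period": {"interval": 1, "unit": "Minutes"}},
    }


def _call(base_url, method, path, body=None, auth=None):
    """Send one JSON request to OpenSearch (optional HTTP basic auth)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(base_url.rstrip("/") + path, data=data, method=method,
                                 headers={"Content-Type": "application/json"})
    if auth:
        token = base64.b64encode(f"{auth[0]}:{auth[1]}".encode()).decode()
        req.add_header("Authorization", f"Basic {token}")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def create_and_start(base_url, auth=None):
    """Create the detector, then start it so it scores streaming data."""
    detector_id = _call(base_url, "POST", AD_API, build_detector(), auth)["_id"]
    _call(base_url, "POST", f"{AD_API}/{detector_id}/_start", None, auth)
    return detector_id
```

Once the detector is running, its results can be wired to an Alerting monitor so anomalies raise notifications rather than waiting to be noticed in a dashboard.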