The second job will help the analysts detect suspicious client behaviors with respect to the volume of requests per response code. Here are the steps to configure this job:
- Access the Machine Learning section in Kibana and create a new Advanced job on the NASA access logs index:
- Name the job in the Job Details panel:
- Finally, add the following detector in the Analysis Configuration panel, add response.keyword and clientip.keyword as influencers, and save the job:
- After running the job and accessing the Anomaly Explorer view, you should get results that are similar to the following ones:
- If you click on one of the red square anomalies, you will get the following details:
The preceding host has unusually high volumes of 200 and 404 response codes compared to the rest of the hosts.
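As an added example that is not part of the original page, the same job expressed as the request body for `PUT _ml/anomaly_detectors/nasa-response-volume` on the Elasticsearch ML API, which is what the Kibana Advanced job wizard produces behind the scenes. The detector is an assumption, since the page shows it only in a screenshot: a population detector, `high_count` by `response.keyword` over `clientip.keyword`, flags a client whose request volume for a given response code is high relative to the other clients, which matches the interpretation given above; the `@timestamp` time field, the 15-minute bucket span and the job name are also assumed.

```json
{
  "description": "Per-client request volume by HTTP response code (NASA access logs)",
  "analysis_config": {
    "bucket_span": "15m",
    "detectors": [
      {
        "detector_description": "ASSUMED detector: high_count by response.keyword over clientip.keyword",
        "function": "high_count",
        "by_field_name": "response.keyword",
        "over_field_name": "clientip.keyword"
      }
    ],
    "influencers": [
      "response.keyword",
      "clientip.keyword"
    ]
  },
  "analysis_limits": {
    "model_memory_limit": "64mb"
  },
  "data_description": {
    "time_field": "@timestamp",
    "time_format": "epoch_ms"
  }
}
```

Attach a datafeed with `PUT _ml/datafeeds/datafeed-nasa-response-volume` whose `job_id` names this job and whose `indices` lists the access-logs index, then open the job and start the datafeed; the results appear in the Anomaly Explorer as in the steps above.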