{"id":13783280,"url":"https://github.com/NVISOsecurity/ee-outliers","last_synced_at":"2025-05-11T18:31:32.595Z","repository":{"id":37864065,"uuid":"161357266","full_name":"NVISOsecurity/ee-outliers","owner":"NVISOsecurity","description":"Open-source framework to detect outliers in Elasticsearch events","archived":true,"fork":false,"pushed_at":"2023-05-22T21:36:43.000Z","size":4107,"stargazers_count":204,"open_issues_count":33,"forks_count":35,"subscribers_count":21,"default_branch":"master","last_synced_at":"2024-05-18T22:22:00.711Z","etag":null,"topics":["anomaly-detection","cirt","ee-outliers","machine-learning","ml","netsec","outlier-detection","outliers","security-monitoring","security-operations","siem","statistical-analysis","statistics","threat-hunting"],"latest_commit_sha":null,"homepage":"https://blog.nviso.eu","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/NVISOsecurity.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2018-12-11T15:49:39.000Z","updated_at":"2024-04-15T22:37:43.000Z","dependencies_parsed_at":"2024-01-15T09:05:43.224Z","dependency_job_id":"408623a5-6f51-4c05-b445-ead126388d8f","html_url":"https://github.com/NVISOsecurity/ee-outliers","commit_stats":null,"previous_names":[],"tags_count":16,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/NVISOsecurity%2Fee-outliers","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/NVISOsecurity%2Fee-outliers/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/NVISOs
ecurity%2Fee-outliers/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/NVISOsecurity%2Fee-outliers/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/NVISOsecurity","download_url":"https://codeload.github.com/NVISOsecurity/ee-outliers/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":253613290,"owners_count":21936249,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["anomaly-detection","cirt","ee-outliers","machine-learning","ml","netsec","outlier-detection","outliers","security-monitoring","security-operations","siem","statistical-analysis","statistics","threat-hunting"],"created_at":"2024-08-03T19:00:17.901Z","updated_at":"2025-05-11T18:31:31.921Z","avatar_url":"https://github.com/NVISOsecurity.png","language":"Python","funding_links":[],"categories":["Elasticsearch plugins"],"sub_categories":["Cluster"],"readme":"\n# ee-outliers \nFramework to easily detect outliers in Elasticsearch events.\n\n*Developed in Python and fully dockerized!*\n\n![version badge](https://img.shields.io/badge/version-0.2.19-blue \"version 0.2.19\")\n![tests badge](https://img.shields.io/badge/unit_tests-254-orange \"254 unit tests\")\n\n## Documentation\n\n### Introduction\n- [What is ee-outliers?](#what-is-ee-outliers)\n- [Why ee-outliers?](#why-ee-outliers)\n- [How it works](#how-it-works)\n\n### Using ee-outliers\n- [Getting started](documentation/GETTING_STARTED.md)\n- [Configuration parameters](documentation/CONFIG_PARAMETERS.md)\n- [Example use 
cases](use_cases/examples)\n- [Building detection use cases](documentation/CONFIG_OUTLIERS.md)\n- [Whitelisting outliers](documentation/WHITELIST.md)\n- [Notifications](documentation/NOTIFICATIONS.md)\n- [Information for developers](documentation/DEVELOPMENT.md)\n\n### Misc.\n- [Contact](#contact)\n- [Acknowledgements](#acknowledgements)\n- [License](#license)\n- [Screenshots](documentation/SCREENSHOTS.md)\n\n\n## What is ee-outliers?\nee-outliers is a framework to detect statistical outliers in events stored \nin an Elasticsearch cluster. It uses easy-to-write, user-defined configuration files \nto decide which events should be analysed for outliers, and how.\n\nThe framework was developed to detect anomalies in \nsecurity events, but it can just as well be used to detect \noutliers in other data.\n\nThe only thing you need is Docker and an Elasticsearch cluster and you are\nready to start your hunt for outlier events!\n\n## Why ee-outliers?\nAlthough we love Elasticsearch, its search language still lacks support \nfor the complex queries needed for advanced analysis and outlier detection,\nfeatures we came to love in other tools such as Splunk.\n \nThis framework addresses these limitations by letting the user write \nsimple use cases that spot outliers in your data using statistical \nmodels. Machine learning models are under development.\n\n## How it works\n\nThe framework uses statistical models that the user defines \nin a configuration file. When a model detects an outlier, the relevant \nElasticsearch events are enriched with additional outlier fields. These fields \ncan then be dashboarded and visualized with the tools of your choice \n(Kibana or Grafana, for example).\n\nThe types of anomalies you can spot using ee-outliers \nare virtually limitless. 
A few examples of outliers we have detected\nourselves using ee-outliers during threat hunting include:\n\n-\tDetect beaconing (DNS, TLS, HTTP, etc.)\n-\tDetect geographically improbable activity\n-\tDetect obfuscated \u0026 suspicious command execution\n-\tDetect fileless malware execution\n-\tDetect malicious authentication events\n-\tDetect processes with suspicious outbound connectivity\n-\tDetect malicious persistence mechanisms (scheduled tasks, auto-runs, etc.)\n-\t…\n\nVisit the page [Getting started](documentation/GETTING_STARTED.md) to get \nstarted with outlier detection in Elasticsearch yourself!\n\n## Contact\n\nee-outliers is developed \u0026 maintained by NVISO Labs.\n\nYou can reach out to the developers of ee-outliers by opening an issue on GitHub.  \nFor any other communication, you can reach out by sending us an e-mail \nat [research@nviso.be](mailto:research@nviso.be).\n\nWe write about our research on our blog: https://blog.nviso.eu  \nYou can follow us on Twitter: https://twitter.com/NVISO_Labs\n\nThank you for using ee-outliers and we look forward to your feedback! 🐀\n\n## License\n\nee-outliers is released under the GNU GENERAL PUBLIC LICENSE v3 (GPL-3).\n[LICENSE](LICENSE)\n\n## Acknowledgements\nWe are grateful for the support received from \n[INNOVIRIS](https://innoviris.brussels/) and the Brussels region in \nfunding our Research \u0026 Development activities. 
\n\n\u003cp align=\"right\"\u003e\u003ca href=\"documentation/GETTING_STARTED.md\"\u003eGetting started \u0026#8594;\u003c/a\u003e\u003c/p\u003e\n\n\u003cp align=\"left\"\u003e \n\u003cimg alt=\"NVISO Labs logo\" src=\"documentation/images/NVISO%20Labs%20standard%20logo.png?raw=true\" width=\"200\"/\u003e\u003cbr/\u003e\n\u003c/p\u003e\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FNVISOsecurity%2Fee-outliers","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FNVISOsecurity%2Fee-outliers","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FNVISOsecurity%2Fee-outliers/lists"}
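The README above describes the pipeline in two sentences: a user-defined statistical model runs over groups of Elasticsearch events, and events the model flags are enriched with outlier fields for dashboarding, with a whitelist to suppress known-good hits. The following is an added example, written for this page and not code from the ee-outliers project, that shows one such model end to end: a per-process baseline of command-line length (median plus a multiple of the median absolute deviation), an entropy metric for the obfuscation use case in the list, a regex whitelist, and the enrichment step. The sample events, the flattened `process.name` / `process.command_line` field names, the `outliers` field layout, and the `sensitivity`, `min_events` and `min_spread` parameters are all assumptions of this example, not ee-outliers' configuration keys or field names.

```python
# Added illustration, not ee-outliers' own code: a "metric" outlier model
# over Elasticsearch-style events, a whitelist, and event enrichment.
import copy
import json
import math
import re
import statistics
from collections import defaultdict

# Constructed sample events, flattened like Elasticsearch _source documents.
# Made-up process-creation telemetry; the "encoded" payload is a filler pattern.
EVENTS = [
    {"_id": "ps-1", "process.name": "powershell.exe",
     "process.command_line": "powershell.exe -File C:\\scripts\\backup.ps1"},
    {"_id": "ps-2", "process.name": "powershell.exe",
     "process.command_line": "powershell.exe -File C:\\scripts\\cleanup.ps1"},
    {"_id": "ps-3", "process.name": "powershell.exe",
     "process.command_line": "powershell.exe -Command Get-Process"},
    {"_id": "ps-4", "process.name": "powershell.exe",
     "process.command_line": "powershell.exe -File C:\\scripts\\inventory.ps1"},
    {"_id": "ps-5", "process.name": "powershell.exe",
     "process.command_line": "powershell.exe -NoProfile -Command Get-Service"},
    # Long but legitimate (a vendor agent's update script): to be whitelisted.
    {"_id": "ps-6", "process.name": "powershell.exe",
     "process.command_line": "powershell.exe -ExecutionPolicy Bypass -File "
                             "\"C:\\Program Files\\VendorAgent\\update.ps1\" "
                             "-LogPath C:\\ProgramData\\VendorAgent\\update.log"},
    # Encoded command line: far longer than anything in the baseline.
    {"_id": "ps-7", "process.name": "powershell.exe",
     "process.command_line": "powershell.exe -NoP -W Hidden -Enc " + "SQBFAFgA" * 30},
    # Too few cmd.exe events to form a baseline; the model must skip this group
    # rather than flag cmd-2 on a statistic computed from two samples.
    {"_id": "cmd-1", "process.name": "cmd.exe", "process.command_line": "cmd.exe /c dir"},
    {"_id": "cmd-2", "process.name": "cmd.exe",
     "process.command_line": "cmd.exe /c whoami" + " " * 200},
]


def shannon_entropy(text: str) -> float:
    """Bits per character: base64/obfuscated blobs score higher than plain commands."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


METRICS = {"length": len, "entropy": shannon_entropy}


def detect_metric_outliers(events, aggregator, target, metric="length",
                           sensitivity=5.0, min_events=5, min_spread=1.0):
    """Group events by `aggregator`; within each group, flag events whose metric of
    `target` exceeds median + sensitivity * MAD. MAD is used instead of the standard
    deviation so a single extreme value does not inflate its own threshold.
    Returns (event, value, score, threshold) tuples; score = deviation in MAD units."""
    groups = defaultdict(list)
    for ev in events:
        if aggregator in ev and target in ev:
            groups[ev[aggregator]].append(ev)
    fn = METRICS[metric]
    hits = []
    for evs in groups.values():
        if len(evs) < min_events:          # no meaningful baseline from a few samples
            continue
        values = [fn(ev[target]) for ev in evs]
        median = statistics.median(values)
        mad = statistics.median([abs(v - median) for v in values])
        spread = max(mad, min_spread)      # MAD is 0 when most values are identical
        threshold = median + sensitivity * spread
        for ev, v in zip(evs, values):
            if v > threshold:
                hits.append((ev, v, (v - median) / spread, threshold))
    return hits


# Whitelist entries are regexes over the target field (example convention).
WHITELIST = [re.compile(r"VendorAgent\\update\.ps1")]


def is_whitelisted(event, target):
    return any(p.search(event[target]) for p in WHITELIST)


def enrich(event, model, outlier_type, reason, summary, score):
    """Write outlier fields onto the event, as the README describes; field names
    are this example's choice, not ee-outliers' schema."""
    out = event.setdefault("outliers", {})
    for key, val in (("model", model), ("type", outlier_type), ("reason", reason),
                     ("summary", summary), ("score", round(score, 2))):
        out.setdefault(key, []).append(val)
    return event


def run_use_case(events):
    """One use case: command lines unusually long for their process. Works on a
    copy so callers' events are not mutated. Returns (flagged ids, suppressed ids, events)."""
    events = copy.deepcopy(events)
    flagged, suppressed = [], []
    for ev, value, score, threshold in detect_metric_outliers(
            events, "process.name", "process.command_line", "length"):
        if is_whitelisted(ev, "process.command_line"):
            suppressed.append(ev["_id"])
            continue
        enrich(ev, "metrics_long_commandline", "suspicious command execution",
               f"command line length {value:.0f} exceeds baseline threshold {threshold:.0f}",
               f"{ev['process.name']} command line unusually long", score)
        flagged.append(ev["_id"])
    return flagged, suppressed, events


if __name__ == "__main__":
    ids, skipped, enriched = run_use_case(EVENTS)
    print("flagged:", ids, "whitelisted:", skipped)
    print(json.dumps([e for e in enriched if "outliers" in e], indent=2))
```

Two caveats the example encodes deliberately: a group with fewer than `min_events` samples is skipped, because a median and MAD computed from two events say nothing, and a zero MAD (a process whose command line is always identical) is floored to `min_spread` so that one deviating event is still flagged without every trivial variation becoming an outlier. Swap `"length"` for `"entropy"` in `run_use_case` to baseline character entropy instead, which is the more usual signal for obfuscated commands.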