New Value Detector

The Charset Detector raises alerts when previously unseen characters appear in configured fields. It is useful to detect novelty, configuration drift, or the appearance of new actors in the environment.

	Schema	Description
Input	ParserSchema	Structured log
Output	DetectorSchema	Alert / finding

Description

This detector maintains a lightweight set of observed characters per monitored field and emits an alert when a character not present in the set is seen for the first time (subject to configuration).

Configuration example

detectors:
    CharsetDetector:
        method_type: charset_detector
        auto_config: False
        params: {}
        events:
            1:
                test:
                    params: {}
                    variables:
                        - pos: 0
                          name: var1
                          params:
                              threshold: 0.
                    header_variables:
                        - pos: level
                          params: {}

Example usage

from detectmatelibrary.detectors.charset_detector import CharsetDetector
import detectmatelibrary.schemas as schemas

detector = CharsetDetector(name="CharsetTest", config=cfg)

parsed_data = schemas.ParserSchema({
    "parserType": "test",
    "EventID": 1,
    "template": "test template",
    "variables": ["var1"],
    "logID": "1",
    "parsedLogID": "1",
    "parserID": "test_parser",
    "log": "test log message",
    "logFormatVariables": {"timestamp": "123456"}
})


alert = detector.process(parsed_data)

Go back Index