id: outlier_hostname
version: 1
meta:
  name: Outlier hostname
  description: >
    A hostname that appeared in 10% or less of the
    total hostnames found. Outliers can often reveal
    entities that are rare and therefore interesting.
  risk: INFO
collections:
  - collect:
      - method: exact
        field: type
        value: INTERNET_NAME
aggregation:
  field: data
analysis:
  - method: outlier
    maximum_percent: 10
headline: "Outlier hostname found: {data}"