Exabeam Advanced Analytics User Guide

Entity Analytics

Entity Analytics extends analytics to entities other than users, such as hosts and IP addresses, within an environment. In this guide the terms asset and entity are used interchangeably.

Entity Analytics assigns risk scores to anomalous activity on assets in an organization's environment using machine learning and expert rules. Within a single Asset Session, Entity Analytics may report risks such as a machine accessing many new hosts, a malware alert received from a third-party security product, and an entity connecting to a host in a new country. Notable Assets (assets with an Asset Session score of at least 90) appear on the homepage next to Notable Users.

Entity Analytics creates an Asset Session when logs indicate activity on an asset. These can be logs that contain events related to both users and assets, such as Windows authentication, VPN, or security alerts. Asset sessions can also be built from logs that record device-to-device communication with no user name attached, such as firewall, DNS, NetFlow, or IoT logs. An Asset Session is similar to a User Session in that it is a logical container of event logs. However, unlike a User Session (which begins when a user logs on and ends when that user logs off), an Asset Session represents a 24-hour window of all activity on an asset. When a log carries both an asset field and a user field, Advanced Analytics creates both a user session event and an asset session event from it.

Consider, for example, a machine that is the source of an attack and uses multiple identities (user names) within a short time to brute-force credentials or move laterally within the environment. Advanced Analytics on its own does not elevate this type of risk: the activity is spread across many user sessions, and no single user accumulates enough risk to be identified as anomalous. With Entity Analytics enabled, the entity itself carries a risk score. The Asset Session Timeline page displays all events in the session in chronological order, so the analyst can see everything that happened before and after a security alert, an anomalous event, or a lockout. Seeing the whole timeline helps the analyst determine, for example, whether an attacker started the sequence from outside the network or a legitimate user started it on-site.
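The aggregation difference described above, as an added example that is not Exabeam's code, rules, or models: a small script that builds logon-to-logoff user sessions and fixed 24-hour asset sessions keyed by source host from the same constructed authentication events, then scores both with toy point rules. The event format, the point values, the rule thresholds, and the choice to key asset sessions by the source host are all assumptions made for the illustration; only the notable threshold of 90 comes from the guide.

```python
"""User-session vs asset-session risk aggregation (illustrative, not Exabeam's code).

Constructed scenario: workstation ws-17 cycles through six accounts in ten
minutes, two failed logons then one success against a different server each
time. Each per-user session sees only a couple of failures; the asset session
keyed by the source host sees all of them together.
"""
from collections import defaultdict
from datetime import datetime, timedelta

NOTABLE_THRESHOLD = 90              # the guide's threshold for a Notable Asset / User
ASSET_WINDOW = timedelta(hours=24)  # asset sessions are fixed 24-hour windows


def _at(hour, minute=0, second=0):
    return datetime(2024, 5, 1, hour, minute, second)


# Constructed Windows-style authentication events (sample data, not real logs).
EVENTS = []
for i, user in enumerate(["svc_backup", "jdoe", "mlee", "admin2", "pwang", "tsmith"]):
    base = _at(9, 2 * i)
    target = f"srv-{i:02d}"
    for k in range(2):
        EVENTS.append({"time": base + timedelta(seconds=10 * k), "user": user,
                       "src": "ws-17", "dst": target, "event": "logon_failure"})
    EVENTS.append({"time": base + timedelta(seconds=30), "user": user,
                   "src": "ws-17", "dst": target, "event": "logon_success"})
    EVENTS.append({"time": base + timedelta(seconds=60), "user": user,
                   "src": "ws-17", "dst": target, "event": "logoff"})
# A legitimate user on another workstation, for contrast.
EVENTS += [
    {"time": _at(8, 30), "user": "alice", "src": "ws-02", "dst": "srv-00", "event": "logon_success"},
    {"time": _at(17, 0), "user": "alice", "src": "ws-02", "dst": "srv-00", "event": "logoff"},
]
EVENTS.sort(key=lambda e: e["time"])


def build_user_sessions(events):
    """User sessions: open at a user's first event, close on that user's logoff.
    Returns {(user, n): [events]}."""
    sessions, open_sessions, count = {}, {}, defaultdict(int)
    for e in events:
        open_sessions.setdefault(e["user"], []).append(e)
        if e["event"] == "logoff":
            sessions[(e["user"], count[e["user"]])] = open_sessions.pop(e["user"])
            count[e["user"]] += 1
    for user, evs in open_sessions.items():       # still open at end of data
        sessions[(user, count[user])] = evs
    return sessions


def build_asset_sessions(events, window=ASSET_WINDOW):
    """Asset sessions: every event from one source host inside one fixed window.
    Keyed by host only, so no user name is required. Returns {(host, bucket): [events]}."""
    sessions = defaultdict(list)
    for e in events:
        bucket = (e["time"] - datetime.min) // window   # integer window index
        sessions[(e["src"], bucket)].append(e)
    return dict(sessions)


def score_session(events):
    """Toy point rules, each firing at most once per session (assumed values,
    not Exabeam's models). Returns (score, {reason: points})."""
    failures = sum(1 for e in events if e["event"] == "logon_failure")
    accounts = {e["user"] for e in events}
    hosts = {e["dst"] for e in events}
    reasons = {}
    if failures >= 2:
        reasons["repeated failed logons"] = 10
    if failures >= 10:
        reasons["brute-force volume of failed logons"] = 30
    if len(accounts) >= 4:
        reasons["many accounts used from one source"] = 40
    if len(hosts) >= 5:
        reasons["many distinct hosts accessed"] = 25
    return sum(reasons.values()), reasons


def notable_sessions(sessions):
    """Sessions at or above the notable threshold: {key: (score, reasons)}."""
    scored = {k: score_session(v) for k, v in sessions.items()}
    return {k: v for k, v in scored.items() if v[0] >= NOTABLE_THRESHOLD}


if __name__ == "__main__":
    users = build_user_sessions(EVENTS)
    assets = build_asset_sessions(EVENTS)
    print("highest user-session score:", max(score_session(v)[0] for v in users.values()))
    for (host, _), (score, reasons) in notable_sessions(assets).items():
        print(f"notable asset {host}: {score} {reasons}")
```

Run as-is, no user session scores above 10 while the ws-17 asset session crosses the notable threshold, because the account-count and host-count rules can only fire when events are grouped by the acting host rather than by the identity used. Keying asset sessions by the source host alone is a simplification for this example; the destination hosts in the same logs would also merit their own asset sessions.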

Entity Analytics is available as a licensable option and can be added to an existing Advanced Analytics deployment. Please talk to your Technical Account Manager for more information.