Cloud-delivered Advanced AnalyticsExabeam Advanced Analytics User Guide

The table histogram view is used to present categorical histograms. Categorical histograms contain lists of non-numerical data, for example, a list of assets or a list of network zones. The example for a table histogram is the Asset-workstations histogram:

This histogram lists all the workstations that User Barbara has logged into.

The top row shows the confidence level Exabeam has for this data (the confidence determines whether Exabeam uses this histogram for anomaly detection; under 80% is not used). The top row also shows a value—one workstation in this case—that Barbara logged into. This number is the total number of unique assets in the histogram. (In other histograms, the total is for the subject of that histogram.) The Entries value in this example means the total number of times that this user has accessed the asset (77 times). Last Update shows when the histogram was last updated.

The filter box in the next row is for narrowing the scope of the histogram’s display. As representations of all of a user’s activities, histograms potentially can have hundreds of entries.

The lower part of the histogram gives details. It identifies each asset by name, the number of times each workstation was accessed, and the percent of the total accesses that each workstation represents.

This time of week example shows the number of different start times (25) and the total number session start times (52) during the week. The confidence is low, indicating there is not enough information.

The cluster histogram represents a group of events by a bar, where group is a range of values for an activity. In the example of the start-time histogram in this image, the groups are ranges of hours in which the user starts a session (in another cluster histogram, a group could be the typical set of assets rather than start times). The confidence is high for this histogram, so Exabeam can use it for anomaly detection.

The height of the bars reflects the numbers for session starts in that cluster’s range.

The Values number of 2 means that this user has two different ranges of time that he or she has started all sessions. Visually, the range of each cluster is represented by the width of the bar. The numerical value for the range is represented in the graph but enumerated below the graph.

One range for start times in this example is 5 am – 8 am, and there is a single instance of starting at 1500 hours (3 pm). For 99% of the sessions, the user has started the sessions in the morning hours. The single instance of a 3 pm start is the very small bar at the far right on the horizontal axis.

The map histogram is a map of the world. In this image, the user has logged onto a VPN from one country, so the Values column shows a 1. The Entries column has 27 to show the number of times this user has logged onto a VPN.

The More Insights button at the bottom of the Session Data Insights panel gives access to the complete Data Insights page of the user. When an analyst clicks More Insights, the default display is the Assets category. This image shows the collapsed categories selection rather the default of Assets:

The plus or minus sign near the right edge of the Insight choice is for opening or closing the display for that category of histograms.

The histograms in Data Insights fall into the following main categories: