Exabeam Models
Advanced Analytics performs anomaly detection using models. Without models, rules can only score on fact-based logic, such as finding a specific value in the logs or counting the occurrences of specific values over an entire session.
Models track historical values (features) for a given item (the scope); for example, a model can track the hosts (feature values) that a user (the scope) has logged into. If the current value is abnormal compared with the historical values held in the model, a rule can associate a score with that anomaly. Anomaly detection works by calculating a number of statistics about the features in a given model to determine whether the feature values seen during event evaluation are unusual.
Statistical profiling in Advanced Analytics is not limited to user-level data: Exabeam also profiles other entities, including hosts and peer groups. RAM and performance permitting, almost anything can be modeled. Once a field has been parsed, the parsed and enriched field can be used as either the scope or the feature in a model.
Factors to consider when determining the scope and features of a model include:
- How large a model might grow
- What future values might populate the model and how they might affect anomaly detection
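To make the scope/feature idea concrete, here is an added, constructed example that is not Exabeam's code: a histogram-style model keyed by scope (a user) that tracks how often each feature value (a host) has been seen, refuses to score until it has enough history, and returns anomaly points for a rare value. The class, the parameter names and the sample login events are assumptions chosen for illustration, not Exabeam's model attributes or scoring algorithm.

```python
from collections import Counter, defaultdict

# Constructed illustration of a scope/feature model: one histogram per scope
# (e.g. user) counting each feature value (e.g. host) seen for that scope.
# Not Exabeam's implementation; parameter names are assumptions for this example.
class FeatureModel:
    def __init__(self, min_observations=5, threshold=0.05, weight=10):
        self.histograms = defaultdict(Counter)    # scope -> {feature value: count}
        self.min_observations = min_observations  # history needed before scoring at all
        self.threshold = threshold                # probability below which a value is "unusual"
        self.weight = weight                      # maximum points a rule adds for this anomaly

    def train(self, scope, value):
        """Record one observed feature value for the scope (grows the historical profile)."""
        self.histograms[scope][value] += 1

    def size(self, scope):
        """Number of distinct feature values held for a scope: how large the model has grown."""
        return len(self.histograms[scope])

    def probability(self, scope, value):
        """Fraction of the scope's history matching this value, or None when the model
        has too few observations to make a statistically meaningful decision."""
        total = sum(self.histograms[scope].values())
        if total < self.min_observations:
            return None
        return self.histograms[scope][value] / total   # Counter returns 0 for unseen values

    def score(self, scope, value):
        """Anomaly points for the current value: 0 when the model is immature or the
        value is common, otherwise the weight scaled by how rare the value is."""
        p = self.probability(scope, value)
        if p is None or p >= self.threshold:
            return 0.0
        return round(self.weight * (1 - p / self.threshold), 2)

# Constructed sample events: (user, host) pairs as they might come from a parsed login log.
SAMPLE_LOGINS = [("alice", "ws-01")] * 8 + [("alice", "ws-02")] * 2 + [("bob", "ws-09")] * 2

def build_model(events=SAMPLE_LOGINS):
    """Train a model over the sample events; scope is the user, feature is the host."""
    model = FeatureModel()
    for user, host in events:
        model.train(user, host)
    return model

if __name__ == "__main__":
    m = build_model()
    # alice on a known host scores 0; alice on a never-seen host scores the full weight;
    # bob has only 2 observations, so the model declines to score him at all.
    print(m.score("alice", "ws-01"), m.score("alice", "db-77"), m.score("bob", "db-77"))
```

Note that `bob` receives no score for a new host even though it is equally "unseen": the minimum-observation check is what keeps a young model from flagging every early value, which is the same growth and future-value concern the list above raises.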
For information about the different types of models available, see Types of Models. For information about the attributes contained in models, see the table in Model Attributes.