
Exabeam Models

[Figure: UIP pipeline models (UIP-pipeline-models.png)]

Advanced Analytics performs anomaly detection using models. Without models, rules can only score on fact-based logic, such as finding a specific value in the logs or counting the occurrences of specific values over an entire session.

Models track historical values (called features) for a given item (called the scope). For example, a model might track the hosts (the feature values) that a user (the scope) has logged into. If the current value is abnormal compared with the historical values held in the model, a rule can associate a score with that anomaly. Anomaly detection works by calculating a number of statistics over the features in a given model and checking whether the feature values seen during event evaluation are unusual relative to them.

Statistical profiling in Advanced Analytics is not only about user-level data. In fact, Exabeam profiles other entities, including hosts and peer groups. RAM and performance permitting, just about anything can be modeled. If a field has been parsed, then the parsed and enriched field can be used as either the scope or the feature in a model.

Factors to consider when determining the scope and features of a model include:

  • How large a model might grow

  • What future values might populate the model and how might they affect anomaly detection
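The scope/feature mechanism and the "what future values might populate the model" consideration above, as an added illustration that is not Exabeam's code: a minimal per-user histogram of logged-into hosts, an evaluation step that refuses to score a scope until it has enough history, and a rule that assigns points only on an anomaly. Class and function names, thresholds, and the login history are all constructed for this example.

```python
from collections import Counter, defaultdict

# Constructed login history: (user = scope, host = feature value).
SAMPLE_HISTORY = [
    ("alice", "db-01"), ("alice", "db-01"), ("alice", "db-02"),
    ("alice", "db-01"), ("alice", "jump-01"), ("alice", "db-02"),
    ("bob", "web-01"), ("bob", "web-01"),
]


class FeatureModel:
    """Per-scope histogram of feature values, e.g. the hosts each user logs into."""

    def __init__(self, min_observations=5, rare_threshold=0.05):
        self.counts = defaultdict(Counter)      # scope -> {feature value: count}
        self.min_observations = min_observations  # history needed before scoring
        self.rare_threshold = rare_threshold      # below this share, a value is "unusual"

    def train(self, scope, feature):
        """Record one observation of a feature value for a scope."""
        self.counts[scope][feature] += 1

    def evaluate(self, scope, feature):
        """Return (anomalous, share). share is None while the scope lacks history,
        so a brand-new user or host never scores on an empty model."""
        hist = self.counts[scope]
        total = sum(hist.values())
        if total < self.min_observations:
            return False, None
        share = hist[feature] / total
        return share < self.rare_threshold, share


def build_sample_model():
    model = FeatureModel()
    for user, host in SAMPLE_HISTORY:
        model.train(user, host)
    return model


def score_event(model, user, host, points=10):
    """Rule: award points only when the model says this host is abnormal for this user."""
    anomalous, _ = model.evaluate(user, host)
    return points if anomalous else 0
```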

For information about the different types of models available, see Types of Models. For information about the attributes contained in models, see the table in Model Attributes.