
Exabeam Security Content in the Common Information Model

Categorical Models

Categorical models are used to train on data represented by string values, such as host or user names. These models can be based either on user behavior or on asset activity. In the sections below, each example models specific endpoint process activity, but one is a user-based model while the other is an asset-based model.

User-based Model

This example models the process-create and process-alert endpoint activity of a specific user. The user-based nature of the model is clear from the ScopeType value USER and the Scope value user. For more information about the model attributes, see the table below the example.

EPA-HP {
  ModelTemplate = "Processes for the user"
  Description = "Models processes for this user"
  Category = "End Point Activity"
  IconName = ""
  ScopeType = "USER"
  Scope = """user"""
  Feature = """process_name"""
  FeatureName = "process"
  FeatureType = "process_name"
  TrainIf = """sequenceCount(process_name,'process-created','process-alert')=1"""
  ModelType = "CATEGORICAL"
  AgingWindow = "32"
  CutOff = "10"
  Alpha = "2"
  MaxNumberOfBins = "10000000"
  ConvergenceFilter = "confidence_factor>=0.8"
  HistogramEventTypes = ["process-created", "process-alert"]
  Disabled = "FALSE"
}

Model Attribute / Description

Category

Helps define the scope of a model. Process-related activity is categorized as endpoint activity, so the Category value in this example is End Point Activity.

For a list of other Exabeam Category values, see Model Categories.

Scope

Specifies the field for which the model is collecting data. The Scope for this model is a user. In this example, the user is a parsed field in process-create or process-alert activities.

Feature

The data object for which values are being collected. The Feature value is process_name because this example models the process activity for a given user. In this example, the process names are parsed fields in process-create or process-alert activities.

TrainIf

An expression that tells the model what data to train on. For user-based models, this attribute often contains one of the following types of expressions:

  • Count

  • sequenceCount

  • DistinctCount

  • sequenceDistinctCount

In this example, the following expression ensures that the model trains on all process_name values for the specified user during process-create or process-alert activities.

sequenceCount(process_name,'process-created','process-alert')=1

ModelType

This model trains on non-numerical data, so the ModelType value is CATEGORICAL.

HistogramEventTypes

A histogram for this model displays the process-create and process-alert activity of a user in a specific range of time.

For definitions and examples of other Exabeam model attributes, see Model Attributes.

Asset-based Model

This example models the process-create and process-alert endpoint activity of a specific asset. The A- prefix on the model name indicates that it's an asset-based model. The asset-based nature of the model is also clear from the ScopeType value DEVICE and the SequenceTypes value asset. For more information about the model attributes, see the table below the example.

A-EPA-HP {
  ModelTemplate = "Processes on this asset"
  Description = "Models processes on this asset"
  Category = "End Point Activity"
  IconName = ""
  ScopeType = "DEVICE"
  Scope = """dest_host"""
  Feature = """process_name"""
  FeatureName = "process"
  FeatureType = "process_name"
  TrainIf = """CountBy(process_name,dest_host,'process-created','process-alert','process-network')=1"""
  ModelType = "CATEGORICAL"
  AgingWindow = ""
  CutOff = "10"
  Alpha = "3"
  MaxNumberOfBins = "5000000"
  ConvergenceFilter = "confidence_factor>=0.8"
  HistogramEventTypes = ["process-created", "process-alert", "process-network"]
  SequenceTypes = [asset]
  Disabled = "FALSE"
}
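The two definitions above share one structure: a scope field to group by, a feature whose string values fill the histogram, and a list of event types that feed training. The following Python is an added example, not Exabeam code and not the page's own: it parses model blocks written in the page's syntax (the full EPA-HP definition and an abbreviated A-EPA-HP definition are embedded as constructed input) and then builds a toy per-scope categorical histogram from constructed process events. The parser, the CategoricalModel class and the interpretation of CutOff as a minimum observation count before a scope's histogram is trusted are all assumptions for illustration; the TrainIf expressions are not evaluated, only the HistogramEventTypes filter is applied.

```python
"""Toy parser and trainer for Exabeam-style categorical model definitions
(illustrative assumptions, not the real engine)."""
import re
from collections import defaultdict

# Constructed input: the page's user model verbatim, the asset model abbreviated
# to the attributes this example reads.
MODEL_TEXT = '''
EPA-HP {
  ModelTemplate = "Processes for the user"
  Description = "Models processes for this user"
  Category = "End Point Activity"
  IconName = ""
  ScopeType = "USER"
  Scope = """user"""
  Feature = """process_name"""
  FeatureName = "process"
  FeatureType = "process_name"
  TrainIf = """sequenceCount(process_name,'process-created','process-alert')=1"""
  ModelType = "CATEGORICAL"
  AgingWindow = "32"
  CutOff = "10"
  Alpha = "2"
  MaxNumberOfBins = "10000000"
  ConvergenceFilter = "confidence_factor>=0.8"
  HistogramEventTypes = [   "process-created",   "process-alert"  ]
  Disabled = "FALSE"
}
A-EPA-HP {
  ScopeType = "DEVICE"
  Scope = """dest_host"""
  Feature = """process_name"""
  ModelType = "CATEGORICAL"
  CutOff = "10"
  HistogramEventTypes = [ "process-created", "process-alert", "process-network" ]
  SequenceTypes = [asset]
}
'''

_BLOCK = re.compile(r'(?P<name>[\w-]+)\s*\{(?P<body>.*?)\n\}', re.S)
_ATTR = re.compile(r'^\s*(\w+)\s*=\s*(.*?)\s*$', re.M)


def _parse_value(raw):
    """Unwrap triple-quoted strings, plain strings and bracketed lists."""
    raw = raw.strip()
    if raw.startswith('"""') and raw.endswith('"""'):
        return raw[3:-3]
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if raw.startswith('[') and raw.endswith(']'):
        return [_parse_value(i) for i in raw[1:-1].split(',') if i.strip()]
    return raw  # bare token such as the list item "asset"


def parse_models(text):
    """Return {model_name: {attribute: value}} for every block in text."""
    return {m.group('name'): {k: _parse_value(v) for k, v in _ATTR.findall(m.group('body'))}
            for m in _BLOCK.finditer(text)}


class CategoricalModel:
    """Per-scope histogram of feature values (assumed semantics, see lead-in)."""

    def __init__(self, attrs):
        self.scope_field = attrs['Scope']
        self.feature = attrs['Feature']
        self.event_types = set(attrs['HistogramEventTypes'])
        self.cutoff = int(attrs['CutOff'])  # assumption: min observations before trust
        self.bins = defaultdict(lambda: defaultdict(int))  # scope -> value -> count

    def train(self, event):
        """Count the feature value for the event's scope; return whether it trained."""
        if event.get('event_type') not in self.event_types:
            return False
        scope, value = event.get(self.scope_field), event.get(self.feature)
        if scope is None or value is None:
            return False
        self.bins[scope][value] += 1
        return True

    def total(self, scope):
        return sum(self.bins[scope].values())

    def is_first_seen(self, scope, value):
        """True only when the scope has enough history and value was never observed."""
        return self.total(scope) >= self.cutoff and value not in self.bins[scope]


# Constructed events: alice on ws-01 runs three common processes repeatedly,
# bob on ws-02 has too little history to be trusted yet.
EVENTS = (
    [{'event_type': 'process-created', 'user': 'alice', 'dest_host': 'ws-01', 'process_name': p}
     for p in ['explorer.exe', 'chrome.exe', 'outlook.exe'] * 4]
    + [{'event_type': 'process-network', 'user': 'alice', 'dest_host': 'ws-01', 'process_name': 'chrome.exe'}] * 2
    + [{'event_type': 'process-created', 'user': 'bob', 'dest_host': 'ws-02', 'process_name': 'explorer.exe'}] * 3
)


def run_example():
    models = parse_models(MODEL_TEXT)
    user_model, asset_model = CategoricalModel(models['EPA-HP']), CategoricalModel(models['A-EPA-HP'])
    trained = {'EPA-HP': 0, 'A-EPA-HP': 0}
    for ev in EVENTS:
        trained['EPA-HP'] += int(user_model.train(ev))    # ignores process-network
        trained['A-EPA-HP'] += int(asset_model.train(ev))  # counts process-network too
    return {
        'trained': trained,
        'alice_new_process': user_model.is_first_seen('alice', 'powershell.exe'),
        'bob_new_process': user_model.is_first_seen('bob', 'powershell.exe'),
        'ws01_known_process': asset_model.is_first_seen('ws-01', 'chrome.exe'),
        'ws01_total': asset_model.total('ws-01'),
    }


if __name__ == '__main__':
    print(run_example())
```

The run shows the practical difference between the two scopes: the user model skips the process-network events that its HistogramEventTypes does not list, while the asset model counts them, so the same event stream yields different histogram totals per model. It also shows why a convergence gate matters: a process that is new for alice is flagged as first-seen only because her scope has passed the CutOff, whereas bob's three observations are too few for the same value to mean anything.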

Model Attribute / Description

Category

Helps define the scope of a model. Process-related activity is categorized as endpoint activity, so the Category value in this example is End Point Activity.

For a list of other Exabeam Category values, see Model Categories.

Scope

Specifies the field for which the model is collecting data. The Scope for this model is an asset, specifically a dest_host asset. In this example, the destination host is a parsed field indicating where process-create, process-alert, or process-network activities took place.

Feature

The data object for which values are being collected. The Feature value is process_name because this example models the process activity for a given asset. In this example, the process names are parsed fields in process-create, process-alert, or process-network activities.

TrainIf

An expression that tells the model what data to train on. For asset-based models, this attribute often contains one of the following types of expressions:

  • CountBy

  • CountByIf

  • DistinctCountBy

  • DistinctCountByIf

In this example, the following expression ensures that the model trains on all process_name values for the destination host during process-create, process-alert, or process-network activities.

CountBy(process_name,dest_host,'process-created','process-alert','process-network')=1

ModelType

This model trains on non-numerical data, so the ModelType value is CATEGORICAL.

HistogramEventTypes

A histogram for this model displays the process-create, process-alert, and process-network activities for an asset in a specific range of time.

SequenceTypes

This example is an asset-based model, so the value is asset.

For definitions and examples of other Exabeam model attributes, see Model Attributes.