Categorical Models

Categorical models are used to train on data represented by string values, such as host or user names. These models can be based either on user behavior or on asset activity. In the sections below, each example models specific endpoint process activity, but one is a user-based model while the other is an asset-based model.

User-based Model

This example models the process-create and process-alert endpoint activity of a specific user. The user-based nature of the model is clear from the value for the Scope attribute. For more information about the model attributes, see the table below the example.

EPA-HP {
  ModelTemplate = "Processes for the user"
  Description = "Models processes for this user"
  Category = "End Point Activity"
  IconName = ""
  ScopeType = "USER"
  Scope = """user"""
  Feature = """process_name"""
  FeatureName = "process"
  FeatureType = "process_name"
  TrainIf = """sequenceCount(process_name,'process-created','process-alert')=1"""
  ModelType = "CATEGORICAL"
  AgingWindow = "32"
  CutOff = "10"
  Alpha = "2"
  MaxNumberOfBins = "10000000"
  ConvergenceFilter = "confidence_factor>=0.8"
  HistogramEventTypes = [   "process-created",   "process-alert"  ]
  Disabled = "FALSE"
}

Model Attribute	Description
Category	Helps define the scope of a model. Process-related activity is categorized as endpoint activity, so the `Category` value in this example is `End Point Activity`. For a list of other Exabeam `Category` values, see Model Categories.
Scope	Specifies the field for which the model is collecting data. The `Scope` for this model is a user. In this example, the user is a parsed field in `process-create` or `process-alert` activities.
Feature	The data object for which values are being collected. The `Feature` value is `process_name` because this example models the process activity for a given user. In this example, the process names are parsed fields in `process-create` or `process-alert` activities.
TrainIf	An expression that tells the model what data to train on. For user-based models, this attribute often contains one of the following types of expressions: `Count` `sequenceCount` `DistinctCount` `sequenceDistinctCount` In this example, the following expression ensures that the model trains on all `process_name` values for the specified user during `process-create` or `process-alert` activities. `sequenceCount(process_name,'process-created','process-alert')=1`
ModelType	This model trains on non-numerical data, so the `ModelType` value is `CATEGORICAL`.
HistogramEventTypes	A histogram for this model displays the `process-create` and `process-alert` activity of a user in a specific range of time.

For definitions and examples of other Exabeam model attributes, see Model Attributes.

Asset-based Model

This example models the process-create and process-alert endpoint activity of a specific asset. The A– at the start of the model name indicates that it's an asset-based model. The asset-based nature of the model is also clear from the value for the SequenceTypes attribute. For more information about the model attributes, see the table below the example.

A-EPA-HP {
  ModelTemplate = "Processes on this asset"
  Description = "Models processes on this asset"
  Category = "End Point Activity"
  IconName = ""
  ScopeType = "DEVICE"
  Scope = """dest_host"""
  Feature = """process_name"""
  FeatureName = "process"
  FeatureType = "process_name"
  TrainIf = """CountBy(process_name,dest_host,'process-created','process-alert','process-network')=1"""
  ModelType = "CATEGORICAL"
  AgingWindow = ""
  CutOff = "10"
  Alpha = "3"
  MaxNumberOfBins = "5000000"
  ConvergenceFilter = "confidence_factor>=0.8"
  HistogramEventTypes = [    "process-created",    "process-alert",    "process-network"  ]  
  SequenceTypes = [asset]
  Disabled = "FALSE"
}

Model Attribute	Description
Category	Helps define the scope of a model. Process-related activity is categorized as endpoint activity, so the `Category` value in this example is `End Point Activity`. For a list of other Exabeam `Category` values, see Model Categories.
Scope	Specifies the field for which the model is collecting data. The `Scope` for this model is an asset, specifically a `dest_host` asset. In this example, the destination host is a parsed field indicating where `process-create`, `process-alert`, or `process-network` activities took place.
Feature	The data object for which values are being collected. The `Feature` value is `process_name` because this example models the process activity for a given asset. In this example, the process names are parsed fields in `process-create`, `process-alert`, or `process-network` activities.
TrainIf	An expression that tells the model what data to train on. For asset-based models, this attribute often contains one of the following types of expressions: `CountBy` `CountByIf` `DistinctCountBy` `DistinctCountByIf` In this example, the following expression ensures that the model trains on all `process_name` values for the destination host during `process-create`, `process-alert`, or `process-network` activities. `CountBy(process_name,dest_host,'process-created','process-alert','process-network')=1`
ModelType	This model trains on non-numerical data, so the `ModelType` value is `CATEGORICAL`.
HistogramEventTypes	A histogram for this model displays the `process-create`, `process-alert`, and `process-network` activities for an asset in a specific range of time.
SequenceTypes	This example is an asset-based model, so the value is `asset`.

For definitions and examples of other Exabeam model attributes, see Model Attributes.

Security ContentExabeam Security Content in the Common Information Model

Table of ContentsTable of Contents