Numerical Clustered Models
This type of model is used to determine when the numerical value associated with an event is considered anomalous. The algorithm fits a gamma distribution over the observed numerical data to estimate where the majority of data points lie. This area represents what's considered normal. The algorithm then calculates how far a new data point is from the boundary of the normal area. The further a point is from the boundary, the riskier the new event is.
As shown in the image below, the algorithm fits the historical points into gamma distribution, O(n), and then calculates the normal area boundary, b, using O(1). The resulting abnormal area is identified as a in the graph example.
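The fit-then-score procedure described above, as an added illustration in plain Python (this is not Exabeam's implementation; it assumes a method-of-moments gamma fit, a 99% quantile as the normal-area boundary b, and a relative distance past b as the risk score):

```python
import math
from statistics import mean, pvariance

# Constructed sample: bytes uploaded to the web per day by one user (training data).
TRAINING_BYTES = [100, 200, 300, 400, 500]

def fit_gamma(samples):
    """Method-of-moments fit of a gamma distribution: returns (shape k, scale theta)."""
    m, v = mean(samples), pvariance(samples)
    if m <= 0 or v <= 0:
        raise ValueError("need positive samples with non-zero spread")
    return m * m / v, v / m

def reg_lower_gamma(a, x, tol=1e-12):
    """Regularized lower incomplete gamma P(a, x), i.e. the gamma CDF, via its power series."""
    if x <= 0:
        return 0.0
    term = total = 1.0 / a
    n = 1
    while term > total * tol:
        term *= x / (a + n)
        total += term
        n += 1
    return math.exp(a * math.log(x) - x - math.lgamma(a)) * total

def normal_boundary(k, theta, quantile=0.99):
    """Upper edge b of the normal area: the gamma quantile, located by bisection."""
    lo, hi = 0.0, 1.0
    while reg_lower_gamma(k, hi) < quantile:   # bracket the quantile first
        hi *= 2
    for _ in range(100):
        mid = (lo + hi) / 2
        if reg_lower_gamma(k, mid) < quantile:
            lo = mid
        else:
            hi = mid
    return hi * theta   # convert from standard (scale 1) units back to bytes

def anomaly_distance(x, b):
    """Distance of a new value past the boundary, relative to b; 0 inside the normal area."""
    return max(0.0, (x - b) / b)

if __name__ == "__main__":
    k, theta = fit_gamma(TRAINING_BYTES)
    b = normal_boundary(k, theta)
    for bytes_today in (400, 1000, 5000):
        print(bytes_today, round(anomaly_distance(bytes_today, b), 3))
```

A production model would train on far more than five days and, as the CutOff and ConvergenceFilter attributes below suggest, refuse to score until enough history has accumulated.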
Numerical clustered models can be based either on user behavior or on asset activity. In the sections below, each example models the amount of data, per day, uploaded to the web, but one is a user-based (UBA) model while the other is an asset-based (EA) model.
User-based Model
This example models the amount of data per day (in bytes) that a specific user uploads to the web. The user-based nature of the model is clear from the value for the Scope attribute. For more information about the model attributes, see the table below the example.
```
WEB-UBytesSum-Out {
  ModelTemplate = "Sum of bytes written/uploaded to the web in a day by the user"
  Description = "Models the amount of data (in bytes) that were uploaded to the web in a day by the user"
  Category = "Web Activity"
  IconName = ""
  ScopeType = "USER"
  Scope = "user"
  Feature = "sequenceSum(bytes_in_post,'web-activity-allowed')"
  FeatureName = "bytes"
  FeatureType = "quantity"
  TrainIf = """sequenceSum(bytes_in_post,'web-activity-allowed')>0"""
  ModelType = "NUMERICAL_CLUSTERED"
  BinWidth = "5"
  AgingWindow = ""
  CutOff = "10"
  Alpha = "1"
  ConvergenceFilter = "confidence_factor>=0.8"
  HistogramEventTypes = [ "sequence-end" ]
  Disabled = "FALSE"
}
```
Model Attribute | Description
---|---
Category | Helps define the scope of a model. This model tracks the amount of data a user uploads to the web, so the Category is "Web Activity". For a list of other Exabeam
Scope | Specifies the field for which the model is collecting data. The Scope for this model is "user".
Feature | The data object for which values are being collected. This example models the web activity of a given user. The Feature is sequenceSum(bytes_in_post,'web-activity-allowed').
TrainIf | An expression that tells the model what data to train on. For user-based models, this attribute often contains one of the following types of expressions: In this example, the expression sequenceSum(bytes_in_post,'web-activity-allowed')>0 ensures that the model trains when the sum of bytes uploaded to the web by a user is greater than 0 for
ModelType | This example models a quantity of data, so the ModelType is "NUMERICAL_CLUSTERED".
HistogramEventTypes | A histogram for this model displays the amount of data per day (in bytes) uploaded to the web by a user in a specific range of time. The HistogramEventTypes value is "sequence-end".
For definitions and examples of other Exabeam model attributes, see Model Attributes.
Asset-based Model
This example models the amount of data per day (in bytes) that a specific asset uploads to the web. The A- at the start of the model name indicates that it's an asset-based model. The asset-based nature of the model is also clear from the value for the SequenceTypes attribute. For more information about the model attributes, see the table below the example.
```
A-WEB-BytesSum-Out {
  ModelTemplate = "Sum of bytes written/uploaded to the web in a day by the asset"
  Description = "Models the amount of data (in bytes) that were uploaded to the web in a day by the asset"
  Category = "Web Activity"
  IconName = ""
  ScopeType = "DEVICE"
  Scope = "src_host"
  Feature = "sumBy(bytes_in_post,src_host,'web-activity-allowed')"
  FeatureName = "bytes"
  FeatureType = "quantity"
  TrainIf = """sumBy(bytes_in_post,'web-activity-allowed')>0"""
  ModelType = "NUMERICAL_CLUSTERED"
  BinWidth = "5"
  AgingWindow = ""
  CutOff = "10"
  Alpha = "1"
  ConvergenceFilter = "confidence_factor>=0.8"
  HistogramEventTypes = [ "sequence-end" ]
  SequenceTypes = [asset]
  Disabled = "FALSE"
}
```
Model Attribute | Description
---|---
Category | Helps define the scope of a model. This model tracks the amount of data an asset uploads to the web, so the Category is "Web Activity". For a list of other Exabeam
Scope | Specifies the field for which the model is collecting data. The Scope for this model is "src_host".
Feature | The data object for which values are being collected. This example models the web activity of a given asset. The Feature is sumBy(bytes_in_post,src_host,'web-activity-allowed').
TrainIf | An expression that tells the model what data to train on. For asset-based models, this attribute often contains one of the following types of expressions: In this example, the expression sumBy(bytes_in_post,'web-activity-allowed')>0 ensures that the model trains when the sum of bytes uploaded to the web by an asset is greater than 0 for
ModelType | This example models a quantity of data, so the ModelType is "NUMERICAL_CLUSTERED".
HistogramEventTypes | A histogram for this model displays the amount of data per day (in bytes) uploaded to the web by an asset in a specific range of time. The HistogramEventTypes value is "sequence-end".
SequenceTypes | This example is an asset-based model, so the SequenceTypes value is [asset].
For definitions and examples of other Exabeam model attributes, see Model Attributes.