
Exabeam Models

Exabeam Advanced Analytics performs anomaly detection using models. Without models, rules can only score on 'fact'-based logic: logic that looks for specific things in the logs, or counts specific values over an entire session. Models add a second capability: they track the historical values (features) seen for a given item (scope). For example, a model can track the hosts (feature values) that a user (scope) has logged into. If the current value is judged abnormal against the historical values held in the model, a rule can attach a score to that anomaly. Anomaly detection works by calculating a number of statistics about the features in a given model and checking whether the feature value seen in the event being evaluated is unusual against that history.

Advanced Analytics statistical profiling is not limited to user-level data. Exabeam also profiles other entities, including hosts and peer groups. RAM and performance permitting, just about anything can be modeled: if a field is parsed, then that parsed or enriched field can be used as either the scope or the feature of a model. When deciding what to make the scope or feature of a model, consider how large the model might grow (a high-cardinality feature such as a random port or session ID adds a new value on almost every event), what values may populate it in the future, and how those values will affect anomaly detection.
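To make the scope/feature idea concrete, and to show why feature cardinality drives model size, here is a small toy profiling model. It is an added example written for this page, not Exabeam's implementation and not its real model format: the `Model` class, the `min_observations` and `rare_threshold` knobs, and the sample login events are all assumptions constructed for illustration. It keeps a histogram of feature values per scope (hosts per user), flags a first-seen or rare value once a scope has enough history, and reports how many distinct values each model holds so you can compare a bounded feature (host) with an unbounded one (source port) over the same events.

```python
"""Toy scope/feature profiling model (illustration only; not Exabeam's code).

A model remembers, per scope (e.g. user), a histogram of feature values seen
(e.g. hosts logged into). Scoring an event asks how common its feature value
is for that scope. Sample events below are constructed for this example.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass, field


@dataclass
class Model:
    """Histogram of feature values observed per scope."""
    scope_field: str
    feature_field: str
    history: dict = field(default_factory=lambda: defaultdict(Counter))

    def train(self, event):
        """Record one observation of (scope, feature) from a parsed event."""
        scope = event.get(self.scope_field)
        value = event.get(self.feature_field)
        if scope is None or value is None:
            return  # field not parsed: nothing to learn from this event
        self.history[scope][value] += 1

    def score(self, event, min_observations=5, rare_threshold=0.1):
        """Return (anomalous, probability) for the event's feature value.

        probability = fraction of this scope's past observations that carried
        this value (0.0 means first seen). A scope with fewer than
        min_observations is treated as not yet converged and never fires,
        so brand-new users do not generate noise. Both knobs are assumptions
        chosen for this example, not Exabeam parameters.
        """
        scope = event.get(self.scope_field)
        value = event.get(self.feature_field)
        if scope is None or value is None:
            return (False, None)
        counts = self.history.get(scope, Counter())  # .get avoids creating a scope
        total = sum(counts.values())
        if total < min_observations:
            return (False, None)
        p = counts[value] / total  # Counter returns 0 for unseen values
        return (p < rare_threshold, p)

    def size(self):
        """(number of scopes, total distinct feature values): a proxy for RAM."""
        return (len(self.history), sum(len(c) for c in self.history.values()))


# Constructed training data: alice logs into her workstation 8 times and a
# shared box twice; bob has only 2 events. Every event has a unique source port.
TRAINING_EVENTS = (
    [{"user": "alice", "host": "ws-alice", "src_port": 50000 + i} for i in range(8)]
    + [{"user": "alice", "host": "ws-shared", "src_port": 51000 + i} for i in range(2)]
    + [{"user": "bob", "host": "ws-bob", "src_port": 52000 + i} for i in range(2)]
)


def build_models(events=TRAINING_EVENTS):
    """Train two models over the same events: a bounded and an unbounded feature."""
    by_host = Model(scope_field="user", feature_field="host")
    by_port = Model(scope_field="user", feature_field="src_port")
    for event in events:
        by_host.train(event)
        by_port.train(event)
    return by_host, by_port


if __name__ == "__main__":
    by_host, by_port = build_models()
    print("alice -> dc01     ", by_host.score({"user": "alice", "host": "dc01"}))
    print("alice -> ws-alice ", by_host.score({"user": "alice", "host": "ws-alice"}))
    print("bob   -> dc01     ", by_host.score({"user": "bob", "host": "dc01"}))
    print("host model size   ", by_host.size())
    print("port model size   ", by_port.size())
```

Run stand-alone, the script flags alice's first login to dc01 as anomalous, leaves her usual workstation alone, and stays silent for bob because his scope has too little history. The size comparison is the point of the second model: the host feature settles at three distinct values across two users, while the source-port feature holds one value per event and will keep growing for as long as events arrive, which is exactly the kind of growth to rule out before choosing a feature.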

For information about the different type of models available, see Types of Models. For information about the attributes contained in models, see the table in Model Attributes.