
Threat Detection Management Guide

Analytics Rule Types

Threat Center raises analytics alerts using rules that target anomalous behavior and threats. Analytics rules are defined by Exabeam security researchers and are tuned using exclusion rules.

The following table defines and categorizes the rule types the analytics engine uses to detect and assess potential risks or anomalies. Each rule type has a specific function, ranging from direct evaluation of event data to profiling historical activity to identify unusual patterns. The descriptions explain how each rule type operates, and the examples show practical applications.

| Rule Type | Description | Examples |
|---|---|---|
| Factfeature | Factfeature rules are straightforward analytics rules that can be evaluated solely from the data in an event and its associated context tables. They directly indicate a potential risk or anomaly, generating risk when their conditions are met. | Encryption type is suspiciously weak; Source IP is blacklisted; User logged in from a known TOR IP |
| numericSumFactFeature | NumericSumFactFeature rules sum specific numerical values from events within a defined time frame or context. They are used to detect anomalies or unusual accumulations of numeric values in a specific field. | Sum of bytes transferred exceeds a threshold; Total login attempts from a source IP in a day |
| numericCountFactFeature | NumericCountFactFeature rules count the occurrences of specific events or values. They track the number of times certain conditions have been met within a given scope or time period. | Number of failed login attempts in the past hour; Number of files accessed by a user in one session |
| numericDistinctCountFactFeature | NumericDistinctCountFactFeature rules count the number of distinct values of a specific field in the event data, such as unique IP addresses or unique files accessed. | Number of distinct IP addresses accessed by a user; Number of unique files accessed by a device |
| numericAverageFactFeature | NumericAverageFactFeature rules calculate the average value of a specific numeric field over a given period or context to identify trends, anomalies, or changes in behavior. | Average file size uploaded by a user over a week; Average number of requests per session for a service |
| Contextfeature | A contextfeature rule is similar to a factfeature rule in that it uses data from the current event. Unlike factfeature rules, however, contextfeature rules do not generate risk on their own; they provide additional details that refine the risk analysis. When paired with a factfeature or profiledfeature rule that identifies a risk, the contextfeature adds information that lets the analytics engine better discriminate between events during anomaly detection. | User class; User is privileged; Event type; Email destination address is disposable or public; Security vendor name |
| ProfiledFeature | A profiledfeature rule identifies anomalous behavior by building a baseline of typical activity as the analytics engine continuously processes events. Profiledfeature alerts such as "anomalous source host for user" or "anomalous VPN access for peer group" follow the pattern "first or anomalous (value) for (scope)". The analytics engine automatically builds a profile for each defined feature, tracking the values seen and when each was last observed within the specified scope. | Unusual VPN access from <user> to <destination host>; First or anomalous account management <event type> for <source zone>; Unusual admin share access for asset |
| NumericCountProfiledFeature | NumericCountProfiledFeature rules establish a baseline for the count of specific events over time and then detect deviations from that norm. | Count of login events for a user compared to the user's historical profile; Anomalous number of file transfers by a user |
| NumericDistinctCountProfiledFeature | NumericDistinctCountProfiledFeature rules profile the number of distinct values of specific features and alert when the current distinct count is unusual compared to the historical baseline. | Number of distinct devices accessing a service by a single user; Unusual count of unique IP addresses accessed by an asset |
| NumericSumProfiledFeature | NumericSumProfiledFeature rules track cumulative sums of numeric values for specific activities, build a baseline, and identify significant deviations from the expected sum. | Total data usage for a specific asset compared to normal; Sum of login durations for a user in a day compared to typical values |
| NumericAverageProfiledFeature | NumericAverageProfiledFeature rules calculate the average of specific numeric values over time and compare the current average to the expected profile to detect anomalies. | Average number of transactions per session for a user; Average daily bandwidth usage for a network segment |
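As an added illustration (not Exabeam's engine or code), the toy Python engine below applies one rule of each family above to a constructed login stream: a factfeature (TOR IP from a context table), a numericCountFactFeature (failed logins in the past hour), a contextfeature (privileged-user flag that adds detail but no risk), a profiledfeature ("first <host> for <user>") and a NumericCountProfiledFeature (daily count against a baseline). The context tables, users, hosts and thresholds are all hypothetical.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed context tables (hypothetical values, not Exabeam data).
TOR_EXIT_IPS = {"203.0.113.7"}
PRIVILEGED_USERS = {"alice"}
# Constructed events: alice's usual logins, one from a TOR exit, then six failed logins for bob.
EVENTS = [
    {"ts": "2024-05-01T09:00:00", "user": "alice", "src_ip": "10.0.0.5", "host": "ws01", "ok": True},
    {"ts": "2024-05-01T09:30:00", "user": "alice", "src_ip": "10.0.0.5", "host": "ws01", "ok": True},
    {"ts": "2024-05-01T10:00:00", "user": "alice", "src_ip": "203.0.113.7", "host": "ws09", "ok": True},
] + [{"ts": f"2024-05-01T10:{m:02d}:00", "user": "bob", "src_ip": "10.0.0.9", "host": "ws02", "ok": False}
     for m in range(0, 30, 5)]

def factfeature_tor_login(event):
    """Factfeature: decided from the event plus a context table; a hit generates risk."""
    return event["src_ip"] in TOR_EXIT_IPS

def numeric_count_failed_logins(events, user, now, window=timedelta(hours=1)):
    """numericCountFactFeature: failed logins by `user` in the hour ending at `now`."""
    return sum(1 for e in events if e["user"] == user and not e["ok"] and now - window <= e["ts"] <= now)

class ValueProfile:
    """profiledfeature: per-scope map of value -> last seen; an unseen value is a 'first'."""
    def __init__(self): self.seen = defaultdict(dict)
    def observe(self, scope, value, ts):
        first = value not in self.seen[scope]   # a real engine also requires a training period
        self.seen[scope][value] = ts            # track when the value was last observed
        return first

def daily_count_anomaly(baseline_counts, today_count, z=2.0):
    """NumericCountProfiledFeature: flag a count beyond mean + z*stdev of the baseline."""
    mu, sigma = mean(baseline_counts), pstdev(baseline_counts)
    return today_count > mu + z * max(sigma, 1.0)   # floor keeps a flat baseline from firing on +1

def run(events=EVENTS):
    """Stream the events through the rules in time order; return the alert texts raised."""
    alerts, profile = [], ValueProfile()
    parsed = sorted(({**e, "ts": datetime.fromisoformat(e["ts"])} for e in events), key=lambda e: e["ts"])
    for e in parsed:
        ctx = "privileged" if e["user"] in PRIVILEGED_USERS else "standard"  # contextfeature: detail, no risk
        if factfeature_tor_login(e):
            alerts.append(f"User logged in from a known TOR IP ({ctx} user {e['user']})")
        if profile.observe(e["user"], e["host"], e["ts"]):
            alerts.append(f"First source host {e['host']} for user {e['user']}")
        if not e["ok"] and numeric_count_failed_logins(parsed, e["user"], e["ts"]) == 5:
            alerts.append(f"Failed logins in the past hour for user {e['user']} reached 5")
    return alerts
```

Note that without a training period the profiled rule fires on every user's very first host; the comment marks where a production engine would suppress that learning-phase noise.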