Clusters
Related logs and observations that share a common metadata value are referred to as clusters. Clustering logs and observations makes it faster to view potentially related activity and address security events. Search results which are a peer in at least one cluster display the following icon in the far-left column:
Clicking any cell in a cluster row opens the Inspector panel on the right. The following fields are unique to the Observation Cluster Inspector:
Field | Description |
---|---|
Cluster (1 of x) | If more than one cluster has been created for the selected row, click the arrow to cycle through additional clusters. |
Common Field | Displays the name of the metadata field in common across the cluster. |
Clustered Logs | Displays the number of logs that share a common event with the selected observation. Clicking on the x Items link opens the Clustered Logs panel, which shows the clustered logs in more detail. Clicking Open in Search in the Clustered Logs panel shows the entire cluster in a separate search. |
First | The date and time the first peer was triggered. |
Last | The date and time the most recent peer was triggered. |
Cluster Formation
Both collected logs and observations generated by Axon Analytics can be part of a cluster, and a single log or observation can belong to multiple clusters. To be eligible to join a cluster, the log or observation must have at least one of the following Common Events:
- Improbable Travel
- Threat Detected
- Scheduled Task Created
- Process Started
- Access Denied
- Role Modified
- Role Assigned
In order to form a cluster, logs and observations must share a metadata value in one of the following fields:
- Target Host IP
- Origin Host Name
- Target Account Name
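The two rules above (eligibility by Common Event, then grouping by a shared value in one of the three fields) can be worked through on sample records. This is an added illustration, not Axon's own code; the record layout, the snake_case field names and the sample rows are constructed assumptions, and it treats records as peers whenever they share a value in one field, which is how the formation rule reads here.

```python
from collections import defaultdict
from datetime import datetime

# Common Events that make a log or observation eligible to join a cluster (from the page).
ELIGIBLE_EVENTS = {
    "Improbable Travel", "Threat Detected", "Scheduled Task Created",
    "Process Started", "Access Denied", "Role Modified", "Role Assigned",
}
# Metadata fields whose shared value forms a cluster (page's fields, assumed key names).
CLUSTER_FIELDS = ("target_host_ip", "origin_host_name", "target_account_name")

# Constructed sample records (not real data). Record 4 has a non-eligible Common Event
# and is excluded even though it shares values with record 1; record 5 has no peers.
SAMPLE = [
    {"id": 1, "common_event": "Access Denied",   "target_host_ip": "10.0.0.5", "origin_host_name": "ws-01", "target_account_name": "alice", "time": "2024-01-01T10:00:00"},
    {"id": 2, "common_event": "Process Started", "target_host_ip": "10.0.0.5", "origin_host_name": "ws-02", "target_account_name": "bob",   "time": "2024-01-01T10:05:00"},
    {"id": 3, "common_event": "Role Assigned",   "target_host_ip": "10.0.0.9", "origin_host_name": "ws-02", "target_account_name": "alice", "time": "2024-01-01T10:10:00"},
    {"id": 4, "common_event": "Logon Success",   "target_host_ip": "10.0.0.5", "origin_host_name": "ws-01", "target_account_name": "alice", "time": "2024-01-01T10:15:00"},
    {"id": 5, "common_event": "Threat Detected", "target_host_ip": "10.0.0.7", "origin_host_name": "ws-03", "target_account_name": "carol", "time": "2024-01-01T10:20:00"},
]


def form_clusters(records):
    """Return clusters as dicts with the Inspector's fields: Common Field, member ids, First, Last.

    A record may appear in several clusters (one per field/value it shares), as the page states.
    """
    eligible = [r for r in records if r.get("common_event") in ELIGIBLE_EVENTS]
    groups = defaultdict(list)
    for r in eligible:
        for field in CLUSTER_FIELDS:
            value = r.get(field)
            if value:  # a missing or empty value never links two records
                groups[(field, value)].append(r)
    clusters = []
    for (field, value), members in groups.items():
        if len(members) < 2:  # a cluster needs at least two peers
            continue
        times = sorted(datetime.fromisoformat(m["time"]) for m in members)
        clusters.append({"common_field": field, "value": value,
                         "members": [m["id"] for m in members],
                         "first": times[0].isoformat(), "last": times[-1].isoformat()})
    return clusters


def clusters_for(record_id, clusters):
    """Clusters containing one record: what 'Cluster (1 of x)' cycles through in the Inspector."""
    return [c for c in clusters if record_id in c["members"]]
```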