The CloudAI Overview Page includes processing statistics, the user distribution graph, the Top Anomalous Users widget, and the Top Anomalous Events widget. The processing statistics are always shown at the top of the page.

To add a widget to the page, click the Add Widget icon on the top navigation bar, point to the widget in the list, and then click and drag the widget to a location on the dashboard. For more information on creating and customizing dashboards, see the Dashboards topic in the Web Console User Guide. 

To move and resize the user distribution graph, the Top Anomalous Users widget, and the Top Anomalous Events widget:

  • To move the widget to a different location on the page, point to the widget until you see the move cursor, and then click and drag the widget to a new location.
  • To change the size of the widget, point to the lower-right corner of the widget until you see the resize cursor, and then click and drag to resize the widget.

Processing Statistics

The top of the CloudAI Overview page shows CloudAI processing statistics. The Data Stream field shows the data processing rate. The Users, Observations, and Threat Events fields are anomaly detection results that show the number of users analyzed in the current Scored Period, and the resulting number of unique observations and threat events.

The processing statistics also include CloudAI Lab. For more information, see CloudAI Lab.

CloudAI Lab is subject to frequent changes to provide the latest features and analytics. For more information on the latest updates to CloudAI Lab, see the CloudAI Lab page on the LogRhythm Community.

User Distribution Graph

The User Distribution Graph shows a tally of the User Anomaly Scores for all network users over the Scored Period, divided into quartiles. You have the following options:

  • To highlight a representation of users in one quartile of the graph and gray out the others, point to a quartile at the top of the graph.
  • To show the number of users with that Anomaly Score during the Scored Period, point to any bar on the graph.
  • To copy the widget to another dashboard, or delete the widget, point to the widget and click the Settings icon.
  • To show users within a specific Anomaly Score range, click and drag over a range on the graph. The graph opens on the CloudAI Analyze page with a table of users within the selected range. You have the following options:
    • To view the Threat Event Timeline for a particular user, click the event card for the user in the list.
    • To run an investigation on a specific user, click the Search icon next to the user in the list.
    • To add a user to a list, click the Lists icon. Select Ignore for 24 hours to add the user to the ignore list. This list is used to hide users with high anomaly scores that are expected (for example, when a new account is created). To add to any other list, select the list from the drop-down menu.
    • To add a user to a case or create a new case with the user, click the Cases icon and select an option.

Top Anomalous Users Widget

The users with the highest User Anomaly Scores in the Scored Period are listed in order from highest to lowest from the top of the vertical axis down.

You have the following options:

  • To view the Threat Event Timeline for a particular user, click the event card for the user in the list.
  • To search for a user in the list, type a user name in the Search usernames box. 
  • To run an investigation on a specific user, click the Search icon next to the user in the list.
  • To add a user to a list, click the Lists icon. Select Ignore for 24 hours to add the user to the ignore list. This list is used to hide users with high anomaly scores that are expected (for example, when a new account is created). To add to any other list, select the list from the menu.
  • To add a user to a case or create a new case with the user, click the Cases icon and select an option.
  • To see the filters applied to the widget, point to the filter icon at the top of the widget.

For more information, see the Configure the Top Anomalous Users Widget topic in the LogRhythm UEBA and CloudAI Guide. 

Top Anomalous Events Widget

The events with the highest anomalous scores in the Scored Period are listed in order from highest to lowest from the top of the vertical axis down. The widget displays the event score, time of the event, name of the event, and user associated with the event. 

You have the following options:

  • To view the Threat Event Timeline for a particular user, click the event card for the user in the list.
  • To run an investigation on a specific user, click the Search icon next to the user in the list. The search is based on the behavior and hour in the event for the specific user.
  • To add a user to a list, click the Lists icon. Select Ignore for 24 hours to add the user to the ignore list. This list is used to hide users with high anomaly scores that are expected (for example, when a new account is created). To add to any other list, select the list from the menu.
  • To filter the events in the list, type an event type in the Filter Events box at the top of the list. Alternatively, click the event type icon on the event card. 
  • To view events for users in a particular list, select a list from the Select an identity list menu. 
  • To see the filters applied to the widget, point to the filter icon at the top of the widget.
  • To view more events, scroll or use the scroll bar within the widget. 

For more information, see the Configure the Top Anomalous Events Widget topic in the LogRhythm UEBA and CloudAI Guide.