At the top of the CloudAI Overview page in the Web Console, you can view CloudAI processing statistics, including users, observations, and threat events. You can also access CloudAI Lab, a web-hosted user interface with the latest CloudAI analytics.

CloudAI Lab is only available in SIEM versions 7.4.8 and later. 


CloudAI Lab is subject to frequent changes to provide the latest features and analytics.


CloudAI Lab Features

The following features are available in CloudAI Lab:

  • Asset Relationships
  • CloudAI Labels


Asset Relationships

The asset relationships feature allows CloudAI Lab users to search and view interactions between whitelisted assets. An asset is an entity monitored by CloudAI, such as a host or identity. Users can pivot between hosts and identities to further explore interactions.

To access the asset relationships feature:

  1. On the top navigation bar in the Web Console, click CloudAI.
  2. In the top-right corner of the page, click CloudAI Lab.
  3. In the Explore: Identities and Hosts box, click Try It.

    A search bar with a date range selector displays.

  4. Enter your search term and select your date range. The range defaults to the past 24 hours.

    When you search for an asset, the results appear in a dropdown list. The dropdown list is limited to 20 results, so you may need to refine your search term to find the asset you want. Also, if no interactions occurred within the date range you selected, the asset will not appear in the results.

  5. Click on an asset in the dropdown list to view its interactions.

Asset Views

Identity View

Identity View displays a list of assets that a user (identity) has interacted with during the specified time range. While in Identity View, you can do the following:

  • Change the time range to update the list of the identity's interactions.
  • Page through the list to see all the identity's interactions during the specified time range.
  • Click an asset on the list to view its interactions for the same time range.

Host View

Host View displays a list of assets that a host has interacted with during the specified time range. While in Host View, you can do the following:

  • Change the time range to update the list of the host's interactions.
  • Page through the list to see all the host's interactions during the specified time range.
  • Click an asset on the list to view its interactions for the same time range.


CloudAI Labels 

CloudAI labels provide context about an asset (currently hosts or identities). Labels are not time-based. They describe an asset's attributes to help you understand what the asset is and how it functions within the environment. Labels are derived from statistical and machine learning models operating on observations extracted from the security logs processed by the SIEM.

Labels appear on each asset in CloudAI Lab. For example, the asset shown below has two labels: Receives External Authentications and Shared Asset.


CloudAI Labels based on NetMon data

Customers who have NetMon available in their environment can view additional labels in CloudAI Lab asset views. The NetMon data augments the CloudAI analysis and provides additional context about application family types associated with asset interactions.

The labels currently derived from NetMon data are:

  • Database server
  • Database client
  • File server
  • File server client

For example, the asset shown below has two labels: Database Server and Receives Internal Authentications.