In the Web Console at the top of the CloudAI Overview page, you can view CloudAI processing statistics, including users, observations, and threat events. You can also access CloudAI Lab, a fully web-hosted set of CloudAI features.

In the upper-left corner, click CloudAI Lab to access the main page of CloudAI Lab, where you can access the features available.


CloudAI Lab is only available in SIEM versions 7.4.8 and later. 


CloudAI Lab is subject to frequent changes to provide the latest features and analytics.


CloudAI Lab Features

The following features are available in CloudAI Lab:

  • Explore: Identities and Hosts Interactions
  • Explore: Anomaly Heatmap of Identities

CloudAI Labels, when available, will be present in both features.

Identities and Hosts Interactions

The asset relationships feature allows CloudAI Lab users to search and view interactions between whitelisted assets. An asset is an entity monitored by CloudAI, such as a host or identity. Users can pivot between hosts and identities to further explore interactions.

Identity View

Identity View displays a list of assets that a user (identity) has interacted with during the specified time range. While in Identity View, you can do the following:

  • Change the time range to update the list of the identity's interactions.
  • Page through the list to see all the identity's interactions during the specified time range.
  • Click an asset on the list to view its interactions for the same time range.

Host View

Host View displays a list of assets that a host has interacted with during the specified time range. While in Host View, you can do the following:

  • Change the time range to update the list of the host's interactions.
  • Page through the list to see all the host's interactions during the specified time range.
  • Click an asset on the list to view its interactions for the same time range.

To access the Identities and Hosts Interactions feature:

  1. On the top navigation bar in the Web Console, click CloudAI.
  2. In the top-right corner of the page, click CloudAI Lab.
    The CloudAI Lab main page appears.
  3. In the Explore: Identities and Hosts box, click Try It.
    The Search for Assets view appears, showing a search bar and a date range selector at the top.

  4. To set the date range, enter dates in the From and To boxes in the upper-left corner. The date range defaults to the past 24 hours.

  5. To search for assets, start typing your search term in the search bar. CloudAI Lab auto-populates a list of asset interactions that occurred within the designated date range.

    When you search for an asset, the results appear in a drop-down list. The drop-down list is limited to 20 results, so you may need to refine your search term to find the asset you want. Also, if no interactions occurred within the date range you selected, the asset will not appear in the results.

  6. Click an asset in the drop-down list to view its interactions. Identity and Host labels appear when available.
  7. To view interactions for another date range, enter new dates in the From and To boxes in the upper-left corner.

Anomaly Heatmap of Identities

The Anomaly Heatmap of Identities is a grid that shows anomalous behavior for a specified identity over a 24-hour period. The following three types of anomalous behavior are displayed in the grid:

  • Unusual number of new impacted hosts
  • Unusual number of new origin hosts
  • Unusual number of new locations

Each row of the grid divides the instances of one anomaly type into 1-hour blocks from the past 24 hours. A yellow block indicates the anomaly type occurred during that 1-hour timeframe. The brighter the yellow block, the higher the anomaly score for that hour. You can click a yellow block to view details for the anomaly type during that 1-hour block. The details appear below the heatmap grid.

To access the Anomaly Heatmap of Identities feature:

  1. On the top navigation bar in the Web Console, click CloudAI.
  2. In the top-right corner of the page, click CloudAI Lab.
  3. In the Explore: Anomaly Heatmap of Identities box, click Try It.
    A search bar appears.

  4. To search for identities, start typing your search term in the search bar. CloudAI Lab auto-populates a list of identities.

    When you search for an identity, the results appear in a drop-down list. The drop-down list is limited to 20 results, so you may need to refine your search term to find the identity you want.

  5. Click on an identity in the drop-down list to view its anomaly heatmap.
    The anomaly heatmap appears. A yellow block on the grid indicates anomalous behavior occurred for the corresponding anomaly type within the corresponding 1-hour time block. The brightness of the yellow block indicates the anomaly score. The brighter the yellow block, the higher the anomaly score.

  6. To view the details of anomalous behavior, click a yellow block.

    For example, the following heatmap shows an unusual number of new origin hosts occurred during the 1-hour blocks of 2pm, 6pm, 9pm, and 8am. It also shows an unusual number of new locations occurred during the 2pm and 6pm time blocks.

    The blue border around the 6pm time block in the new locations row indicates it has been selected, and the details about new locations for that time block are displayed below the heatmap grid.

    The following example shows the 8am time block in the new origin hosts row has been selected, and the details are displayed below the heatmap grid.

  7. To view more information about the origin host displayed below the heatmap, click the blue link shown in the Origin Host column.

    If no information is available for the origin host, the value in the Origin Host column will not be blue.

    When you click a linked origin host, the Search for Assets view appears. For more information, see Identities and Hosts Interactions.

The heatmap is not designed to be used as a search engine for anomalies. Its intended use is to add more context once you discover an identity with one of the anomaly types in the last 24 hours. To determine identities of interest, use dashboards, searches, or identities timelines first.


CloudAI Labels

CloudAI labels provide context about an asset (currently hosts or identities). They describe an asset's attributes to help you understand what the asset is and how it functions within the environment. Labels are derived from statistical and machine learning models operating on observations extracted from the security logs analyzed by CloudAI over the previous 30 days. Although they are not explicitly time-based, labels persist on assets that generated relevant data within the last 30 days.

Labels appear on each asset in the CloudAI Lab features. For example, the following asset has two labels: Receives External Authentications and Shared Asset.



The Labels that leverage all data are:

Label                                 Description
Dormant Account                       Asset showed no activity for at least one day in the past 30 days.
Originates Internal Authentications   Asset is OriginHost in Internal Authentications.
Local Authentications                 Asset is OriginHost and/or ImpactedHost in Local Authentications.
Receives Internal Authentications     Asset is ImpactedHost in Internal Authentications.
Originates External Authentications   Asset is OriginHost in External Authentications.
Receives External Authentications     Asset is ImpactedHost in External Authentications.
Interactive Logons                    Asset has interactively logged on.
Service Logons                        Asset logged on as a service.
Privileged Activity                   Asset has logs related to account management activity.
Shared Asset                          Asset is accessed by multiple users.
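As an added illustration that is not part of this documentation or CloudAI's own code, the following Python applies the label definitions from the table above to a constructed set of authentication and logon observations. It is a simplified rule-based reconstruction of what each label means, not the statistical or machine learning models CloudAI actually uses; it covers the authentication, logon, Privileged Activity and Shared Asset labels, and the field names ("origin" for OriginHost, "impacted" for ImpactedHost, "user") and the sample data are assumptions.

```python
from datetime import date, timedelta

# Constructed sample observations (not CloudAI data). Each record is one
# authentication or logon event with the OriginHost ("origin"),
# ImpactedHost ("impacted") and user fields the label definitions refer to.
OBSERVATIONS = [
    {"day": date(2024, 5, 1), "kind": "Internal Authentication",
     "origin": "ws-017", "impacted": "fs-01", "user": "alice"},
    {"day": date(2024, 5, 2), "kind": "Internal Authentication",
     "origin": "ws-022", "impacted": "fs-01", "user": "bob"},
    {"day": date(2024, 5, 3), "kind": "External Authentication",
     "origin": "fs-01", "impacted": "saas-portal", "user": "bob"},
    {"day": date(2024, 5, 3), "kind": "Local Authentication",
     "origin": "ws-017", "impacted": "ws-017", "user": "alice"},
    {"day": date(2024, 5, 4), "kind": "Interactive Logon",
     "origin": "ws-017", "impacted": "ws-017", "user": "alice"},
    {"day": date(2024, 5, 5), "kind": "Service Logon",
     "origin": "fs-01", "impacted": "fs-01", "user": "svc-backup"},
    {"day": date(2024, 5, 5), "kind": "Account Management",
     "origin": "dc-01", "impacted": "dc-01", "user": "alice"},
]
TODAY = date(2024, 5, 6)  # constructed "current" date for the example

# (label, observation kind, roles the asset may play), following the table.
ROLE_RULES = [
    ("Originates Internal Authentications", "Internal Authentication", ("origin",)),
    ("Receives Internal Authentications", "Internal Authentication", ("impacted",)),
    ("Local Authentications", "Local Authentication", ("origin", "impacted")),
    ("Originates External Authentications", "External Authentication", ("origin",)),
    ("Receives External Authentications", "External Authentication", ("impacted",)),
    ("Interactive Logons", "Interactive Logon", ("user", "impacted")),
    ("Service Logons", "Service Logon", ("user", "impacted")),
    ("Privileged Activity", "Account Management", ("user", "impacted")),
]


def label_asset(asset, observations, today, window_days=30):
    """Return the set of labels for `asset` (a host or identity name) derived
    from observations in the last `window_days` days. An asset with no
    relevant data in the window gets no labels, matching the persistence rule."""
    start = today - timedelta(days=window_days)
    recent = [o for o in observations if start < o["day"] <= today]
    labels = set()
    for label, kind, roles in ROLE_RULES:
        if any(o["kind"] == kind and any(o[r] == asset for r in roles) for o in recent):
            labels.add(label)
    # Shared Asset: the asset is the ImpactedHost for more than one distinct user.
    if len({o["user"] for o in recent if o["impacted"] == asset}) > 1:
        labels.add("Shared Asset")
    return labels
```

Running label_asset("fs-01", OBSERVATIONS, TODAY) yields the file server's four labels, while the same call with a date 30 days later returns no labels because its observations have aged out of the window.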


CloudAI Labels based on NetMon data

Customers who have NetMon available in their environment are able to view additional labels in CloudAI Lab asset views. The NetMon data augments the CloudAI analysis and provides additional context about application family types associated with asset interactions.

The Labels that leverage NetMon data are:

  • Database server
  • Database client
  • File server
  • File server client

For example, the following asset has two labels: Database Server and Receives Internal Authentications.