Anomaly Event Timeline
The timeline provides hour-by-hour information about the anomalies observed for the selected user. An Anomaly Score (1-100) displays on each Event Card in the Threat Event Timeline.
You have the following options:
- To view the event timeline for a specific day, select a day from the Scored Date list at the top of the Event Card. By default, the Latest Scored Date is selected and shows the results from the previous processing run. Select a different Scored Date to see the results of that day's 24-hour processing run.
- To see more information about a specific event, point to the title of the Event Card (for example, Unusual Login Activity).
- To search a particular event for the user, click the Search icon on the Event Card. A search task displays in the taskbar indicating that the search is in progress. To view more information about the search, point to the search task.
User Anomaly Score
An Anomaly Score (1-100) displays on each Event Card in the Threat Event Timeline. The Event Card shows the total number of Threat Events that contribute to the Anomaly Score and lists each event below the Event Card.
The Anomaly Score is composed of 24 hours of aggregated User Event Scores, one set from each hour. No single hour is weighted above another. The Anomaly Score is based on how anomalous each of the last 24 hours is compared to the baseline activity. That is, anomalous activity today is considered part of your baseline activity tomorrow, and will change your score insofar as it is now part of your baseline. However, most of the baseline days do not have anomalous activity, so the baseline will not change significantly. For more detailed information on User Anomaly Scores, see Understand User Anomaly Scores.
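The following is an added illustration of the aggregation described above (equal-weight hourly scores, and a scored day feeding into the next day's baseline); it is not CloudAI's actual scoring code, and the z-score, the 1-100 scaling, the 7-day baseline window and the sample counts are all assumptions made for the example.

```python
from statistics import mean, pstdev

# Constructed sample data: hourly counts of one feature (say, failed authentications)
# per day. Seven quiet days, a spike day (hours 02-04), a quiet day, then the same
# spike again. None of this is CloudAI's real scoring; the z-score, the scaling and
# the 7-day baseline window are assumptions for illustration only.
QUIET = [2] * 24
SPIKE = [30 if h in (2, 3, 4) else 2 for h in range(24)]
HISTORY = [QUIET] * 7 + [SPIKE, QUIET, SPIKE]
BASELINE_DAYS = 7  # assumed baseline window length

def hour_event_score(observed, baseline_values):
    """Score one hour's count against the same hour across the baseline days.
    Returns 1..100; a higher value means the observation was less likely under the baseline."""
    mu = mean(baseline_values)
    sigma = pstdev(baseline_values) or 1.0   # flat baseline: avoid dividing by zero
    z = max(0.0, (observed - mu) / sigma)    # only excess activity counts as anomalous here
    return max(1, min(100, round(z * 20)))   # assumed scaling: z >= 5 saturates at 100

def daily_anomaly_score(day, baseline_days):
    """Equal-weight aggregate of the 24 hourly scores: no hour is weighted above another."""
    hour_scores = [hour_event_score(day[h], [d[h] for d in baseline_days]) for h in range(24)]
    return round(mean(hour_scores)), hour_scores

def rolling_scores(history, window=BASELINE_DAYS):
    """Score each day against the `window` days before it, so a day that has been
    scored becomes part of the baseline for the days that follow it."""
    return [daily_anomaly_score(history[i], history[i - window:i])[0]
            for i in range(window, len(history))]

if __name__ == "__main__":
    # The first spike scores 13, the quiet day after it 1, and the repeated spike
    # only 7: the first spike is now in the baseline, so the same activity looks
    # less unusual. One spike across three hours stays modest because all 24 hours
    # carry equal weight in the daily score.
    print(rolling_scores(HISTORY))
```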
Behavior Models
The following Behavior Models contribute to a User's Anomaly Score and Event Scores.
Behavior Model | Description |
---|---|
Authentication Classification | Derived from the number and type of authentication events across all impacted hosts. Behavior Model Anomaly Score is a composite of several different recognized authentication-related events, including recognition of new and unique Common Events, changes in Common Events over a given time, the number of successful and failed authentications on all impacted hosts, and the percentage of failed authentications on all impacted hosts. |
Impacted Host | Derived from data pertaining to impacted hosts during the Scored Period. Behavior Model Anomaly Score is a composite of several different recognized events occurring on impacted hosts, including authentication attempts to unfamiliar hosts, the number of connections and standard deviation of the number of connections, the total number of impacted hosts to which the user tried to connect or authenticate, and the maximum number of connections to impacted hosts. |
Login Time | Derived from authentication behavior observed in each hour of the day during the Scored Period. The model anomaly score is a composite of authentication activity at the specific hour. |
Origin Host | Derived from the data pertaining to origin hosts during the Scored Period. Behavior Model Anomaly Score is a composite of several different recognized events occurring from origin hosts, including the total number of distinct origin hosts not previously observed in the Baseline Period from which the user tried to authenticate, the total number of distinct origin hosts from which the user tried to authenticate, the total and average number of connections from all origin hosts, and the maximum number of authentication attempts from single origin hosts. |
Origin Location | Derived from data pertaining to geographic origin. Behavior Model Anomaly Score is a composite of several different recognized events relating to the geographic location of origin hosts, including the average distance and standard deviation distance (in miles) between observed origin locations, the number of geographic locations and unique geographic origin locations not previously observed in the Baseline Period to which the user attempted to authenticate, and the maximum and total distance (in miles) between observed geographic locations. |
Peer Group | Indicates a deviation in a user's activity when compared to the activity of their peer group. This includes unusual authentication classification, unusual origin location, no peer activity, unusual origin host activity, unusual impacted host activity, and unusual login time activity. |
Behavior Features
For each Behavior Model there are Behavior Features that contribute to a user's Anomaly Score. Point to the feature title in the Threat Event Timeline for a detailed description of the observed Behavior Feature. The associated score indicates how much the event differed from the expected behavior.
Event Scores
CloudAI evaluates features as part of its behavior models. Each behavior model has multiple features that are evaluated on a per-hour basis for each user. The result of this calculation is represented by Event Scores. The Event Score Cards only display Event Scores exceeding a dynamic threshold; the threshold is intended to adapt and improve over time. The expected value shown on the Event Card reflects the deviation measured by these models, and a higher Event Score indicates that, according to the models, the observed event was less likely to take place.
Event Scores and User Anomaly Scores are calculated four times daily (00:00, 06:00, 12:00, and 18:00 UTC). The User Anomaly Score is calculated as a single score for the 24-hour period, while Event Scores are calculated for each hour. The Event Scores and User Anomaly Score are written to the anomaly.log file on the SIEM.
Within an hour, all events that fall under the same Behavior Model must receive the same score. Event Scores from different Behavior Models are independent from one another and likely differ from each other even for the same expected and observed counts.