Creating a Behavior profile

  • Updated
In this article:

    This reference article details the specifics in creating a behavior profile. Creating a behavior profile involves three stages:

    1. Defining the model attributes – UDM fields – the model will train on

    2. Selecting the model type and

    3. Defining the data aggregation type and alerting condition

    Defining the Model Attributes

    1. From the Signal detection menu under configurations, select create new->behavior profile. This opens up the profile creation wizard.

    Screenshot_2023-03-22_at_3.21.23_PM.png

    2. In the profile creation wizard

      1. Provide a model name and description

      2. Follow it with selecting +Add fields under Dimensions. This will list all the UDM fields, including the custom fields you’ve created in the UDM to handle custom logs.

    Screenshot_2023-03-22_at_1.10.56_PM.png

    3. In the field selector, search for the UDM field or traverse through the UDM structure on the left to find the field and add it to your model as a data source to train.

    Screenshot_2023-03-22_at_3.14.34_PM.png

    Data sources

    The data sources behavior model can train is not limited to specific fields. A model can be created on any of the default or custom fields that has been created in UDM.

    Cardinality and model efficacy

    While creating a behavior profile, it is important to keep track of cardinality – the unique combination of rows for the selected UDM fields.

    A behavior model with high number of UDM fields will result in high cardinality. This will affect a model’s performance and efficacy – true positivity.

    Though there are no limit on the number of UDM fields a can train on, the best practice is to limit the number of UDM fields to less than 5.

    Filters enable you to define what set of data the model should train on. For example, if you want data for the selected attributes to be for a specific geo location, you can specify the location UDM filed and its value as a condition in filter.

    Selecting the model type

    Resolution Intelligence Cloud currently supports four behavior models. Select the behavior model apt to your use case. The example shown in the screen shows Deviation in volume as the model.

    Defining the data aggregation and alerting condition

    1. To profile a behavior, Resolution Intelligence Cloud aggregates past 30 days of data either Daily, Weekly, Hour of the day, or Day of the week.

      1. Daily looks at the past 30 days of data to baseline a daily behavior

      2. Weekly aggregates a week's activity for the last four weeks to profile what is a normal weekly behavior

      3. Day of the week profiles behavior for each day of the week – Monday, Tuesday, and so on – and compares a day’s behavior against the behavior of the same day of the week in the past

      4. Hour of the day aggregates activity hourly to profile behavior for every hour -- 9 to 10, 10 to 11, and so on

    Screenshot_2023-03-22_at_4.16.36_PM.png

    2. To define alerting conditions on the model, specify the degree of deviation from the baseline that you consider to be anomalous. For example, a value of 0.5 implies a 0.5 standard deviation from the learned behavior.
    Defining alerting condition this way allows you to monitor and tune the model for the right deviation that require your attention.
    Higher than baseline / Lower than baseline allows you track deviations in either direction, above or below, or both. For example, setting a standard deviation of 0.5 with both above and below deviation enabled would trigger an alert for any deviation between -0.5 and 0.5 from the baseline.

    Related articles

    Comments

    0 comments

    Please sign in to leave a comment.