| Analytical type | Description |
|---|---|
| Deviation in Count | Identifies deviation in the number of occurrences of an activity |
| Deviation in Volume | Tracks deviation in transaction volume for any numeric field in the log source |
| First occurrence of an event | Detects the first occurrence of any event or activity |
| Rare occurrence of an event | Compares an event's frequency to past behavior |
Deviation in Count
Detect unusual peaks and troughs of any activity in your environment with Deviation in Count. For example: sign-in failure rates abnormally higher than usual, access to an unusual number of resources in an environment, or an unusual number of files modified by a user.
For each combination of values of the selected UDM fields, the model generates a baseline behavior.
Deviation in Volume
Deviation in Volume spots anomalous transaction volume in your environment, for example a sudden spike in data uploaded from a host. This model requires a numeric field to establish a baseline and a string field to attribute the activity.
For the defined aggregation window, you can choose whether the model should profile the numeric field (the Metric name field in the screenshot) by maximum, minimum, average, or sum.
First occurrence of an event
First occurrence detects activities that have not been observed in your environment before, for example a service account accessing a database for the first time. The first occurrence model learns normal behavior for any entity or any UDM field in the log source to track deviations.
Rare occurrence of an event
Rare occurrence learns past behavior for the selected combination of UDM fields to distinguish rare behavior from repeated behavior. Repeating an activity that is currently considered rare will eventually cause the model to learn it and no longer flag it as rare.
Note: the Rare occurrence model also detects the first occurrence of a combination of UDM fields. To track first occurrences precisely, with their own priorities and tactics, create a First occurrence model.
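The following is an added example, not Chronicle's own code, that shows what the four analytical types above compute when run over a small constructed set of UDM-like events. The field names (`user`, `resource`, `bytes`), the per-day aggregation window, the z-score style threshold with a minimum of three baseline windows, and the sample events are all assumptions made for the demo; the point is to show how the count and volume baselines are built per combination of selected fields, how max/min/avg/sum change what a volume model sees, and why the rare occurrence model also surfaces first occurrences.

```python
"""Added illustration (not Chronicle's own code) of the four analytical types:
Deviation in Count, Deviation in Volume, First occurrence and Rare occurrence.
Each event dict stands in for a UDM record; "day" is the aggregation window,
"user"/"resource" stand in for string fields such as principal.user.userid and
target.resource.name, and "bytes" for a numeric field such as network.sent_bytes.
Thresholds and sample data are assumptions constructed for the demo."""
from collections import defaultdict
from statistics import mean, pstdev

AGG = {"sum": sum, "max": max, "min": min, "avg": mean}


def make_events():
    """Constructed sample log: five baseline days, then day 6 under evaluation."""
    ev = []
    for day in range(1, 6):
        ev += [dict(day=day, user="alice", resource="db1", bytes=1000)] * 10
        ev += [dict(day=day, user="bob", resource="db1", bytes=1000)] * 5
    ev.append(dict(day=2, user="carol", resource="db1", bytes=1000))        # seen once before
    ev += [dict(day=6, user="alice", resource="db1", bytes=1000)] * 40      # count spike
    ev += [dict(day=6, user="bob", resource="db1", bytes=50000)] * 5        # volume spike
    ev.append(dict(day=6, user="svc-backup", resource="db2", bytes=1000))   # never seen before
    ev.append(dict(day=6, user="carol", resource="db1", bytes=1000))        # rare
    return ev


def key_of(event, fields):
    """The combination of selected UDM field values the model baselines on."""
    return tuple(event[f] for f in fields)


def profile(events, fields, metric=None, agg="sum"):
    """Per (field combination, window): the event count when metric is None,
    otherwise the chosen aggregate (max/min/avg/sum) of the numeric metric."""
    buckets = defaultdict(list)
    for e in events:
        buckets[(key_of(e, fields), e["day"])].append(1 if metric is None else e[metric])
    return {k: (len(v) if metric is None else AGG[agg](v)) for k, v in buckets.items()}


def deviations(events, fields, window, metric=None, agg="sum", k=3.0, min_windows=3):
    """Deviation in Count (metric=None) or Deviation in Volume (metric set):
    flag a combination whose value in `window` lies more than k standard
    deviations from its own baseline over earlier windows.
    Returns {combination: (observed, baseline_mean)}."""
    prof = profile(events, fields, metric, agg)
    history = defaultdict(list)
    for (key, day), val in prof.items():
        if day < window:
            history[key].append(val)
    flagged = {}
    for (key, day), val in prof.items():
        if day != window or len(history[key]) < min_windows:
            continue  # not enough baseline to judge (assumed minimum)
        mu = mean(history[key])
        sigma = max(pstdev(history[key]), 1.0)  # floor so a flat baseline does not flag tiny jitter
        if abs(val - mu) > k * sigma:           # peaks and troughs both count
            flagged[key] = (val, mu)
    return flagged


def first_occurrences(events, fields, window):
    """First occurrence: combinations active in `window` never seen in earlier windows."""
    seen_before = {key_of(e, fields) for e in events if e["day"] < window}
    current = {key_of(e, fields) for e in events if e["day"] == window}
    return current - seen_before


def rare_occurrences(events, fields, window, max_windows=1):
    """Rare occurrence: combinations active in `window` seen in at most
    max_windows earlier windows. As the page notes, this also returns
    combinations with zero earlier windows (first occurrences); once a
    combination repeats across more windows it stops being rare."""
    days_seen = defaultdict(set)
    for e in events:
        if e["day"] < window:
            days_seen[key_of(e, fields)].add(e["day"])
    current = {key_of(e, fields) for e in events if e["day"] == window}
    return {key for key in current if len(days_seen[key]) <= max_windows}


if __name__ == "__main__":
    ev = make_events()
    print("count deviations :", deviations(ev, ("user", "resource"), 6))
    print("volume deviations:", deviations(ev, ("user",), 6, metric="bytes", agg="max"))
    print("first occurrences:", first_occurrences(ev, ("user", "resource"), 6))
    print("rare occurrences :", rare_occurrences(ev, ("user", "resource"), 6))
```

Two things worth noticing when running it: profiling `bytes` by `max` flags only bob (a few very large transfers), while profiling by `sum` also flags alice, whose volume grew only because her event count did, so the aggregate you pick decides which kind of anomaly the volume model reacts to. And `rare_occurrences` returns the service account that appeared for the first time alongside carol, which is exactly why the page recommends a separate First occurrence model when first-time activity needs its own priority and tactic.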