Resolution Intelligence Cloud supports the Behavior Analytics feature to gain insights into hidden patterns and anomalies present in complex data. Behavior Analytics uses data and analytical modeling to understand how users interact and communicate with systems.
Behavior Analytics also helps enterprises learn why potential issues occur and how to solve them effectively. By incorporating Behavior Analytics into enterprise systems, you can resolve potential issues quickly by analyzing user trends and hidden patterns.
This reference article details the specifics of creating a behavior profile. Creating a behavior profile involves three stages:
- Defining the model attributes (the UDM fields the model will train on)
- Selecting the model type
- Defining the data aggregation type and alerting condition
Defining the Model Attributes
1. Navigate to Behavior Analytics under Security from the left menu and click Create Behavior Model. A model creation wizard opens.
2. In the profile creation wizard:
- Provide a model name and description
- Then select +Add fields under Dimensions. This lists all the UDM fields, including the custom fields you have created in the UDM to handle custom logs.
3. Under Dimensions, in the field selector, search for the UDM field or traverse the UDM structure on the left to find the field, then add it to your model as a data source to train on.
- Data sources
The data sources a behavior model can train on are not limited to specific fields. A model can be created on any default or custom field that has been created in UDM.
- Cardinality and model efficacy
While creating a behavior profile, it is important to keep track of cardinality: the number of unique combinations of values for the selected UDM fields.
A behavior model with a high number of UDM fields results in high cardinality. This affects the model's performance and efficacy (its true-positive rate).
Though there is no limit on the number of UDM fields a model can train on, the best practice is to limit the number of UDM fields to fewer than 5.
Filters are conditions that define which set of data the model trains on. For example, if you want the data for the selected attributes to come from a specific geo location, specify the location field and its value as a filter condition.
Selecting the model type
Resolution Intelligence Cloud currently supports four behavior models. Select the behavior model appropriate for your use case. The example in the screenshot shows Deviation in volume as the model.
Defining the data aggregation and alerting condition
1. To profile a behavior, Resolution Intelligence Cloud aggregates the past 30 days of data either Daily, Weekly, by Hour of the day, or by Day of the week.
- Daily looks at the past 30 days of data to baseline a daily behavior
- Weekly aggregates a week's activity for the last four weeks to profile what normal weekly behavior is
- Day of the week profiles behavior for each day of the week (Monday, Tuesday, and so on) and compares a day's behavior against the behavior of the same day of the week in the past
- Hour of the day aggregates activity hourly to profile behavior for every hour (9 to 10, 10 to 11, and so on)
2. Choose one of the following conditions to compute deviation from the baseline:
- Each combination of dimensional values (for example, entity behavior) is compared with its own baseline to identify deviation: compare your model against the past models created by you.
- Each combination of dimensional values (for example, entity behavior) is compared with the baseline of its peer group: compare your model against the past models created by your peers.
3. To define alerting conditions on the model, specify the degree of deviation from the baseline that you consider anomalous. For example, a value of 0.5 implies a 0.5 standard deviation from the learned behavior.
Defining the alerting condition this way lets you monitor and tune the model for the deviations that actually require your attention.
- Higher than baseline / Lower than baseline lets you track deviations in either direction, above or below the baseline, or both. For example, setting a standard deviation of 0.5 with both above and below deviation enabled would trigger an alert for any deviation between -0.5 and 0.5 from the baseline.
- Check the box next to Generate a signal when the abnormality condition is met if you want to define the confidence level of a signal.
- Set minimum confidence level for signals lets you define how confident the model must be that an incoming signal carries an abnormality. It generally ranges from 0 to 1.
4. Add Tags for the following fields.

| Tag | Description |
|---|---|
| Tactics | Represents the "why" of an ATT&CK technique or sub-technique. Refer to this article for more information. |
| Vulnerability | A weakness, flaw, or other shortcoming in a system (infrastructure, database, or software). It can also exist in a process, a set of controls, or simply the way that something has been implemented or deployed. |
| Confidence | Denotes the percentage probability that a signal carries risk |
| Technique | Represents "how" an adversary achieves a tactical goal by performing an action. Refer to this article for more information. |
| Severity | Defines the severity of a model. Allowed values are High, Medium, and Low |
| Data Source | The location where the data being used originates from |
| Product/Vendor | The type of vendor this rule belongs to |
| Tool | The type of tool to which a model belongs |
| Logsource Type | The type of source the logs originate from |
| Threat Actor | An entity that causes a threat in the IT infrastructure |
| Custom | A special modification of an existing tag |
| False Positive Scenario | For every behavior there are a few scenarios in which the detected activity would be legitimate. Record those details here and recommend that the user baseline the expected behavior using reference lists. |
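The following added example (not product code from Resolution Intelligence Cloud) illustrates the cardinality and deviation-from-baseline concepts used above: it counts unique dimension combinations for a chosen set of UDM fields, builds a 30-day Daily baseline (and a Day of the week series), and applies a threshold in standard deviations with the Higher/Lower direction switches. The UDM field names and event counts are constructed, and the example assumes the threshold is the minimum deviation magnitude that raises an alert.

```python
import statistics
from datetime import date, timedelta

BASELINE_DAYS = 30  # the page's 30-day profiling window

# Constructed sample rows; the UDM field names are assumed for illustration.
SAMPLE_ROWS = [
    {"principal.user.userid": "alice", "principal.ip": "10.0.0.1", "target.hostname": "db1"},
    {"principal.user.userid": "alice", "principal.ip": "10.0.0.1", "target.hostname": "db2"},
    {"principal.user.userid": "bob",   "principal.ip": "10.0.0.2", "target.hostname": "db1"},
]

def cardinality(rows, fields):
    """Number of unique combinations of the selected UDM fields: the figure to keep low."""
    return len({tuple(r[f] for f in fields) for r in rows})

def daily_baseline(daily_counts):
    """Mean and standard deviation over the last 30 daily aggregates (Daily aggregation)."""
    window = daily_counts[-BASELINE_DAYS:]
    return statistics.mean(window), statistics.pstdev(window)

def day_of_week_series(dated_counts, weekday):
    """Counts for one weekday (0 = Monday) inside the 30-day window (Day of the week aggregation)."""
    return [c for d, c in dated_counts[-BASELINE_DAYS:] if d.weekday() == weekday]

def deviation(daily_counts, today):
    """Today's value expressed in standard deviations from the learned baseline."""
    mean, sd = daily_baseline(daily_counts)
    if sd == 0:  # flat baseline: any change is a maximal deviation
        return 0.0 if today == mean else (float("inf") if today > mean else float("-inf"))
    return (today - mean) / sd

def is_anomalous(daily_counts, today, threshold=0.5, higher=True, lower=True):
    """Alert when the deviation reaches the threshold in an enabled direction."""
    z = deviation(daily_counts, today)
    return (higher and z >= threshold) or (lower and z <= -threshold)

# Constructed 30-day history of daily logon counts for one dimension combination.
HISTORY = [100] * 15 + [110] * 15   # mean 105, population std dev 5
DATED_HISTORY = [(date(2024, 1, 1) + timedelta(days=i), c) for i, c in enumerate(HISTORY)]

if __name__ == "__main__":
    print(cardinality(SAMPLE_ROWS, ["principal.user.userid", "principal.ip"]))
    print(round(deviation(HISTORY, 108), 2), is_anomalous(HISTORY, 108))
    print(is_anomalous(HISTORY, 102, higher=True, lower=False))
```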