Outlier accelerates and automates the process of identifying a potential threat. It allows you to investigate and diagnose the specific entity responsible for the suspicious activity, and you can automate the follow-up by adding the identified incident as a signal. DNIF uses a data-driven approach: it identifies the patterns exhibited by the majority of the data and highlights the data points that deviate from those patterns. An outlier is an observation that deviates so much from the other observations as to arouse suspicion that it was generated by a different mechanism.
How to add an Outlier block?
- Hover over the Workbooks icon on the left navigation bar; it displays a folder-wise view of the existing workbooks in the cluster.
- Click the plus icon on the Workbook page and select Outlier Block from the list; the following screen will be displayed.
This is an independent block, i.e. its output does not depend on the result of any other block. You can add it alongside other blocks in the workbook.
- Enter the details in the fields as explained below:
| Field | Description |
|---|---|
| FIND OUTLIER IN STREAM | Select the entity for which you want to detect the outlier. |
| ON | Select the stream in which you want to detect the outlier. |
| OVER THE | Select the time range over which the outlier detection runs. |
| FEATURES | Displayed on the basis of the stream selected; add the features you need to narrow down the outlier detection. |

For each of the above features you can add a corresponding value to detect anomalies. For example, you can look for distinct asset names, average text length, count of log events, etc. Select the features and values as per your requirement.

| Field | Description |
|---|---|
| FILTER | Used to filter the features to be displayed in the grid and graph. |
| Checkbox | Used to view only anomalies. This checkbox is selected by default; uncheck it to view normal users along with anomalies. |

By default, Firewall is selected as the stream and SRCIP as the value. You can select filters as per your requirement.
- Click Run after selecting the required parameters; the outliers detected are displayed in grid and graph format.
- In the above screen, all the anomalies are displayed based on the selected features, such as $SrcIP, $UniqueDstIP, $UniqueDstPort, $TotalCount, $SumTxLen, $PercentOfActionPacket_allowed, $PercentOfActionPacket_blocked and $Prediction. These anomalies are indicated as red dots in the scatter plot, and the detected anomalies are also listed in grid format.
- The anomalies detected can be treated as a security incident, and you can raise a signal for them. To raise a signal, refer to the steps in the Create a Signal Block document.
- For more details on Workbooks, refer to Create a Workbook.
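As an added illustration (not DNIF's own code), the following Python shows the kind of per-entity scoring an Outlier block performs on a Firewall stream with SRCIP as the entity: constructed firewall log lines are aggregated per source IP into the features named above (unique destination IPs and ports, event count, total transmitted length, percentage of allowed and blocked packets) and each feature is scored with a modified z-score. The sample log lines, the median/MAD scoring, the fallback used when the MAD is zero and the 3.5 threshold are all assumptions of this example; this page does not describe DNIF's actual algorithm.

```python
"""Per-entity outlier scoring over firewall events (added example, not DNIF code)."""
from collections import defaultdict
from statistics import median


def _synth(src, n_dst, n_ports, count, blocked, txlen):
    """Constructed key=value firewall lines for one source IP (sample data, not real logs)."""
    lines = []
    for i in range(count):
        action = "blocked" if i < blocked else "allowed"
        lines.append(
            f"src={src} dst=172.16.{1 + i % n_dst}.10 dport={1000 + i % n_ports} "
            f"action={action} txlen={txlen}"
        )
    return lines


# Six ordinary hosts talking to a handful of servers, plus one host sweeping
# 30 destinations on 30 ports with every packet blocked (constructed sample).
LOG_LINES = (
    _synth("10.0.0.1", 2, 2, 4, 0, 500)
    + _synth("10.0.0.2", 3, 2, 5, 1, 500)
    + _synth("10.0.0.3", 4, 3, 6, 0, 500)
    + _synth("10.0.0.4", 3, 3, 5, 1, 500)
    + _synth("10.0.0.5", 5, 4, 7, 0, 500)
    + _synth("10.0.0.6", 4, 3, 6, 0, 500)
    + _synth("10.0.0.99", 30, 30, 30, 30, 60)
)


def parse_line(line):
    """Split a 'k=v k=v ...' line into a dict; values stay strings."""
    return dict(token.split("=", 1) for token in line.split())


def entity_features(lines):
    """Aggregate events per source IP into the features the Outlier block exposes."""
    acc = defaultdict(lambda: {"ips": set(), "ports": set(), "count": 0,
                               "txlen": 0, "allowed": 0})
    for line in lines:
        ev = parse_line(line)
        a = acc[ev["src"]]
        a["ips"].add(ev["dst"])
        a["ports"].add(ev["dport"])
        a["count"] += 1
        a["txlen"] += int(ev["txlen"])
        a["allowed"] += int(ev["action"] == "allowed")
    feats = {}
    for src, a in acc.items():
        pct_allowed = 100.0 * a["allowed"] / a["count"]
        feats[src] = {
            "UniqueDstIP": len(a["ips"]),
            "UniqueDstPort": len(a["ports"]),
            "TotalCount": a["count"],
            "SumTxLen": a["txlen"],
            "PercentOfActionPacket_allowed": pct_allowed,
            "PercentOfActionPacket_blocked": 100.0 - pct_allowed,
        }
    return feats


def robust_z(values):
    """Modified z-scores: (x - median) / (1.4826 * MAD).

    The MAD collapses to 0 when most entities share one value (e.g. 100%
    allowed), so fall back to the mean absolute deviation; a fully constant
    feature scores 0 everywhere instead of dividing by zero.
    """
    med = median(values)
    dev = [abs(v - med) for v in values]
    mad = median(dev)
    scale = 1.4826 * mad if mad > 0 else sum(dev) / len(dev)
    if scale == 0:
        return [0.0] * len(values)
    return [(v - med) / scale for v in values]


def find_outliers(feats, threshold=3.5):
    """Return {entity: {feature: z}} for entities whose |z| exceeds the threshold."""
    entities = list(feats)
    flagged = defaultdict(dict)
    for name in next(iter(feats.values())):
        zs = robust_z([feats[e][name] for e in entities])
        for entity, z in zip(entities, zs):
            if abs(z) > threshold:
                flagged[entity][name] = round(z, 2)
    return dict(flagged)


if __name__ == "__main__":
    for entity, reasons in find_outliers(entity_features(LOG_LINES)).items():
        print(entity, reasons)  # the sweeping host, with the features that flagged it
```

Only the sweeping host is reported, and the returned dictionary records which features pushed it over the threshold (unique destinations, ports, event count and the blocked/allowed percentages, but not $SumTxLen, whose value is unremarkable). Median and MAD are used rather than mean and standard deviation because a single extreme entity would otherwise inflate the baseline and hide itself; the mean-absolute-deviation fallback matters in practice, since features such as "percent allowed" are identical for most hosts and would otherwise make every small deviation look infinite.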