New Module (August 30): User and Entity Behavior Analysis
New Module Release
We've just dropped a new module: User and Entity Behavior Analysis
New Features:
1) Dashboard
- Top Risky Users
  - Users can now see risky users in descending order of risk score
  - Risk scores are colored according to their severity
- Anomalies on World Map
  - Users can now see the countries where anomalies originated from
- Anomalies Detected
  - Users can view the total number of anomalies detected
- Total Users
  - Users can view the total number of users detected
  - Limitation: the data presented is not yet filtered by space or client
- Anomaly by Severity
  - Users can view the total number of anomalies per severity
  - The data is presented as a donut chart showing the breakdown of anomalies per severity
- Users and Entities Authentication
  - Users can view the total number of failed and successful authentication attempts for the whole organization
- Anomaly Trends
  - Users can now view the total number of anomalies per day
  - The data is presented as a line chart showing the timeline and fluctuations of the daily count over the selected time range
- Recent Anomalies
  - Users can now view the recent anomalies detected by the module
2) Anomalies Page
- Anomaly by Severity
  - Users can now see the countries where anomalies originated from (same as on the dashboard)
- Top Anomaly Source IP
  - Users can now see which IPs have the most anomalies
- Anomaly by Job
  - Users can now see which job had the most anomalies detected
- Anomalies
  - Users can view the list of all anomalies detected so far
Known Issue:
- Anomaly by Job
  - There is a count discrepancy between the total shown in Anomaly by Job and the totals shown in Anomalies Detected and Anomaly by Severity.
  - The cause is that the components use different queries to retrieve the data. Anomaly by Job applies a filter that only returns documents with anomaly_score greater than 0, while the other components do not yet apply that filter and therefore also count zero-score documents.
To be supported:
- Users and Entities Page
- Dashboard "Rabbit Hole" support
Limitations
- Total Users
  - The data presented is not yet filtered by space or client
- Anomaly Trends
  - Remarks: the data only starts in August 2024 because we deactivated the jobs that had been active since the start of the year. Those jobs collected anomalies into a single index regardless of the space or client the anomaly originated from, which made retrieving filtered data difficult; we have to create separate jobs for each client to address this.
- Recent Anomalies
  - Sometimes a field expected by the backend and frontend from Elastic is not present in the document (e.g., username). The backend handles this by displaying "N/A" instead. Investigation of the root cause has not yet started.
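Added example, not the module's own code: a small Python reproduction of the count discrepancy described under Known Issue and of the "N/A" fallback described under Limitations, run over constructed sample documents. Only the anomaly_score field comes from the release notes; the job_id, source_ip and username field names, the severity bands, and the scored_anomalies_query helper are assumptions made for this illustration.

```python
"""Reproduce the Anomaly by Job count discrepancy and the "N/A" fallback.

Added example, not part of the module. Documents below are constructed; only
anomaly_score is a field name taken from the release notes.
"""
from collections import Counter

# Constructed sample documents shaped like ML anomaly records. Elastic ML also
# writes result documents with anomaly_score 0, which is what the unfiltered
# components end up counting.
ANOMALY_DOCS = [
    {"job_id": "auth_failures_client_a", "anomaly_score": 92.4, "source_ip": "203.0.113.7", "username": "alice"},
    {"job_id": "auth_failures_client_a", "anomaly_score": 0.0, "source_ip": "203.0.113.7", "username": "alice"},
    {"job_id": "rare_geo_client_b", "anomaly_score": 61.0, "source_ip": "198.51.100.2"},  # no username field
    {"job_id": "rare_geo_client_b", "anomaly_score": 0.0, "source_ip": "198.51.100.2"},
    {"job_id": "rare_geo_client_b", "anomaly_score": 12.5, "source_ip": "198.51.100.9", "username": "bob"},
    {"job_id": "data_volume_client_a", "anomaly_score": 0.0, "source_ip": "192.0.2.33", "username": None},
]

# Assumed severity bands (score floor per band), checked from highest to lowest.
SEVERITY_BANDS = (("critical", 75), ("major", 50), ("minor", 25), ("warning", 3), ("low", 0))


def severity(score):
    """Map an anomaly score to a severity band name."""
    for name, floor in SEVERITY_BANDS:
        if score >= floor:
            return name
    return "low"


def scored_only(docs):
    """The filter Anomaly by Job applies: keep only documents with anomaly_score > 0."""
    return [d for d in docs if d.get("anomaly_score", 0) > 0]


def scored_anomalies_query(agg_field):
    """Assumed Elasticsearch body that applies the same filter before a terms aggregation,
    so every component counts the same set of documents."""
    return {
        "size": 0,
        "query": {"range": {"anomaly_score": {"gt": 0}}},
        "aggs": {"by_field": {"terms": {"field": agg_field}}},
    }


def count_total(docs, filtered):
    """Anomalies Detected: with or without the anomaly_score > 0 filter."""
    return len(scored_only(docs) if filtered else docs)


def count_by_severity(docs, filtered):
    """Anomaly by Severity: per-band counts, with or without the filter."""
    src = scored_only(docs) if filtered else docs
    return dict(Counter(severity(d["anomaly_score"]) for d in src))


def count_by_job(docs):
    """Anomaly by Job: always filtered, which is why its total is lower."""
    return dict(Counter(d["job_id"] for d in scored_only(docs)))


def normalize_recent(doc, fields=("job_id", "anomaly_score", "source_ip", "username")):
    """Recent Anomalies fallback: a missing or null field is shown as "N/A"."""
    return {f: ("N/A" if doc.get(f) is None else doc[f]) for f in fields}


def discrepancy_report(docs):
    """Side-by-side totals showing where the mismatch comes from."""
    by_job = count_by_job(docs)
    return {
        "anomalies_detected_unfiltered": count_total(docs, filtered=False),
        "anomalies_detected_filtered": count_total(docs, filtered=True),
        "anomaly_by_job_total": sum(by_job.values()),
        "by_severity_unfiltered": count_by_severity(docs, filtered=False),
        "by_severity_filtered": count_by_severity(docs, filtered=True),
    }


if __name__ == "__main__":
    for key, value in discrepancy_report(ANOMALY_DOCS).items():
        print(f"{key}: {value}")
    print("recent (missing username):", normalize_recent(ANOMALY_DOCS[2]))
```

Over the six constructed documents the unfiltered total is 6 while Anomaly by Job sums to 3; applying the same `anomaly_score > 0` range filter to the total and severity queries brings all three components to 3, and the "low" band (which only contains zero-score documents here) disappears from the donut chart.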