Behavioral Analysis

Question asked by Alexey Fedorov on May 19, 2016

My current and potential customers want to have behavioral analysis. Unfortunately this mechanism is absent out of the box. Maybe somebody has EPL rules and can share them? I have a few suggestions for behavioral analysis rules:

1. If a user (IP) had X connections (success or deny - should be set in the rule) in the prior hour (day or minutes) and now the user (IP) has a deviation (up or down/both - should be set in the rule) of Y percent - alert.

2. A user (IP) has a normal activity pattern (for example, the amount of connections per day is 100 connections to the HTTP protocol, 200 connections to the HTTPS protocol, etc.). The next day the user (IP) has a deviation from the normal activity pattern of more or less/both (should be set in the rule) than 30% on one or more protocols (should be set in the rule) - alert.

3. A user (IP) has a normal activity pattern (for example, a list of countries where he had connections last week). If the user (IP) has a connection to a new country - alert.

Time slots should be floating. In rule 3 there can be a case where we collect a list of all countries where a user (IP) had connections.

If possible, we need to set a time slot for business hours and have 2 versions of the rules, for business and non-business hours.
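A plain-Python reference for the detection logic behind rules 1 to 3 (per-IP, per-protocol baseline versus current window with a percentage deviation threshold, plus the new-country check). This is an added example, not EPL and not code from the original thread; the event records and the IP 10.0.0.5 are constructed sample data, and the baseline/current windows are assumed to have been sliced from a floating window by the caller.

```python
from collections import Counter, defaultdict

# Constructed sample connection events (not real data): one record per
# connection, tagged with source user IP, protocol and destination country.
BASELINE = (
    [{"ip": "10.0.0.5", "proto": "HTTP", "country": "US"}] * 100
    + [{"ip": "10.0.0.5", "proto": "HTTPS", "country": "DE"}] * 200
)
TODAY = (
    [{"ip": "10.0.0.5", "proto": "HTTP", "country": "US"}] * 150
    + [{"ip": "10.0.0.5", "proto": "HTTPS", "country": "DE"}] * 190
    + [{"ip": "10.0.0.5", "proto": "SSH", "country": "BR"}] * 3
)


def per_ip_proto_counts(events):
    """Rule 2's 'normal activity pattern': connections per (ip, protocol)."""
    counts = defaultdict(Counter)
    for e in events:
        counts[e["ip"]][e["proto"]] += 1
    return counts


def protocol_deviation_alerts(baseline, current, pct, direction="both"):
    """Rules 1 and 2: alert when a per-protocol count in the current window
    deviates from the baseline window by more than pct percent.
    direction is 'up', 'down' or 'both'. A protocol with no baseline count
    is treated as an infinite upward deviation (new behaviour)."""
    base, now = per_ip_proto_counts(baseline), per_ip_proto_counts(current)
    alerts = []
    for ip in set(base) | set(now):
        for proto in set(base[ip]) | set(now[ip]):
            b, n = base[ip][proto], now[ip][proto]
            change = float("inf") if b == 0 else (n - b) * 100.0 / b
            if direction == "up" and change <= pct:
                continue
            if direction == "down" and change >= -pct:
                continue
            if direction == "both" and abs(change) <= pct:
                continue
            alerts.append((ip, proto, b, n, change))
    return sorted(alerts)


def new_country_alerts(history, current):
    """Rule 3: alert when an IP connects to a country absent from its history."""
    seen = defaultdict(set)
    for e in history:
        seen[e["ip"]].add(e["country"])
    return sorted({(e["ip"], e["country"]) for e in current
                   if e["country"] not in seen[e["ip"]]})
```

Business-hours versus off-hours variants (the last point in the post) would be obtained by filtering each window on the event timestamp before calling these functions and applying a separate threshold to each.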