
Threat Analytics and Response Engine Configuration


The Threat Analytics and Response Engine comes pre-installed with default settings, which include anomaly weights used for score calculations. Various anomalies found in the data, such as user session times, access protocol, executed commands, connected users, and devices, can contribute to the score calculation in distinct ways.

The Threat Analytics and Response Engine employs advanced machine learning algorithms to identify deviations from expected user and device behavior. Instead of relying on static rule-based threat detection, this system dynamically detects anomalies by statistically analyzing user and device interactions within your network environment. It's important to note that the calculated risk scores and the number of anomalies detected can vary based on system usage and network conditions. To optimize its effectiveness, it is strongly recommended to continuously monitor the system's performance and make necessary adjustments as per your specific requirements.

The configuration parameters along with their descriptions for the Threat Analytics and Response Engine are listed below:

| Parameter Key | Description | Value Range |
|---|---|---|
| User | Weight parameters used in user-based anomaly detection. These parameters are used to calculate the risk score for anomalies regarding users. | |
| host | This parameter quantifies the statistical influence of the anomaly detection algorithm on the computation of the anomaly risk score associated with host information. It requires a value within the range of 0 to 1. As this value approaches 0, the significance of host information in determining the risk score diminishes; as it approaches 1, the impact of host information on the risk score calculation intensifies. | 0-1 |
| access_protocol | This parameter quantifies the statistical influence of the anomaly detection algorithm on the computation of the anomaly risk score associated with the access protocol. It is used to detect an anomaly, especially when a connection uses a different protocol to devices with the same IP address. It requires a value within the range of 0 to 1. As this value approaches 0, the significance of access protocol information in determining the risk score diminishes; as it approaches 1, the impact of access protocol information on the risk score calculation intensifies. | 0-1 |
| client_ip | This parameter measures the statistical impact of the anomaly detection algorithm on the calculation of the anomaly risk score associated with the IP address from which the user connects. It requires a value within the range of 0 to 1. As this value approaches 0, client IP information becomes less important in determining the risk score; as it approaches 1, the influence of client IP information on the risk score calculation intensifies. | 0-1 |
| date | This parameter measures the statistical impact of the anomaly detection algorithm on the calculation of the anomaly risk score associated with session start date information. It requires a value within the range of 0 to 1. As this value approaches 0, session start date information becomes less important in determining the risk score; as it approaches 1, the influence of session start date information on the risk score calculation intensifies. | 0-1 |
| command | This parameter measures the statistical impact of the anomaly detection algorithm on the calculation of the anomaly risk score associated with commands run or operations performed within the session. It requires a value within the range of 0 to 1. As this value approaches 0, command information becomes less important in determining the risk score; as it approaches 1, the influence of command information on the risk score calculation intensifies. | 0-1 |

| Parameter Key | Description | Value Range |
|---|---|---|
| Host | Weight parameters used in device-based anomaly detection. These parameters are used to calculate the risk scores according to the connected devices. | |
| user_name | This parameter measures the statistical impact of the anomaly detection algorithm on the calculation of the anomaly risk score associated with the linked username. It requires a value within the range of 0 to 1. As this value approaches 0, username information becomes less important in determining the risk score; as it approaches 1, the influence of username information on the risk score calculation intensifies. | 0-1 |
| access_protocol | This parameter quantifies the statistical influence of the anomaly detection algorithm on the computation of the anomaly risk score associated with the access protocol. It is used to detect an anomaly, especially when a connection uses a different protocol to devices with the same IP address. It requires a value within the range of 0 to 1. As this value approaches 0, the significance of access protocol information in determining the risk score diminishes; as it approaches 1, the impact of access protocol information on the risk score calculation intensifies. | 0-1 |
| client_ip | This parameter measures the statistical impact of the anomaly detection algorithm on the calculation of the anomaly risk score associated with the IP address from which the user connects. It requires a value within the range of 0 to 1. As this value approaches 0, client IP information becomes less important in determining the risk score; as it approaches 1, the influence of client IP information on the risk score calculation intensifies. | 0-1 |
| date | This parameter measures the statistical impact of the anomaly detection algorithm on the calculation of the anomaly risk score associated with session start date information. It requires a value within the range of 0 to 1. As this value approaches 0, session start date information becomes less important in determining the risk score; as it approaches 1, the influence of session start date information on the risk score calculation intensifies. | 0-1 |
| command | This parameter measures the statistical impact of the anomaly detection algorithm on the calculation of the anomaly risk score associated with commands run or operations performed within the session. It requires a value within the range of 0 to 1. As this value approaches 0, command information becomes less important in determining the risk score; as it approaches 1, the influence of command information on the risk score calculation intensifies. | 0-1 |

| Parameter Key | Description | Default Value |
|---|---|---|
| Max_fit_size | This parameter specifies the amount of data used by the Threat Analytics and Response Engine for anomaly detection, i.e. how many historical records are retained for the detection model. Increasing the default value can improve accuracy by incorporating more data into anomaly detection, but it may lead to performance issues. It is recommended to keep the default value for optimal performance. | 100000 |
| port | Port of the Threat Analytics and Response Engine. | 5011 |
| contamination | "Contamination" indicates the proportion of records, within the data window set by Max_fit_size, that the engine expects to be statistically anomalous. Increasing this value raises the sensitivity of anomaly detection, so more anomalies are identified; decreasing it lowers sensitivity, so fewer anomalies are detected. | 0.01 |

To change the weight of anomalies:

  1. Log in to the Threat Analytics and Response Engine CLI.
  2. Navigate to the /u01/LogAnomaly/LogAnomaly/config folder.
  3. Open the config.json file with a text editor and edit the weights to fine-tune anomaly detection.
  4. Set values between 0 and 1:

```json
{
  "weightOfkeys": {
    "user": {
      "host": 0.5,
      "access_protocol": 0.05,
      "client_ip": 0.05,
      "date": 1,
      "command": 1
    },
    "host": {
      "user_name": 0.5,
      "access_protocol": 0.05,
      "client_ip": 0.05,
      "date": 1,
      "command": 1
    }
  },
  "Max_fit_size": 100000,
  "port": 5011,
  "contamination": 0.01
}
```

  5. Save the config.json file and restart the anomaly detection service:

```
# systemctl restart uba-log-anomaly
```
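A mistyped weight or contamination value is only caught when the service restarts, so it is worth checking config.json before step 5. The following script is an added example, not part of this guide or the product: it loads a constructed copy of the config.json layout shown above, validates every value against the documented ranges (weights 0-1, contamination a fraction, Max_fit_size a positive integer, a valid port), works out how many records a fit window of Max_fit_size is expected to flag at the configured contamination, and illustrates how the weights shape a score. The weighted score function is a hypothetical illustration of how per-attribute weights combine; the engine's actual scoring formula is not published on this page.

```python
import json

# Constructed copy of the config.json layout from the procedure above
# (same keys and default values as documented; not read from a live system).
SAMPLE_CONFIG_JSON = """
{
  "weightOfkeys": {
    "user": {"host": 0.5, "access_protocol": 0.05, "client_ip": 0.05, "date": 1, "command": 1},
    "host": {"user_name": 0.5, "access_protocol": 0.05, "client_ip": 0.05, "date": 1, "command": 1}
  },
  "Max_fit_size": 100000,
  "port": 5011,
  "contamination": 0.01
}
"""


def load_config(text):
    """Parse config.json text into a dict (raises ValueError on malformed JSON)."""
    return json.loads(text)


def validate_config(cfg):
    """Return a list of problems found in a parsed config dict (empty list = OK).

    Ranges follow the documentation: every weight in [0, 1], Max_fit_size a
    positive integer, port a valid TCP port, contamination a fraction in (0, 1).
    """
    problems = []
    weights = cfg.get("weightOfkeys")
    if not isinstance(weights, dict):
        return ["missing or invalid 'weightOfkeys' object"]
    for group in ("user", "host"):
        for key, value in weights.get(group, {}).items():
            # bool is a subclass of int in Python, so exclude it explicitly
            if isinstance(value, bool) or not isinstance(value, (int, float)) or not 0 <= value <= 1:
                problems.append(f"weightOfkeys.{group}.{key}={value!r} is outside 0-1")
    size = cfg.get("Max_fit_size")
    if isinstance(size, bool) or not isinstance(size, int) or size <= 0:
        problems.append(f"Max_fit_size={size!r} must be a positive integer")
    port = cfg.get("port")
    if isinstance(port, bool) or not isinstance(port, int) or not 1 <= port <= 65535:
        problems.append(f"port={port!r} must be in 1-65535")
    contamination = cfg.get("contamination")
    if isinstance(contamination, bool) or not isinstance(contamination, (int, float)) \
            or not 0 < contamination < 1:
        problems.append(f"contamination={contamination!r} must be a fraction between 0 and 1")
    return problems


def expected_anomaly_count(cfg):
    """Approximate number of records flagged per fit window: the contamination
    fraction applied to Max_fit_size (defaults: 0.01 * 100000 = 1000)."""
    return round(cfg["contamination"] * cfg["Max_fit_size"])


def weighted_risk_score(cfg, group, anomalous_keys):
    """Hypothetical illustration (assumption, not the engine's formula): sum the
    weights of the attributes flagged anomalous for a session and normalise by
    the group's total weight, so the result lies in [0, 1]. With the default
    user weights, an unusual date and command score far higher than an unusual
    access protocol, because their weights are 1 versus 0.05."""
    weights = cfg["weightOfkeys"][group]
    total = sum(weights.values())
    hit = sum(w for k, w in weights.items() if k in anomalous_keys)
    return round(hit / total, 4) if total else 0.0


if __name__ == "__main__":
    cfg = load_config(SAMPLE_CONFIG_JSON)
    print("problems:", validate_config(cfg) or "none")
    print("expected anomalies per fit window:", expected_anomaly_count(cfg))
    print("user session, odd date+command:", weighted_risk_score(cfg, "user", {"date", "command"}))
    print("user session, odd protocol only:", weighted_risk_score(cfg, "user", {"access_protocol"}))
```

Run it against the real file with `python check_config.py < /u01/LogAnomaly/LogAnomaly/config/config.json` after swapping `SAMPLE_CONFIG_JSON` for `sys.stdin.read()`; an empty problem list means the documented ranges are respected and the restart in step 5 will not reload an out-of-range weight.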