Dictionary
Calculates a dictionary of actions and connections with other objects that are characteristic of the object, so that a later event outside that dictionary can be flagged as an anomaly, such as:
- a user connects to equipment for the first time
- a VPN connection is made from an unusual country
- a user performs an account management operation for the first time
Algorithm Description
- General and temporal filters are applied to the source index data
- Each data record is brought to a common form according to the settings of the processed fields
- Unique combinations of values of the processed fields are extracted
Input Parameters
- Filter - general filter for sources (using expressions from the search command)
- Index for Results - index where the execution results are recorded
- Processed Fields - mapping of source fields to result fields:
  - Name - the name of the field in the results index
  - Index template / Field name in source - a list of index templates and the corresponding fields in them that will be extracted into the result
- Partial Update - selects the data update mode:
  - If disabled - old data is cleared on each run, and only the new values are loaded
  - If enabled - old data is preserved and enriched with the new values, accumulating historical records
- Exception Settings - defines rules for excluding data from the calculation. Clicking this option opens a modal window where you can add conditions to exclude specific objects
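The three algorithm steps above, together with the Partial Update and Exception Settings parameters, as an added worked example in Python (not the product's own code). It uses constructed sample records, an assumed normalization (trim and lower-case) standing in for "brought to a common form", a plain Python predicate standing in for the search-command filter, and a first-seen check that uses the resulting dictionary to flag a user logging on to a host for the first time. Field names, index templates and identifiers are illustrative, and UBA object resolution is left out of the result records.

```python
import fnmatch
from datetime import datetime, timezone

# Constructed sample source records (not taken from the product); field names are illustrative.
SOURCE_EVENTS = [
    {"@timestamp": "2025-03-28T09:12:00Z", "_index": "auth-2025.03.28", "user": "Smith.A", "host": "LENOVO-01"},
    {"@timestamp": "2025-03-28T10:30:00Z", "_index": "auth-2025.03.28", "user": "smith.a", "host": "lenovo-01 "},
    {"@timestamp": "2025-03-28T11:00:00Z", "_index": "auth-2025.03.28", "user": "smith.a", "host": "lenovo-07"},
    {"@timestamp": "2025-03-28T12:00:00Z", "_index": "auth-2025.03.28", "user": "svc_backup", "host": "srv-01"},
    {"@timestamp": "2025-03-28T13:00:00Z", "_index": "auth-2025.03.28", "user": "jones.b", "host": "lenovo-02", "outcome": "failure"},
    {"@timestamp": "2025-03-20T08:05:00Z", "_index": "auth-2025.03.20", "user": "smith.a", "host": "old-host"},
]

# Processed Fields: result field name -> [(index template, source field), ...]
PROCESSED_FIELDS = {
    "user": [("auth-*", "user")],
    "computer_name": [("auth-*", "host")],
}

# General settings for the run (constructed): time window, general filter, exception rules.
WINDOW_FROM = datetime(2025, 3, 28, tzinfo=timezone.utc)
WINDOW_TO = datetime(2025, 3, 30, tzinfo=timezone.utc)
GENERAL_FILTER = lambda e: e.get("outcome") != "failure"  # stands in for the search-command filter
EXCLUSIONS = [lambda c: c["user"].startswith("svc_")]     # stands in for Exception Settings


def parse_ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def normalize(value):
    """Assumed 'common form' for a processed field: trimmed, lower-cased string."""
    return str(value).strip().lower()


def to_combination(event, processed_fields):
    """Map one source record to a tuple of (result field, normalized value).
    Returns None when some processed field cannot be taken from this record."""
    combo = []
    for result_name, sources in processed_fields.items():
        for template, src_field in sources:
            if fnmatch.fnmatch(event["_index"], template) and src_field in event:
                combo.append((result_name, normalize(event[src_field])))
                break
        else:
            return None
    return tuple(combo)


def run_dictionary(events, processed_fields, time_from, time_to, general_filter=lambda e: True,
                   exclusions=(), previous=frozenset(), partial_update=False):
    """One run of the Dictionary algorithm: filter, normalize, de-duplicate, then replace or merge."""
    # Step 1: general and temporal filters
    selected = (e for e in events
                if time_from <= parse_ts(e["@timestamp"]) < time_to and general_filter(e))
    combos = set()
    for event in selected:
        # Step 2: bring the record to a common form according to the processed-field settings
        combo = to_combination(event, processed_fields)
        if combo is None or any(rule(dict(combo)) for rule in exclusions):
            continue
        # Step 3: keep each unique combination once
        combos.add(combo)
    # Partial Update: merge with the previous run's dictionary instead of replacing it
    return frozenset(combos | previous) if partial_update else frozenset(combos)


def to_result_records(combos, calculation_id, execution_id, start_time):
    """Shape each combination like a results-index record (object resolution omitted)."""
    return [
        {"_meta": {"calculation": {"id": calculation_id, "type": "dictionary"},
                   "execution": {"id": execution_id, "start_time": start_time}},
         "_calculation": dict(combo)}
        for combo in sorted(combos)
    ]


def is_first_seen(dictionary, event, processed_fields):
    """Anomaly check: the event's combination is absent from the dictionary (e.g. user on a host for the first time)."""
    combo = to_combination(event, processed_fields)
    return combo is not None and combo not in dictionary


def run_demo():
    current = run_dictionary(SOURCE_EVENTS, PROCESSED_FIELDS, WINDOW_FROM, WINDOW_TO,
                             GENERAL_FILTER, EXCLUSIONS)
    previous = frozenset({(("user", "smith.a"), ("computer_name", "old-host"))})
    merged = run_dictionary(SOURCE_EVENTS, PROCESSED_FIELDS, WINDOW_FROM, WINDOW_TO,
                            GENERAL_FILTER, EXCLUSIONS, previous=previous, partial_update=True)
    new_event = {"@timestamp": "2025-03-30T08:00:00Z", "_index": "auth-2025.03.30",
                 "user": "smith.a", "host": "LENOVO-09"}
    return {
        "current": current,
        "merged": merged,
        "records": to_result_records(current, "calc-demo", "exec-demo", "2025-03-30T00:00:00.000Z"),
        "new_host_is_anomaly": is_first_seen(current, new_event, PROCESSED_FIELDS),
    }


if __name__ == "__main__":
    import json
    result = run_demo()
    print(json.dumps(result["records"], indent=2))
    print("first-time user/host pair:", result["new_host_is_anomaly"])
```

Running the block prints the result records for the current window. Note how the update mode changes what counts as "first time": with Partial Update disabled the dictionary covers only the current window, so a pairing last seen before that window is reported again on the next run; with it enabled the baseline spans every previous run as well.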
Input Data
Input data is determined by the indices and time interval in the general settings.
Output Data
As a result of the algorithm execution, several records appear in the results index. Each record contains one of the unique combinations of values of the processed fields. The records of one run are grouped by the launch identifier _meta.execution.id.
- _meta.calculation.id - the identifier of the algorithm setting in the profiling policy
- _meta.calculation.type - the type of algorithm
- _meta.execution.start_time - the time the profiling policy was launched
- _meta.execution.id - the identifier of the profiling policy launch
- _meta.object.identity - an array of UBA object identifiers
- _meta.object.id - the technical identifier of the UBA object
- _calculation - the result of the algorithm execution (for the Dictionary algorithm, one unique combination of values of the processed fields per record)
Example of a JSON Result Object
{
  "_index": "dictionary_policy",
  "_id": "myf8iI4BcPwD44zSs6V5",
  "_score": 1,
  "_source": {
    "_meta": {
      "calculation": {
        "id": "CHTFCY4BcWd59cXv1lGV",
        "type": "dictionary"
      },
      "execution": {
        "start_time": "2025-03-29T06:54:06.000Z",
        "id": "kyf8iI4BcPwD44zSsqWw"
      },
      "object": {
        "identity": [
          "smith.a@saf.com",
          "17823671111",
          "smith.a"
        ],
        "id": "9186db972bafeafed6411ab644d0313bb1def204"
      }
    },
    "_calculation": {
      "computer_name": "Lenovo*"
    }
  }
}