Version: 5.0

Chronology

Calculates the characteristic, historically established behavior of an object over a specific period of time. The result is used to detect anomalies such as:

  • this login time is unusual for the user
  • this connection time is unusual for the user

Algorithm Description

  1. General and temporal filters are applied to the source index data
  2. Each data record is brought to a common form according to the settings of the processed fields
  3. Data is divided by unique combinations of values of the processed fields
  4. Each part of the data obtained in step 3 is divided into segments within the calculation period, and each segment is assigned an identifier
  5. The number of events is counted for each segment
  6. Statistics are calculated for all segments with the same identifier

Input Parameters

  • Filter - general filter for sources (using expressions from the search command)
  • Index for results - index where the execution results are recorded
  • Fields to be processed - mapping of source fields to result fields
  • Calculation Period - the main time range in which specific segments will be considered
  • Segments - the segment of the time interval during which metrics will be calculated

    Note: it is recommended to set the Calculation Period as a multiple of the Segment to avoid incomplete segments at the boundaries of the calculation period.

    Examples of values for the calculation period and segment: 1y (year), 1M (month), 1d (day), 1H (hour), 1m (minute), 1s (second)
  • Pass intervals without data - empty intervals are not considered in the statistics calculation
  • Exception Settings - allows you to define rules for excluding data from calculations. Clicking this option opens a modal window where you can add conditions to exclude specific objects

Processed Field Settings

  • Name - the name of the field in the results index
  • Index template / Field name in the source - a list of index templates and corresponding fields in them that will be extracted into the result

Input Data

Input data is determined by the indices and time interval in the base settings.

Output Data

As a result of the algorithm execution, several records appear in the results index. Each record contains statistics for one of the segments across all calculation periods.

  • _meta.calculation.id - the identifier of the algorithm setting in the profiling policy
  • _meta.calculation.type - the type of algorithm
  • _meta.calculation.start_time - the left boundary of the temporal filter of data sources at the time of launch
  • _meta.calculation.end_time - the right boundary of the temporal filter of data sources at the time of launch
  • _meta.execution.start_time - the time the profiling policy was launched
  • _meta.execution.id - the identifier of the profiling policy launch
  • _meta.object.identity - an array of UBA object identifiers
  • _meta.object.id - the technical identifier of the UBA object
  • _calculation.extended_stats - extended statistics for all intervals
  • _calculation.percentiles - percentiles for all intervals
  • _calculation.big_span - the size of the calculation period
  • _calculation.small_span - the size of the segment within the calculation period
  • _calculation.small_span_id - the identifier of the segment within the calculation period
  • _calculation.by_fields - combination of values of the processed fields for which statistics were calculated

Example of a JSON Result Object

{
  "_index": "uba-temporal-event-code-by-host-10m-per-hour",
  "_id": "lwCOmY4BcdU8iNUUPAhd",
  "_score": 4.820416,
  "_source": {
    "_meta": {
      "calculation": {
        "start_time": "2024-03-25T12:06:58.400Z",
        "end_time": "2024-04-01T12:06:58.400Z",
        "id": "ETf5gI4B6hVcVe8zFzxS",
        "type": "temporal"
      },
      "execution": {
        "start_time": "2024-04-01T12:06:58.380Z",
        "id": "kQCOmY4BcdU8iNUUOAhM"
      },
      "object": {
        "identity": [
          "ACME-001"
        ],
        "id": "ecac9328ce53b5405729ff983dff22a6adde6ab4"
      }
    },
    "_calculation": {
      "extended_stats": {
        "count": 169,
        "min": 0,
        "max": 1,
        "avg": 0.04142011834319527,
        "sum": 7,
        "sum_of_squares": 7,
        "variance": 0.03970449213963097,
        "variance_population": 0.03970449213963097,
        "variance_sampling": 0.03994082840236687,
        "std_deviation": 0.19925986083411523,
        "std_deviation_population": 0.19925986083411523,
        "std_deviation_sampling": 0.19985201625794738,
        "std_deviation_bounds": {
          "upper": 0.4399398400114257,
          "lower": -0.3570996033250352,
          "upper_population": 0.4399398400114257,
          "lower_population": -0.3570996033250352,
          "upper_sampling": 0.44112415085909,
          "lower_sampling": -0.3582839141726995
        }
      },
      "percentiles": {
        "values": {
          "1.0": 0,
          "5.0": 0,
          "25.0": 0,
          "50.0": 0,
          "75.0": 0,
          "95.0": 0,
          "99.0": 1
        }
      },
      "small_span": "10m",
      "big_span": "1h",
      "small_span_id": "4",
      "by_fields": {
        "action": "4723",
        "computer_name": "Lenovo V15"
      }
    }
  }
}