Time Functions

Detect events that happen at unusual times, either of the day or of the week. These functions can be used to find unusual patterns of behavior, typically associated with suspicious user activity.

  • time_of_day
  • time_of_week

Note

  • time_of_day is not aware of the difference between days, for instance work days and weekends. When modeling different days, use the time_of_week function. In general, time_of_week is more suited to modeling the behavior of people rather than machines, as people vary their behavior according to the day of the week.
  • Shorter bucket spans (e.g. 10 minutes) are recommended when performing a time_of_day or time_of_week analysis. The time of the events being modeled is not affected by the bucket span, but a shorter bucket span enables quicker alerting on unusual events.
  • Unusual events are flagged based on the previous pattern of the data, not on what we might think of as unusual based on human experience. So, if events typically occur between 3am and 5am, an event occurring at 3pm will be flagged as unusual.
  • When Daylight Saving Time starts or stops, regular events can be flagged as anomalous - this is because the actual time of the event (as measured against a UTC baseline) has indeed changed. This is treated as a step change in behavior and the new times will be learnt quickly.

time_of_day

Detects when events occur that are outside normal usage patterns, for example unusual activity in the middle of the night.

Expects daily behavior to be similar. If behavior is expected to differ on Saturdays compared to Wednesdays, then time_of_week will be more appropriate.

  • fieldName: N/A
  • byFieldName: optional
  • overFieldName: optional

Example

{ "function" : "time_of_day", "byFieldName" : "process" }
  • Models when events occur throughout a day for each process
  • Detects when an event occurs for a process that is at an unusual time in the day compared to its past behavior

time_of_week

Detects when events occur that are outside normal usage patterns, for example login events at the weekend.

  • fieldName: N/A
  • byFieldName: optional
  • overFieldName: optional

Example

{ "function" : "time_of_week", "byFieldName" : "eventcode",  "overFieldName" : "workstation" }
time_of_week by eventcode over workstation
  • Models when events occur throughout the week for each eventcode
  • Detects when a workstation event occurs at an unusual time during the week for that eventcode compared to other workstations

Detects events for a particular workstation that are outside the normal usage pattern.
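The following is an added illustration of the difference between time_of_day and time_of_week described above, and of the note that the baseline is the past data rather than human intuition. It is not the product's own code: the real functions fit a probability model over the event's time offset, whereas this stand-in uses a circular-distance check against past offsets, assumes UTC, and counts weeks from Monday 00:00.

```python
# Added illustration of what time_of_day and time_of_week model; not the
# product's own code. The real functions fit a probability model over the
# event's time offset; here a circular-distance check against past offsets
# stands in for it, with UTC weeks counted from Monday 00:00 (assumptions).
from datetime import datetime, timedelta, timezone
from typing import List

DAY = 24 * 3600
WEEK = 7 * DAY

def offset(ts: datetime, period: int) -> int:
    """Seconds into the UTC day (period=DAY) or UTC week (period=WEEK)."""
    t = ts.astimezone(timezone.utc)
    secs = t.hour * 3600 + t.minute * 60 + t.second
    return secs + t.weekday() * DAY if period == WEEK else secs

def circ_dist(a: int, b: int, period: int) -> int:
    """Shortest distance around the circle, so 23:50 sits next to 00:10."""
    d = abs(a - b) % period
    return min(d, period - d)

def is_unusual(event: datetime, history: List[datetime], period: int,
               tolerance: int = 3600) -> bool:
    """True if no past event fell within `tolerance` seconds of the same offset.
    The baseline is the past data only, not a human notion of 'office hours'."""
    e = offset(event, period)
    return all(circ_dist(e, offset(h, period), period) > tolerance for h in history)

def utc(y, m, d, hh, mm=0):
    return datetime(y, m, d, hh, mm, tzinfo=timezone.utc)

# Constructed baseline: one user logging in at 09:00 and 16:00, Mon-Fri, 2024-01-08..12.
MONDAY = utc(2024, 1, 8, 0)
HISTORY = [MONDAY + timedelta(days=d, hours=h) for d in range(5) for h in (9, 16)]

def demo() -> dict:
    """Returns (time_of_day_flag, time_of_week_flag) for three new events."""
    cases = {
        "wed_0930": utc(2024, 1, 17, 9, 30),   # ordinary weekday login
        "sat_0930": utc(2024, 1, 20, 9, 30),   # same hour, but a Saturday
        "wed_0300": utc(2024, 1, 17, 3, 0),    # middle of the night
    }
    return {k: (is_unusual(v, HISTORY, DAY), is_unusual(v, HISTORY, WEEK))
            for k, v in cases.items()}

if __name__ == "__main__":
    for name, (tod, tow) in demo().items():
        print(f"{name}: time_of_day={'unusual' if tod else 'normal'}, "
              f"time_of_week={'unusual' if tow else 'normal'}")
```

The Saturday login is normal for time_of_day but unusual for time_of_week, which is the distinction the page draws for modeling people rather than machines.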