Time Functions

Detect events that happen at unusual times, either of the day or of the week. These functions can be used to find unusual patterns of behavior, typically associated with suspicious user activity.

time_of_day [by <field1>] [over <field2>]
time_of_week [by <field1>] [over <field2>]

Note: Further configuration options are available, which are described in the Detector Configuration section:

function(field1) [by <field2>] [over <field3>] [partitionfield=<field4>] [summarycountfield=<field5>] [categorizationfield=<field6>] [excludefrequent=true] [usenull=true]

time_of_day

time_of_day by process
  • Models when events occur throughout a day for each process
  • Detects when an event occurs for a process that is at an unusual time in the day compared to its past behavior

Detects when events occur for a particular process that are outside the normal usage pattern, for example unusual activity in the middle of the night.

Expects daily behavior to be similar. If behavior is expected to differ on Saturdays compared to Wednesdays, then time_of_week will be more appropriate.

time_of_week

time_of_week by eventcode over workstation
  • Models when events occur throughout the week for each eventcode
  • Detects when a workstation event occurs at an unusual time during the week for that eventcode compared to other workstations

Detects events for a particular workstation that are outside the normal usage pattern, for example login events at the weekend.

Notes

  • time_of_day is not aware of the difference between days, for instance work days and weekends. When modeling different days, use the time_of_week function. In general, time_of_week is more suited to modeling the behavior of people rather than machines, as people vary their behavior according to the day of the week.
  • Shorter bucket spans (e.g. 10 minutes) are recommended when performing a time_of_day or time_of_week analysis. The time of the events being modeled is not affected by the bucket span, but a shorter bucket span enables quicker alerting on unusual events.
  • Unusual events are flagged based on the previous pattern of the data, not on what we might think of as unusual based on human experience. So, if events typically occur between 3am and 5am, an event occurring at 3pm will be flagged as unusual.
  • When Daylight Saving Time starts or stops, regular events can be flagged as anomalous - this is because the actual time of the event (as measured against a UTC baseline) has indeed changed. This is treated as a step change in behavior and the new times will be learnt quickly.
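
The following is an added illustration, not part of this page or of the product's own detector implementation: a simplified nearest-neighbor approximation of time_of_day and time_of_week over constructed sample events, showing why a 3pm event is flagged when the baseline is 3am-5am, and why the same Saturday 04:00 event is normal under time_of_day but unusual under time_of_week. The tolerance window and the "backup" process name are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timezone

DAY = 24 * 3600
WEEK = 7 * DAY

# Constructed sample events (UTC timestamp, process): a backup job that has
# only ever run between 03:00 and 05:00 on weekdays. Not real data.
TRAINING = [
    ("2024-03-04T03:10:00Z", "backup"),  # Monday
    ("2024-03-05T03:40:00Z", "backup"),  # Tuesday
    ("2024-03-06T04:20:00Z", "backup"),  # Wednesday
    ("2024-03-07T04:55:00Z", "backup"),  # Thursday
    ("2024-03-08T03:30:00Z", "backup"),  # Friday
]

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def offset(ts, period):
    """Seconds since midnight (period=DAY) or since Monday 00:00 (period=WEEK)."""
    dt = parse(ts)
    secs = dt.hour * 3600 + dt.minute * 60 + dt.second
    return secs if period == DAY else dt.weekday() * DAY + secs

def circular_distance(a, b, period):
    """Distance on a circle of length `period`, so 23:50 and 00:10 are 20 min apart."""
    d = abs(a - b) % period
    return min(d, period - d)

def build_baseline(events, period):
    """Per-'by' value (here: process), the offsets at which events were seen."""
    baseline = defaultdict(list)
    for ts, key in events:
        baseline[key].append(offset(ts, period))
    return baseline

def is_unusual(baseline, ts, key, period, tolerance=2 * 3600):
    """Flag if the event is farther than `tolerance` (assumed: 2h) from every
    previously seen time for that key. A never-seen key has no baseline yet."""
    seen = baseline.get(key)
    if not seen:
        return False
    nearest = min(circular_distance(offset(ts, period), s, period) for s in seen)
    return nearest > tolerance
```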
