Interpreting file activity outliers in the investigation dashboard

View file activity monitoring outliers in the Investigation Dashboard Activity Chart and Results Table (investigation dashboard must be enabled), or review the Analytic Outlier List report.

Quick Search must be enabled (grdapi enable_quick_search) to see outlier detection data in the investigation dashboard.

General workflow guidelines:

  1. Open the investigation dashboard by selecting File or from the User Interface drop-down, and clicking Enter; or by entering quick search in the search field and clicking Search for File Activity, and view the outliers in the Activity Chart. (You can change the time interval of the chart at the top of the window.) Red indicators reflect highly anomalous events requiring immediate attention. Yellow indicators represent less extreme anomalies that warrant attention as part of other or related investigations.
  2. Hover over an outlier icon to view detailed information about outliers detected during that time period.
  3. Filter the Results Table to activities or outliers that occurred during the same time period by clicking Show details.
  4. Click the outlier to open the Summary tab of the Outlier View, which shows the number of sources that had outliers during the selected time period, and the high and medium outliers.
    • Filter the data in the table either using the facets list, an individual search result, or the right-click menu.
    • Use the right-click menu in the outliers table to show related activity, show related exception, show related violations, and more.
  5. Try monitoring only privileged users to eliminate the data and improve focus.
    • You can get good insights into the patterns and usage of the privileged user activity. You might see:
      • Users that should NOT be accessing certain data.
    • Look for Time Of Day Outliers
  6. Try monitoring only sensitive objects to eliminate the data and improve focus.
    • You can get good insights into the patterns and usage of the users that access these sensitive objects. Do this, for example, by creating a Group of file servers with sensitive data. You might see unusual patterns of access to these objects.
    • Look for Time Of Day Outliers.
    • Look at which utilities (source programs) accessed these objects.
  7. Continue monitoring.
    • Alerts Setting: Set alerts for the Anomaly Hours (based on Analytic Outliers Summary report)
    • Auditing: define Review Outliers (Define Audit Process on Analytic Outliers List report) and assign to the appropriate Roles / User-Groups

The Outliers tab in the Results Table has two views:

  • Summary has one row per source per hour in which an outlier was found, with an anomaly score and one or more reasons. Note that not every outlier presented in the Summary Tab has further details in the Details tab.
  • Details is a sample of events that occurred, with one row per event with a reason and other details. For example, for high volume, the sampling presents the events with the highest score. You can configure the number of samples (rows) that appear in the Details Tab, per each outlier in the Summary tab.

This table describes the columns in both the Summary and Details views:

Column name Description Further Action
Anomaly Score Summary Tab: A calculated aggregate value based on the volume of outliers, the severity of individual events, the predicted volume of outliers for a given time of day, and other factors. For example, on a system that typically identifies 0 outliers at 1am and 5-10 outliers at 1pm during weekdays, the presence of two additional outliers (of 2 outliers at 1am or of 12 outliers at 1pm) is more significant, and weighted more heavily, than the hourly total itself. Details Tab: The anomaly score is only relevant for a high volume event. Right-click the score to open a menu with additional actions you can perform. In the Details tab the score can be 0, indicating that the individual events are not suspicious on their own, but the accumulated events in that hour are suspicious.
High volume Outlier True or False. High volume of activities of some type, for example on an object, of a DB user.  
New Outlier True or False. High volume of activities on new objects, for example an admin uncharacteristically creates a high number of new tables.  
Error Outlier True or False. High volume of errors  
Ongoing Outlier Summary view only. True or False. Event in the last few hours that was not high enough to create an outlier, but does raise suspicions. There are no specific events to view. See the Activity table, filter by the database in the facet list, at the time of the suspicious behavior.
Number of Instances Details view only. Number of times this particular event has been seen in the hour  
Server Server on which the event occurred  
OS user OS User that executed the event  
Privileged User True or False. Whether the user is privileged or not  
File Full Name Name of file on which the user executed the event  
Command Command with which the user executed the event  
Date Date on which the event occurred in the format yyyy-mm-dd  
Time Time at which the event occurred in the format hh:mm:ss