Creating a custom model

Create a custom model to measure and baseline a numeric feature for a person per hour.

Before you begin

Review the following model details for each model template:

About this task

You can create a custom model so that you can review the learned behavior and the actual data for users. If significant changes from the baseline behavior are detected, you will receive alerts that the user's risk score is raised. Examples of models you can create include: showing how much data a user downloads, how many applications a user runs, or how many emails a user sends per hour.

Attention: After you configure or modify your settings, it takes a minimum of 1 hour to ingest data, build an initial model, and see initial results for users.

Active users are monitored continuously. If a user has no activity for 28 days, the user and the user's data are removed from the model. If the user is active again, they will return as a new user.

Procedure

  1. On the navigation menu, click Admin.
  2. Click Apps > User Analytics > Machine Learning Settings.
  3. On the Machine Learning Settings page, click Create Model.
  4. On the Model Definition tab, you can select a template to populate the AQL field or you can create a custom AQL query.
  5. Click Next.
    Figure: Custom model settings screen
  6. On the General Settings tab, enter a name and description.
  7. In the Risk value of sense event field, enter the amount to increase the user's risk score when a sense event is triggered. The default value is 5.
  8. Enable the toggle to scale the risk value. When enabled, the base risk value is multiplied by a factor (range 1 - 10). This factor is determined by how much the user deviates from their expected behavior and not just that they deviated.
  9. In the Confidence interval to trigger anomaly field, enter the percentage for how confident the machine learning algorithm should be before it triggers an anomalous event. The default value is 0.95.
  10. In the Data Retention Period field, set the number of days you want to save the model data. The default value is 30.
  11. The Show graph on User Details page toggle is disabled by default. If you want to display the custom model graph on the User Details page, click the toggle.
  12. Optional: In the AQL Search Filter field, you can add an AQL filter to narrow the data that the analytic queries for in QRadar. By filtering with an AQL query, you can reduce the number of users or the types of data the analytic is analyzing. Before you save your settings, click Validate Query to launch a full AQL query in QRadar so that you can review the query and verify the results.
    Important: If you modify the AQL filter, the existing model is marked invalid and is then rebuilt. The length of time the rebuild takes depends on the amount of data that is returned by the modified filter.
    You can filter on specific log sources, network names, or reference sets that contain specific users. See the following examples:
    • REFERENCESETCONTAINS('Important People', username)
    • LOGSOURCETYPENAME(devicetype) in ('Linux OS', 'Blue Coat SG Appliance', 'Microsoft Windows Security Event Log')
    • INCIDR('172.16.0.0/12', sourceip) or INCIDR('10.0.0.0/8', sourceip) or INCIDR('192.168.0.0/16', sourceip)
    For more information, see Ariel Query Language.
  13. Click Save.
    Figure: General Settings tab for creating a model
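The following Python sketch is an added illustration of how the settings from the procedure above (sense value, confidence interval, risk scaling factor, 28-day inactivity removal) interact for a per-user, per-hour numeric feature. It is not IBM's implementation and the exact statistics QRadar UBA uses are not described on this page; the z-score baseline and the way the 1-10 factor is derived from the deviation are assumptions made for illustration.

```python
"""Illustrative model of a UBA custom analytic: hourly counts per user form a
baseline, an hour outside the configured confidence interval triggers a sense
event, and the risk increase is the base value optionally scaled 1-10 by how
far the user deviates. Assumption: this is NOT IBM's algorithm."""
from collections import defaultdict
from datetime import datetime, timedelta
import statistics
from statistics import NormalDist

SENSE_VALUE = 5       # default "Risk value of sense event"
CONFIDENCE = 0.95     # default "Confidence interval to trigger anomaly"
INACTIVE_DAYS = 28    # users with no activity for 28 days are dropped


def hourly_counts(events):
    """Bucket (username, timestamp) pairs into counts per user per hour."""
    counts = defaultdict(lambda: defaultdict(int))
    for user, ts in events:
        hour = ts.replace(minute=0, second=0, microsecond=0)
        counts[user][hour] += 1
    return counts


def score_hour(history, value, confidence=CONFIDENCE, scale=True):
    """Return the risk increase for one hour's value (0 if not anomalous),
    given that user's previous hourly counts as the learned baseline."""
    mean = statistics.mean(history)
    sd = statistics.pstdev(history) or 1.0          # avoid divide-by-zero
    z = (value - mean) / sd
    threshold = NormalDist().inv_cdf(confidence)    # one-sided upper bound
    if z <= threshold:
        return 0
    # Assumed scaling: how many "thresholds" beyond baseline, clamped 1-10.
    factor = min(10, max(1, round(z / threshold))) if scale else 1
    return SENSE_VALUE * factor


def prune_inactive(last_seen, now, days=INACTIVE_DAYS):
    """Drop users whose last activity is older than the inactivity window."""
    return {u: t for u, t in last_seen.items() if now - t < timedelta(days=days)}


if __name__ == "__main__":
    # Constructed sample: eight quiet hours, then one busy hour.
    baseline = [10, 12, 11, 9, 13, 10, 11, 12]
    print(score_hour(baseline, 12), score_hour(baseline, 30))
```

A user whose count in one hour is far above the baseline gets a larger risk increase only when the scaling toggle is enabled; with it disabled every sense event adds exactly the base value.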

Application Events

Procedure

  • Event Name: UBA : Custom Analytic Anomaly
  • senseValue = 5
  • Required configuration: System is monitoring events that have a QRadar high-level category of Application.
  • Log source types: APC UPS, Apache HTTP Server, Application Security DbProtect, Array Networks SSL VPN Access Gateways, Aruba ClearPass Policy Manager, Aruba Mobility Controller, Avaya VPN Gateway, Barracuda Web Application Firewall, Barracuda Web Filter, Blue Coat Web Security Service, BlueCat Networks Adonis, CRE System, Centrify Infrastructure Services, Check Point, Cilasoft QJRN/400, Cisco Call Manager, Cisco CatOS for Catalyst Switches, Cisco FireSIGHT Management Center, Cisco IOS, Cisco Identity Services Engine, Cisco Intrusion Prevention System (IPS), Cisco IronPort, Cisco Meraki, Cisco Nexus, Cisco PIX Firewall, Cisco Stealthwatch, Cisco Umbrella, Cisco Wireless Services Module (WiSM), Citrix Access Gateway, Citrix NetScaler, Custom Rule Engine, Cyber-Ark Vault, DG Technology MEAS, EMC VMWare, Event CRE Injected, Extreme Matrix K/N/S Series Switch, Extreme Stackable and Standalone Switches, F5 Networks BIG-IP AFM, F5 Networks BIG-IP ASM, F5 Networks BIG-IP LTM, Fidelis XPS, FireEye, Flow Classification Engine, Flow Device Type, Forcepoint Sidewinder, Forcepoint V Series, Fortinet FortiGate Security Gateway, FreeRADIUS, H3C Comware Platform, Huawei S Series Switch, HyTrust CloudControl, IBM AIX Audit, IBM AIX Server, IBM DB2, IBM DataPower, IBM Lotus Domino, IBM Proventia Network Intrusion Prevention System (IPS), IBM Resource Access Control Facility (RACF), IBM Security Directory Server, IBM Tivoli Access Manager for e-business, IBM i, IBM z/OS, ISC BIND, Imperva SecureSphere, Infoblox NIOS, Juniper Junos OS Platform, Juniper MX Series Ethernet Services Router, Juniper Networks AVT, Juniper Networks Firewall and VPN, Juniper Networks Intrusion Detection and Prevention (IDP), Juniper WirelessLAN, Kisco Information Systems SafeNet/i, Linux DHCP Server, McAfee Network Security Platform, McAfee Web Gateway, Metainfo MetaIP, Microsoft DHCP Server, Microsoft DNS Debug, Microsoft Exchange Server, Microsoft IIS, Microsoft Office 365, Microsoft Operations Manager, Microsoft Windows Security Event Log, Motorola SymbolAP, NGINX HTTP Server, Nortel Contivity VPN Switch, Nortel VPN Gateway, OS Services Qidmap, OSSEC, ObserveIT, Okta, Open LDAP Software, OpenBSD OS, Oracle BEA WebLogic, Oracle Database Listener, PostFix MailTransferAgent, ProFTPD Server, Proofpoint Enterprise Protection/Enterprise Privacy, Pulse Secure Pulse Connect Secure, RSA Authentication Manager, Radware DefensePro, SSH CryptoAuditor, Skyhigh Networks Cloud Security Platform, Solaris Operating System Authentication Messages, Solaris Operating System DHCP Logs, SonicWALL SonicOS, Sophos Astaro Security Gateway, Sophos Web Security Appliance, Squid Web Proxy, Starent Networks Home Agent (HA), Stonesoft Management Center, Sun ONE LDAP, Symantec Critical System Protection, Symantec Encryption Management Server, Symantec Endpoint Protection, TippingPoint Intrusion Prevention System (IPS), Top Layer IPS, Trend InterScan VirusWall, Trend Micro Deep Security, Universal DSM, Venustech Venusense Security Platform, Verdasys Digital Guardian, WatchGuard Fireware OS, genua genugate, iT-CUBE agileSI

SourceIP

Procedure

  • Event Name: UBA : Custom Analytic Anomaly
  • sensevalue: 5
  • Log source types: Any log source that contains a username and source IP in the events.

Destination Port

Procedure

  • Event Name: UBA : Custom Analytic Anomaly
  • sensevalue: 5
  • Log source types: Any log source that contains a username and destination port in the events.

Office File Access

Procedure

  • Event Name: UBA : Custom Analytic Anomaly
  • sensevalue: 5
  • Required configuration: System is monitoring events that have QRadar event names that include the word "file".
  • Log source type: Microsoft Office 365

AWS Access

Procedure

  • Event Name: UBA : Custom Analytic Anomaly
  • sensevalue: 5
  • Required configuration: System is monitoring events that contain QRadar event names that include the word "bucket".
  • Log source types: Amazon AWS Cloudtrail

Process

Procedure

  • Event Name: UBA : Custom Analytic Anomaly
  • sensevalue: 5
  • Required configuration: Custom event property 'Process' must exist for the desired log source type.
  • Log source types: Microsoft Windows Security Event Log; Linux OS

Website

Procedure

  • Event Name: UBA : Custom Analytic Anomaly
  • sensevalue: 5
  • Support rules: 'UBA : Browsed to Entertainment Website', 'UBA : Browsed to LifeStyle Website', 'UBA : Browsed to Business/Service Website', 'UBA : Browsed to Communications Website'
  • Required configuration: Custom event property 'Web Category' must exist for the desired log source type.
  • Log source types: Blue Coat SG Appliance, Cisco IronPort, McAfee Web Gateway, Check Point, Squid Web Proxy, Palo Alto PA Series, Forcepoint V Series, Fortinet FortiGate Security Gateway

Risky IP

Procedure

  • Event Name: UBA : Custom Analytic Anomaly
  • sensevalue: 5
  • Required configuration: Set "Enable X-Force Threat Intelligence Feed" to Yes in Admin Settings > System Settings.
  • Log source types: Any log source with events that have a user name.