Models
The Models module uses historical and current data to recognize patterns in real time and to identify deviations at an early stage.
Last updated
The AI time series compares historical data streams with current activity in real time in order to detect anomalies precisely. Through this continuous comparison the model identifies deviations early and recognizes patterns that may indicate security risks. Alerts can be tied directly to the conspicuous behaviour, which shortens your response times. The resulting insights are visualized in the SIEM cockpit, so you always have an overview of your security posture and can adjust your strategy on that basis. The AI time series thus makes your entire SIEM more proactive and efficient.
The overview lists all models created so far in a single view.
Under SIEM, switch to the "Models" module and click Add model to create a new model.
Enter a name and a short description.
Select the stream the model should work on. If you do not select a stream, the time series model is built on the count of all incoming logs, regardless of stream.
You can then optionally specify a source field name to narrow the model down to a single field of the log.
Now choose one of the available aggregators:
Average
Minimum
Maximum
Sum
Unique values
Number of values
AI analysis is enabled for the model by default. If you do not want this, untick the box.
For further settings, click "Advanced settings" in the header bar. Choose Interval to evaluate data as soon as it arrives, or Variance to have numeric fields analysed.
Define the Bucket Size, i.e. the time span over which data points are aggregated into one bucket.
Under Threshold, define the range outside of which an action is triggered. This range determines which values are treated as unusual and therefore drives the anomaly detection.
The Delay determines how long to wait after a triggering event before an analysis or action is started. This suppresses noise and one-off false alerts.
Depending on the amount of data to be ingested, creating the configured model may take some time.
Make sure your model has at least 7 days of training data. The system analyses hourly, daily and weekly patterns; with less data the forecasts are unreliable and produce frequent false alerts.
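The following Python model is an added illustration of the steps above, not the product's own implementation (this page does not describe its internals). It wires together the same knobs in the same order: a stream or source field, one of the six aggregators, a bucket size, a threshold, a delay, and the 7-day training-data check. The baseline per hour of day, the standard-deviation threshold, the reading of Delay as a number of consecutive out-of-range buckets, and the sample log data are all assumptions made here for the example.

```python
"""Added example: a minimal time-series anomaly model with the knobs of the
Models workflow (stream/field, aggregator, bucket size, threshold, delay).
Not the product's code; baseline, scoring and delay semantics are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
import statistics

# The six aggregators the module offers, as plain reducers over one bucket.
AGGREGATORS = {
    "average": statistics.fmean,
    "minimum": min,
    "maximum": max,
    "sum": sum,
    "unique_values": lambda xs: len(set(xs)),
    "number_of_values": len,
}

HOUR = timedelta(hours=1)
START = datetime(2024, 1, 1, tzinfo=timezone.utc)


def bucketize(events, bucket_size, field=None, aggregator="number_of_values"):
    """Reduce (timestamp, record) events into fixed-width buckets.
    field=None mirrors 'no source field': every event counts 1, so the model
    tracks the log volume of the stream."""
    step = bucket_size.total_seconds()
    agg = AGGREGATORS[aggregator]
    groups = defaultdict(list)
    for ts, rec in events:
        start = datetime.fromtimestamp(ts.timestamp() // step * step, tz=timezone.utc)
        if field is None:
            groups[start].append(1)
        elif field in rec:          # events without the field are ignored
            groups[start].append(rec[field])
    return {k: agg(v) for k, v in sorted(groups.items())}


def has_enough_training(series, min_days=7):
    """The 7-day rule: fewer distinct days gives too few samples per
    hour-of-day slot for a usable estimate of the normal spread."""
    return len({t.date() for t in series}) >= min_days


class TimeSeriesModel:
    """Baseline = mean and standard deviation per hour of day (daily pattern).
    A bucket is out of range when it deviates by more than `threshold`
    standard deviations; an alert fires only after `delay` consecutive
    out-of-range buckets (our reading of the Delay setting)."""

    def __init__(self, threshold=3.0, delay=1):
        self.threshold, self.delay = threshold, delay
        self.baseline = {}

    def train(self, series):
        if not has_enough_training(series):
            raise ValueError("at least 7 days of training data required")
        slots = defaultdict(list)
        for t, v in series.items():
            slots[t.hour].append(v)
        self.baseline = {h: (statistics.fmean(v), statistics.pstdev(v))
                         for h, v in slots.items()}
        return self

    def score(self, series):
        """Return (bucket_start, value, z) for every bucket that raises an alert."""
        alerts, streak = [], 0
        for t, v in sorted(series.items()):
            mean, sd = self.baseline[t.hour]
            z = (v - mean) / sd if sd else (0.0 if v == mean else float("inf"))
            streak = streak + 1 if abs(z) > self.threshold else 0
            if streak >= self.delay:
                alerts.append((t, v, round(z, 2)))
        return alerts


def make_events(start, days, extra=None):
    """Constructed sample data (not real logs): hourly volume with a
    business-hours bump and a small deterministic jitter; `extra` maps
    (day, hour) -> additional events, used to inject a spike."""
    extra = extra or {}
    events = []
    for day in range(days):
        for hour in range(24):
            base = 150 if 8 <= hour < 18 else 100
            n = base + (day * 5 + hour) % 7 - 3 + extra.get((day, hour), 0)
            slot = start + timedelta(days=day, hours=hour)
            for i in range(n):
                events.append((slot + timedelta(seconds=i * 3600 // n),
                               {"source": f"host{i % 5}"}))
    return events


def demo(delay):
    """Train on 7 constructed days, then score one day with a two-hour spike."""
    training = bucketize(make_events(START, 7), HOUR)
    model = TimeSeriesModel(threshold=3.0, delay=delay).train(training)
    live = bucketize(make_events(START + timedelta(days=7), 1,
                                 extra={(0, 14): 30, (0, 15): 30}), HOUR)
    return model.score(live)
```

Running `demo(1)` reports the spike buckets at 14:00 and 15:00; `demo(2)` reports only 15:00, because with a delay of two buckets a single out-of-range bucket is treated as noise. Training on two constructed days instead of seven makes `train` refuse the model, which is the situation the 7-day rule above guards against.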