Tracer

Machine learning models use historical and current data to recognize patterns in real time and identify deviations at an early stage.

Models

The AI time series makes it possible to compare historical data streams with current activity in real time in order to detect anomalies precisely. Through this continuous comparison, the model identifies deviations at an early stage and detects patterns that could indicate potential security risks. Alerts can be linked directly to conspicuous behavior, which significantly improves your response times. In addition, the insights gained can be clearly visualized via the SIEM cockpit, so that you always have an overview of your security situation and can make informed adjustments to your strategies. The AI time series therefore makes your entire SIEM system more proactive and more efficient.

In the overview, you will find all the models created so far collected in one view.

Add Model

Under SIEM, switch to the “Models” module and click on Add model to create a new model.

  1. Name and Description: Assign a name and a short description.

  2. Stream: The stream determines which data the model uses to perform its analysis. Click on the icon in the right corner of the field to select an event stream. Select the desired stream from the view. Use the upper tab to switch between “Managed Event Streams” and “Your Event Streams”:

    1. Managed event streams: Managed event streams are provided automatically by the system and contain preconfigured data sources, parsers, and standard fields. They serve as the basis for central analyses and models, and their structure cannot be changed. Click on a collection to display all streams in it, then select an entry.

    2. Your event streams: Custom event streams are created manually and allow individual configuration of filters, sources, and fields. They are suitable for targeted processing and analysis of specific log data for user-defined use cases. Click on one of the listed streams to select it.

  3. Add field: The source field determines which attribute within the data received by the stream is analyzed. Click “+Add Field” to add a source field to the model.

    1. Aggregator: The aggregator is the calculation method applied to the source field defined below. Select one of the options:

      1. Average: Calculates the average of all values in the source field within the defined time interval.

      2. Minimum: Determines the smallest recorded value within the interval.

      3. Maximum: Determines the largest recorded value within the interval.

      4. Sum: Adds up all values of the source field in the respective time interval.

      5. Unique values: Counts how many different values occur in the source field.

      6. Number of values: Counts the total number of entries in the source field, regardless of the value itself.

        Depending on the data type of the selected source field, not all aggregators are useful or available. Numeric fields are suitable for average or sum calculations, for example, while text fields can usually only be used for unique values or number of values.

    2. Source field name: The source field name determines which field of the selected stream the aggregation is applied to. The model evaluates this field to calculate the desired metric (e.g., count, sum, or average).

  4. Graph: The graph visualizes the chronological progression of the aggregated data points and responds in real time to changes in the configuration. Adjustments to the stream, source field, aggregator, or start and end times of the observation period are reflected immediately in the display.

  5. Advanced Settings: You will find the “Advanced Settings” button at the top right of the screen. Click on it to customize the model in more detail.

    1. Enabled: Your AI module is enabled by default. If you do not want this, simply uncheck the box.

    2. Time series progression:

      1. Bucket Size: Determines the time period over which data points are aggregated. A smaller bucket size allows for finer analysis, while larger intervals result in smoother but less detailed time series.

      2. Threshold for Anomaly Detection: Defines the quantile at which a deviation is considered an anomaly. A lower value makes the model more sensitive, while a higher value reduces false alerts.

      3. Grace Period: Determines the amount of time that elapses after an event before an analysis or action is performed. This helps to ignore short-term fluctuations and avoid false alerts.

    3. Time series variation:

      1. Bucket Size: Specifies the time intervals at which fluctuations within the time series are analyzed. Smaller intervals respond more quickly, while larger intervals smooth out the curve.

      2. Threshold for Anomaly Detection: Specifies the deviation from the expected fluctuation at which an anomaly is detected. The value is interpreted as a percentage of the calculated reference range.

      3. Grace Period: Defines how long to wait after a fluctuation is detected before triggering a new analysis or action. This filters out short-term highs or lows.

    4. Save advanced settings: Click the “Apply” button to save your configuration.

  6. Save model: After configuration, click “Add model” to save the model.

Depending on the amount of data to be ingested, it may take some time before the newly configured model is created.
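As an added example (not Tracer's own code), the following Python toy reproduces the pipeline configured in the steps above and the severity classification shown in the detail view: events from a stream are aggregated per bucket with each of the six aggregators, a cutoff is taken at a quantile of a historical reference, and a grace period drops deviations that are shorter than itself. The event stream, the events, the history values and the severity thresholds are all constructed for illustration.

```python
from collections import defaultdict
import math

# Constructed events from a hypothetical "auth-failures" event stream: an epoch-second
# timestamp ("ts") plus the source field "user". None of this is real data.
EVENTS = (
    [{"ts": 0, "user": "alice"}, {"ts": 30, "user": "bob"}, {"ts": 61, "user": "carol"},
     {"ts": 65, "user": "carol"}, {"ts": 80, "user": "dave"}, {"ts": 95, "user": "frank"},
     {"ts": 130, "user": "alice"}, {"ts": 150, "user": "bob"}, {"ts": 190, "user": "dave"}]
    + [{"ts": 240 + 10 * i, "user": "erin"} for i in range(6)]  # burst from one account
    + [{"ts": 300 + 12 * i, "user": "erin"} for i in range(5)]
    + [{"ts": 370, "user": "bob"}]
)
HISTORY = [2, 1, 2, 1, 3, 2, 1, 2]  # constructed per-bucket counts from earlier windows (reference)
AGGREGATORS = {  # the six aggregators offered for a source field
    "average": lambda vs: sum(vs) / len(vs), "minimum": min, "maximum": max,
    "sum": sum, "unique_values": lambda vs: len(set(vs)), "number_of_values": len,
}
SEVERITY = [(2.0, "Critical"), (1.0, "High"), (0.5, "Medium"), (0.25, "Low")]  # constructed

def aggregate(events, field, aggregator, bucket_size):
    """Group events into buckets of bucket_size seconds and reduce the source field per bucket."""
    buckets = defaultdict(list)
    for ev in events:
        if field in ev:
            buckets[ev["ts"] - ev["ts"] % bucket_size].append(ev[field])
    return [(start, AGGREGATORS[aggregator](vals)) for start, vals in sorted(buckets.items())]

def quantile_cutoff(history, q):
    """Nearest-rank value at quantile q (0 < q <= 1) of the historical per-bucket values."""
    vals = sorted(history)
    return vals[max(0, math.ceil(q * len(vals)) - 1)]

def detect_anomalies(series, cutoff, bucket_size, grace_period):
    """Report runs of consecutive buckets above the cutoff that last at least grace_period
    seconds; shorter runs are treated as short-term fluctuations and dropped."""
    anomalies, run = [], []
    for start, value in series + [(None, None)]:  # sentinel flushes the final run
        if value is not None and value > cutoff:
            run.append((start, value))
            continue
        if run and run[-1][0] + bucket_size - run[0][0] >= grace_period:
            score = max((val - cutoff) / cutoff for _, val in run)  # relative excess over cutoff
            severity = next((name for limit, name in SEVERITY if score >= limit), "Low")
            anomalies.append({"start": run[0][0], "end": run[-1][0] + bucket_size,
                              "score": round(score, 3), "severity": severity})
        run = []
    return anomalies
```

With a 60-second bucket, "number of values" on the "user" field shows the burst from one account while "unique values" does not, which is the practical difference between the two aggregators; a 120-second grace period then keeps only the two-bucket run and discards the single-bucket spike.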

Model Detail view

Click on a model in the overview to go to the detailed view.

In addition to general information, you will find the Graph and Anomalies tabs, which provide detailed insight into the model's findings:

Graphs

Time series progression

This view shows the progression of the monitored metric over time. The line represents the measured value, while the highlighted area indicates the confidence interval, i.e., the expected value range. Deviations outside this range are identified as potential anomalies. The label “Retrain” marks the point in time when the model was retrained to take current data patterns into account.

Click “Show details” to display additional time series for standard deviation and score:

  • Standard deviation: Shows how much individual values deviate from the expected average within a time interval. A high standard deviation indicates irregular or unusual behavior of the monitored metric.

  • Score: Represents the anomaly score that evaluates the criticality of the detected deviation. The thresholds displayed (Low, Medium, High, Critical) indicate the score value at which an anomaly is classified as relevant.

Time series variation

This view shows the variance, i.e., the fluctuation, of the monitored metric: how much the values differ from the expected average within a time interval. Here, too, the confidence interval marks the expected fluctuation range, and the retraining time signals an update of the model to improve detection accuracy.

Click on “Show details” to display additional time series for standard deviation and score:

  • Standard deviation: Shows how much individual values deviate from the expected average within a time interval. A high standard deviation indicates irregular or unusual behavior of the monitored metric.

  • Score: Represents the anomaly score that evaluates the criticality of the detected deviation. The thresholds displayed (Low, Medium, High, Critical) indicate the score value at which an anomaly is classified as relevant.

Anomalies

The Anomalies tab lists all deviations detected by the Tracer model that fall outside the expected value range. Each anomaly contains information on severity, source, and start and end time of the detected deviation.

  • Severity: Indicates the classification of the anomaly (e.g., Low, Medium, High, Critical). This is based on the calculated anomaly score and the thresholds defined in the model. Click on the filter icon next to the specified severity to filter for entries with the same severity.

  • Source: Specifies the analysis area (e.g., time series variation or time series progression) in which the deviation was detected.

  • Start date/end date: Specify the exact time period during which the anomaly occurred.

Edit Model

Click on a model in the overview to go to the detailed view.

In the top menu bar, you can adjust the advanced settings and the start and end times for your model. Follow these instructions:

Advanced Settings

You will find the “Advanced Settings” button at the top right of the screen. Click on it to customize the model in more detail.

  1. Enabled: Your AI module is enabled by default. If you do not want this, simply uncheck the box.

  2. Time series progression:

    1. Bucket Size: Determines the time period over which data points are aggregated. A smaller bucket size allows for finer analysis, while larger intervals result in smoother but less detailed time series.

    2. Threshold for Anomaly Detection: Defines the quantile at which a deviation is considered an anomaly. A lower value makes the model more sensitive, while a higher value reduces false alerts.

    3. Grace Period: Determines the amount of time that elapses after an event before an analysis or action is performed. This helps to ignore short-term fluctuations and avoid false alerts.

  3. Time series variation:

    1. Bucket Size: Specifies the time intervals at which fluctuations within the time series are analyzed. Smaller intervals respond more quickly, while larger intervals smooth out the curve.

    2. Threshold for Anomaly Detection: Specifies the deviation from the expected fluctuation at which an anomaly is detected. The value is interpreted as a percentage of the calculated reference range.

    3. Grace Period: Defines how long to wait after a fluctuation is detected before triggering a new analysis or action. This filters out short-term highs or lows.

  4. Save advanced settings: Click the “Apply” button to save your configuration.

Start and end period

Clicking on the “Start period” or “End period” button opens a window for manually selecting the analysis period. Here you can specify the period over which the underlying data is to be viewed or calculated.

  1. Relative period: A relative time period refers dynamically to the current time, e.g., last 24 hours or last 7 days. The time period under consideration shifts automatically as time progresses.

    1. Enter a number and then specify the unit of the time period.

      1. Click on the arrow icon to choose from the available options:

        1. Seconds ago

        2. Minutes ago

        3. Hours ago

        4. Days ago

        5. Weeks ago

  2. Templates: Use the templates to select a relative time period from the options:

    1. 1 day ago

    2. 7 days ago

    3. 14 days ago

    4. 30 days ago

  3. Absolute time period: An absolute period is defined precisely, e.g., from October 1, 2025, to the current date. It remains unchanged and always refers to exactly this period.

    1. Calendar:

      1. Use the arrows to navigate through the months and years.

      2. Then click on the desired date.

      3. Time:

        1. Click on the “Time” button. A time selection window opens.

        2. Click on the digital hour or minute display to switch between the two; the clock shown then sets either the hour or the minute.

        3. Click on the desired hour or minute on the clock shown.

        4. Then click Apply to save the configuration for your model.
