milimodern.blogg.se

Baseline data creator

A difficult question we come across with many customers is 'what does normal look like for my network?'. There are many reasons why monitoring for changes in network behaviour is important, such as flagging potential security risks or predicting potential outages. It can often be hard to define baseline behaviour or performance KPIs for a given network metric, especially if your organisation has just seen major changes to a service such as a shift to working from home. Here we will present a few methods for developing baseline thresholds. Hopefully you have had a chance to read the first part of this blog series, which focussed on understanding your network.

In this second instalment we will continue to use the Coburg Intrusion Detection Data Sets (CIDDS) to determine baseline behaviour for one of the nodes we identified as critical in the first half of this series.

Let's take the IP address 192.168.220.15 that we identified as a critical node on our network using graph analytics. The issue we have is that we don't know what normal looks like for this source IP. Starting with a time chart, we can view the total number of flows sent from this IP address in each five-minute window with the following search:

    | tstats sum(Flows) as sum_flows WHERE (index=cidds "Src IP Addr"=192.168.220.15) BY _time span=5m

It is important to note that this chart has been plotted against a log scale: there is a high degree of variance in the number of flows, and the baseline behaviour is much easier to see on this scale. We can see from the visual that there is a pattern of activity during weekdays and weekends, with increases during the daytime on a weekday and limited activity over weekends. There is also a period of complete inactivity, which would normally suggest a maintenance window for this server or network device. In reality this is a gap in the CIDDS data caused by a power cut at Coburg University over a few days when they were generating the data!

We're now going to look at three techniques for generating a baseline for this behaviour, which increase in complexity as we progress through the blog. The first approach is described in more detail in a separate blog post. Essentially we use the average number of flows and the standard deviation of that number, computed separately for each hour of the day on weekdays and on weekends, to derive a boundary range around the time chart; any point that sits outside the range is flagged as an outlier:

    | tstats sum(Flows) as sum_flows WHERE (index=cidds "Src IP Addr"=192.168.220.15) BY _time span=5m
    | eval HourOfDay=strftime(_time, "%H"), DayOfWeek=strftime(_time, "%A")
    | eval Weekday=if(DayOfWeek="Saturday" OR DayOfWeek="Sunday","No","Yes")
    | eventstats avg("sum_flows") as avg_f stdev("sum_flows") as stdev by "HourOfDay", "Weekday"
    | eval lower_bound=(avg_f-stdev*exact(3)), upper_bound=(avg_f+stdev*exact(3))
    | eval isOutlier=if(sum_flows<lower_bound OR sum_flows>upper_bound, 1, 0)
    | table _time sum_flows lower_bound upper_bound isOutlier

As can be seen from the results, this search generates a light blue range that represents the expected number of flows from this IP address at a given hour of the day, with separate expectations for weekdays and weekends. In other words, we have a baseline for what is 'normal' for this data, and any five-minute window with isOutlier=1 falls outside it. Two properties of this search are worth keeping in mind. First, eventstats computes the average and standard deviation over the same data it scores, so a sustained anomaly inflates the bounds of its own hour-of-day bucket and partially masks itself; a single short spike is still caught because one point barely moves a mean over many samples. Second, tstats only emits rows for spans that contain events, so the power-cut gap is absent from the results rather than recorded as zero flows; if you zero-fill missing spans before eventstats, those zeros will drag the averages down and widen the standard deviation.
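To make the behaviour of the search concrete, here is a plain-Python re-implementation of the same tstats, eval and eventstats pipeline. It is an added example and not code from the original article or from Splunk; the flow records it uses are constructed (two weeks of five-minute windows for 192.168.220.15, one whole missing day standing in for the power-cut gap, and one injected spike of 5,000 flows), and only the field names "Src IP Addr" and "Flows" follow the CIDDS data used in the post. The host 192.168.220.16 and all flow counts are hypothetical.

```python
"""
Hour-of-day / weekday baseline with 3-sigma bounds, mirroring the Splunk search
in the post. Added example, not code from the original article: it re-implements
the tstats -> eval -> eventstats -> eval pipeline in plain Python so the logic
can be checked offline. The flow records below are constructed; only the field
names ("Src IP Addr", "Flows") are taken from the CIDDS data used in the post.
"""
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean, stdev

SPAN = 300          # tstats ... BY _time span=5m
SIGMA = 3.0         # stdev*exact(3)


def bucket(ts):
    """Floor a POSIX timestamp to its 5-minute span, as tstats span=5m does."""
    return ts - ts % SPAN


def sum_flows_per_span(records, src_ip):
    """| tstats sum(Flows) as sum_flows WHERE "Src IP Addr"=src_ip BY _time span=5m
    Spans with no matching records produce no row (absent, not zero)."""
    totals = defaultdict(int)
    for r in records:
        if r["Src IP Addr"] == src_ip:
            totals[bucket(r["_time"])] += r["Flows"]
    return dict(totals)


def features(ts):
    """| eval HourOfDay=strftime(_time,"%H"), DayOfWeek=strftime(_time,"%A")
       | eval Weekday=if(DayOfWeek="Saturday" OR DayOfWeek="Sunday","No","Yes")"""
    dt = datetime.fromtimestamp(ts, tz=timezone.utc)
    weekday = "No" if dt.strftime("%A") in ("Saturday", "Sunday") else "Yes"
    return dt.strftime("%H"), weekday


def baseline(series, k=SIGMA):
    """| eventstats avg(sum_flows) as avg_f stdev(sum_flows) as stdev by HourOfDay, Weekday
       | eval lower_bound=avg_f-stdev*k, upper_bound=avg_f+stdev*k
       | eval isOutlier=if(sum_flows<lower_bound OR sum_flows>upper_bound, 1, 0)
    As with eventstats, a group's statistics include the point being scored."""
    groups = defaultdict(list)
    for ts, v in series.items():
        groups[features(ts)].append(v)
    stats = {}
    for key, vals in groups.items():
        # Splunk stdev() is the sample standard deviation; a single sample gives 0,
        # which collapses the band to the mean and can never flag anything.
        stats[key] = (mean(vals), stdev(vals) if len(vals) > 1 else 0.0)
    rows = {}
    for ts, v in series.items():
        avg_f, sd = stats[features(ts)]
        lo, hi = avg_f - k * sd, avg_f + k * sd
        rows[ts] = {"sum_flows": v, "lower_bound": lo, "upper_bound": hi,
                    "isOutlier": 1 if (v < lo or v > hi) else 0}
    return rows


# ---- constructed sample data (hypothetical values, not CIDDS records) ----
SRC_IP = "192.168.220.15"
START = int(datetime(2017, 3, 6, tzinfo=timezone.utc).timestamp())   # a Monday
DAYS = 14
GAP_DAY = 7                                   # whole day missing, like the power cut
SPIKE_TS = START + 9 * 86400 + 14 * 3600      # Wednesday of week 2, 14:00 UTC
SPIKE_FLOWS = 5000


def typical_flows(ts):
    """Busy weekday office hours, quiet nights, near-idle weekends, small jitter."""
    hour, weekday = features(ts)
    base = 10 if weekday == "No" else (200 if 8 <= int(hour) < 18 else 20)
    return base + (ts // SPAN) % 5


def constructed_records():
    recs = []
    for i in range(DAYS * 86400 // SPAN):
        ts = START + i * SPAN
        if (ts - START) // 86400 == GAP_DAY:
            continue                              # no records at all during the gap
        total = SPIKE_FLOWS if ts == SPIKE_TS else typical_flows(ts)
        # two records per span so the sum() is actually exercised
        recs.append({"_time": ts, "Src IP Addr": SRC_IP, "Flows": total // 2})
        recs.append({"_time": ts + 60, "Src IP Addr": SRC_IP, "Flows": total - total // 2})
        # traffic from another (hypothetical) host, which the WHERE clause filters out
        recs.append({"_time": ts, "Src IP Addr": "192.168.220.16", "Flows": 999})
    return recs


def run():
    """Return (sum_flows series, scored rows, sorted outlier timestamps)."""
    series = sum_flows_per_span(constructed_records(), SRC_IP)
    rows = baseline(series)
    outliers = sorted(ts for ts, r in rows.items() if r["isOutlier"])
    return series, rows, outliers


if __name__ == "__main__":
    series, rows, outliers = run()
    for ts in outliers:
        r = rows[ts]
        print(datetime.fromtimestamp(ts, tz=timezone.utc), r["sum_flows"],
              round(r["lower_bound"], 1), round(r["upper_bound"], 1))
```

Running it prints a single outlier, the injected 14:00 spike, even though that spike is part of the data the 14:00 weekday statistics are computed from: 107 ordinary samples keep the mean near 250 and the 3-sigma upper bound near 1,600, well below 5,000. The missing day produces no rows at all, so it neither appears as an outlier nor pulls the weekday averages towards zero.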