Gurucul Studio Guide

The Gurucul Risk Analytics (GRA) Studio Guide provides detailed instructions for configuring and updating machine learning models using the Gurucul Studio interface. It outlines the steps for model configuration, including selecting entities, resources, and templates, as well as visualizing results and managing case notifications. The guide also includes descriptions of various model templates and their use cases for anomaly detection and analysis.

Gurucul Risk Analytics

GRA Studio Guide

GURUCUL | 222 N PACIFIC COAST HWY, #1310, EL SEGUNDO CA 90245 | 213.373.4878 | [email protected] | WWW.GURUCUL.COM |
Copyright © 2023 Gurucul. All rights reserved. Gurucul, the Gurucul Logo, are
trademarks or registered trademarks of Gurucul or its affiliates in the U.S.A and other
countries. Other names may be trademarks of their respective owners.

THIS PUBLICATION IS PROVIDED “AS IS” AND ALL EXPRESS OR IMPLIED CONDITIONS,
REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE
DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY
INVALID. GURUCUL SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL
DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS
PUBLICATION. THE INFORMATION CONTAINED HEREIN IS SUBJECT TO CHANGE WITHOUT
NOTICE.

No part of the contents of this document may be reproduced or transmitted in any form or by any means without the written permission of the publisher.

Gurucul
222 North Pacific Coast Highway
Suite 1310
El Segundo, CA 90245
Phone: (213) 259-8472
Email: [email protected]

Preface
Overview
The GRA Studio Guide documents the step-by-step procedure for configuring a new model or updating existing models. It also describes in detail the key model templates along with their configuration and margin information.

Contents
1. Introduction ... 1
2. Model Configuration Steps ... 2
3. Studio Templates ... 7
3.1 Frequency Analysis ... 7
3.2 Frequency Analysis for Discrete Feature Data ... 9
3.3 Outlier Frequency Analysis ... 11
3.4 Outlier Frequency Analysis for Discrete Feature Data ... 13
3.5 Outlier Volume Analysis ... 15
3.6 Sensitivity based Frequency Analysis ... 17
3.7 Cross-spectrum Time Series Analysis ... 19
3.8 Identity Profile Link Analysis using Text Mining ... 21
3.9 Novelty Outlier Detection Analysis ... 23
3.10 Novelty Detection Analysis ... 25
3.11 Feature Data Link Analysis using Text Mining ... 27
3.12 Cross-spectrum Interrupted Time Series Analysis Across Days ... 29

1. Introduction
Gurucul Studio enables customers to create machine learning models without coding and with
minimal knowledge of data science. The feature provides a step-by-step graphical interface to
select attributes, train models, create baselines, set prediction thresholds, and define feedback
loops.

2. Model Configuration Steps
GRA provides the capability to configure models on a canvas. The Studio canvas enables users to configure or update anomaly models that can be scheduled for ongoing analysis.
To enable a model within the Gurucul Studio environment, follow the steps given below:
1. Navigate to GRA Web UI > Studio > Add Canvas > Model.
2. The Entity and Resource tiles appear on the canvas.
3. To configure the entity, click the Entity tile.
4. Select the appropriate entity from the Select Entity fly-out.
5. To configure the resource, click the Resource tile.
6. Select the appropriate resource for which the model is to be run from the Select Resource fly-out.
7. To view the list of fields that can be configured, click Data. The options available are:
   • Users
   • Accounts
   • Peer Groups
   • Resource Groups
   • Roles
   • Role Entitlements
   • Resource Entitlements
   • SOD
   • Resource Attributes
8. To configure models, click Models. GRA has classified the OOB models into different classifiers.
9. On clicking Models, the Classifiers section appears. To view the list of models in a classifier, click that classifier.
10. Select the appropriate model category from the list, then select the model template you want to leverage based on the use case.
11. The Create New Behavior Model fly-out appears. The fields displayed for each model are based on the model definition.
12. Complete the fields and click Add.


Once a model is configured, the Enable, Clone, Preview, Execute Model and Findings options appear on the top bar. The Enable toggle button allows you to enable and disable the model. Clone allows you to clone an existing configured model. Preview gives a preview of the results of the model on a specific date. Individual models can be executed by clicking the Execute Model button. The Findings button allows you to view the execution history of the model. These options are applicable only to a select few models; for the others, an appropriate message is displayed.
13. To configure users, select Users from Data.
14. Click the Users tile. You can configure users by selecting specific users, specifying user policies, selecting all users, or selecting a specific saved query. For more details on configuring users, refer to the Additional Information section below.

Additional Information
• For more information on the Configuring Users section, see the information below:
  o Select Users allows you to define conditions on the user attributes (including feed attributes). On selecting this option, the Define Condition section appears. Select the appropriate attribute from the User Attribute drop-down list; the selected attribute is used to set the condition. Select the appropriate condition from the Condition drop-down list. Enter a value in the Attribute Value field. Click Search. The matching results are displayed in the results section below the Define Condition section. Select the appropriate users. Once you select the users, the Add Selected button appears next to Search in the Define Condition section. Click Add Selected and then Save.
  o Select User Criteria allows you to set multiple conditions on the user attributes (including feed attributes). On selecting this option, the Define Condition section appears. Select the appropriate attribute from the User Attribute drop-down list; the selected attribute is used to set the condition. Select the appropriate condition from the Condition drop-down list. Enter a value in the Attribute Value field. Click Save. To set multiple conditions, click the Add Condition button.
  o All Users displays the list of all available users. Click Save to add all the users.
  o Select Query allows you to select users based on the OOB queries or a query already saved in the Investigate Users tab. Select the specific query from the Load Query fly-out. The query gets selected and appears below. Click Save to add the selection. To remove the selection, click Remove.

15. Click Visualize to select the visualization method used to display the results once the model is run. For models that support configuring a baseline period, you can also configure a "Distribution Bar Chart". All the properties of a Bar Chart apply to the Distribution Bar Chart except for the X axis and the sorting order: the X axis attribute defaults to event day and is not editable, and the sorting order option is not shown at all.
For all visualizations except Tree Map, the Aggregate Function, Sort Direction and Unit Format capabilities are provided.

16. On clicking Cases, two options appear: Case Notifications and Case Assignments. On running the model, anomalies are detected and cases are generated. For more details on Case Notifications and Case Assignments, refer to the Additional Information section below.

Additional Information
• For more information on the Case Notifications section, see the information below:
  o Case Notifications send email notification alerts to specific individuals other than the case owner/assignees, at case creation only. An email notification is sent separately for each anomaly in the case.
  o Select Case Notification to configure the fields.
  o Select the email recipient from the Recipient List. Specify the email address of any additional recipients in the Additional Email field.
  o Click Configure.
• For more information on the Case Assignments section, see the information below:
  o Case assignment emails (per anomaly) are sent to the assignees configured in Case Assignments. To add case assignees, select Case Assignments.
  o Select the assignee type and the assignee from the respective drop-down lists.
  o Click Assign.
Once the model is run and anomalies are caught, case notification and case assignment emails are sent to the respective users.

3. Studio Templates
This section lists the most common Out of the Box (OOB) model templates along with their categories, descriptions, configuration details, and use cases.

After configuring the model template, add the User Selection Criteria by navigating to GRA Web UI > Studio > Data > Users and selecting the list of users applicable to the model.

3.1 Frequency Analysis
Category: Frequency Analysis
Template Description: An anomaly is flagged if the count of the target attribute for the event day has met the margin in combination with the filter criteria for a user.
The table below describes the template configuration details:

| Model Parameters | Description |
| --- | --- |
| Resource Name | Name of the resource/data source. |
| Target Attributes | Count of attribute(s) that should be considered during analysis. |
| Join Attributes | Attribute based on which analysis will pivot. (Default value: userid) |
| Margin | Threshold, Threshold Count Operator, Threshold Condition. |
| Feature Attributes | Attribute(s) that should or should not be included in the analytics. |
| Feature Data | Value(s) for Feature Attribute combination(s). |
| Feature Criteria | Criteria for Feature Attribute/Value combination(s). |
| Global Operator | Global Operator if any feature attributes are populated. (Default: and) |
| Analytical Features | Attribute(s) to dynamically populate in the Investigation tab. |
| Profile Attributes | Attribute(s) to dynamically populate as tabular view in the Investigation tab. |
| Model Riskscore | Risk score for the model. |

Use Cases
• Potential Account Misuse: Disabled Account
• Terminated Users: Network Activity Detected
• Terminated DLP Activity
• Suspicious Departing User: DLP Activities

Sample Configuration

3.2 Frequency Analysis for Discrete Feature Data
Category: Frequency Analysis
Template Description: An anomaly is flagged if the distinct count of the target attribute for the event day has met the margin in combination with the filter criteria (if any) for a user.
The table below describes the template configuration details:

| Model Parameters | Description |
| --- | --- |
| Resource Name | Name of the resource/data source. |
| Target Attributes | Count of attribute(s) that should be considered during analysis. |
| Join Attributes | Attribute based on which analysis will pivot. (Default value: userid) |
| Margin | Threshold, Distinct Count Attribute Operator, Threshold Condition. |
| Feature Attributes | Attribute(s) that should or should not be included in the analytics. |
| Feature Data | Value(s) for Feature Attribute combination(s). |
| Feature Criteria | Criteria for Feature Attribute/Value combination(s). |
| Global Operator | Global Operator if any feature attributes are populated. (Default: and) |
| Analytical Features | Attribute(s) to dynamically populate in the Investigation tab. |
| Profile Attributes | Attribute(s) to dynamically populate as tabular view in the Investigation tab. |
| Model Riskscore | Risk score for the model. |

Use Cases
• Potential Account Compromise: Geo-Location & Multiple Machines
• Potential Account Sharing - Account access from Different Machines

Sample Configuration

3.3 Outlier Frequency Analysis
Category: Outlier Analysis
Template Description:
• An anomaly is flagged if the count of the target attribute for the event day has met the margin, including the last X days of the training period, in combination with the filter criteria (if any) for a user.
• A user with no historic behavior is flagged if the margin conditions are met.
The table below describes the template configuration details:

| Model Parameters | Description |
| --- | --- |
| Resource Name | Name of the resource/data source. |
| Target Attributes | Count of attribute(s) that should be considered during analysis. |
| Join Attributes | Attribute based on which analysis will pivot. (Default value: userid) |
| Margin | Threshold, Count Attribute Operator, Day Range, Minimum Days of activities present for user, Standard Deviation Factor. |
| Feature Attributes | Attribute(s) that should or should not be included in the analytics (separated by $$$). |
| Feature Data | Value(s) for Feature Attribute combination(s) (separated by $$$; multiple values separated by :::). |
| Feature Criteria | Criteria for Feature Attribute/Value combination(s) (separated by $$$). |
| Global Operator | Global Operator if any feature attributes are populated. (Default: and) |
| Analytical Features | Attribute(s) to dynamically populate in the Investigation tab. |
| Profile Attributes | Attribute(s) to dynamically populate as tabular view in the Investigation tab. |
| Model Riskscore | Risk score for the model. |

Use Cases
• Potential Flight Risk: Unusual Visits to Job Sites
• AWS - Spike in Create Security Group Activity
• Outlier Badge Access for Sensitive Locations

Sample Configuration

3.4 Outlier Frequency Analysis for Discrete Feature Data
Category: Outlier Analysis
Template Description:
• An anomaly is flagged if the distinct count of the target attribute for the event day has met the margin, including the last X days of the training period, in combination with the filter criteria (if any) for a user.
• A user with no historic behavior is flagged if the margin conditions are met.
The table below describes the template configuration details:

| Model Parameters | Description |
| --- | --- |
| Resource Name | Name of the resource/data source. |
| Target Attributes | Distinct count of attribute(s) that should be considered during analysis. |
| Join Attributes | Attribute based on which analysis will pivot. (Default value: userid) |
| Margin | Threshold, Distinct Count Attribute Operator, Day Range, Minimum Days of activities present for user, Standard Deviation Factor. |
| Feature Attributes | Attribute(s) that should or should not be included in the analytics (separated by $$$). |
| Feature Data | Value(s) for Feature Attribute combination(s) (separated by $$$; multiple values separated by :::). |
| Feature Criteria | Criteria for Feature Attribute/Value combination(s) (separated by $$$). |
| Global Operator | Global Operator if any feature attributes are populated. (Default: and) |
| Analytical Features | Attribute(s) to dynamically populate in the Investigation tab. |
| Profile Attributes | Attribute(s) to dynamically populate as tabular view in the Investigation tab. |
| Model Riskscore | Risk score for the model. |

Use Cases
• SharePoint - Unusual volume of folder downloads by departing user
• Abnormal Number of databases Altered or Updated
• Unusual Number of Documents Accessed

Sample Configuration

3.5 Outlier Volume Analysis
Category: Outlier Analysis
Template Description:
• An anomaly is flagged if the summation of the target attribute for the event date has met the margin, including the last X days of the training period, in combination with the filter criteria (if any) for a user.
• A user with no historic behavior is flagged if the margin conditions are met.
The table below describes the template configuration details:

| Model Parameters | Description |
| --- | --- |
| Resource Name | Name of the resource/data source. |
| Target Attributes | Summation of attribute(s) that should be considered during analysis. |
| Join Attributes | Attribute based on which analysis will pivot. (Default value: userid) |
| Margin | Threshold, Condition, Day Range, Minimum Days of activities present for user, Standard Deviation Factor. |
| Feature Attributes | Attribute(s) that should or should not be included in the analytics (separated by $$$). |
| Feature Data | Value(s) for Feature Attribute combination(s) (separated by $$$; multiple values separated by :::). |
| Feature Criteria | Criteria for Feature Attribute/Value combination(s) (separated by $$$). |
| Global Operator | Global Operator if any feature attributes are populated. (Default: and) |
| Analytical Features | Attribute(s) to dynamically populate in the Investigation tab. |
| Profile Attributes | Attribute(s) to dynamically populate as tabular view in the Investigation tab. |
| Model Riskscore | Risk score for the model. |

Use Cases
• Abnormal Behavior - Excessive Uploads to public email sites
• Unusual Amount of Invoice or PO Requested
• Unusual Uploads to Cloud Storage
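As an added example (not Gurucul's code or the Studio engine), the following Python script runs the outlier analysis of sections 3.3 and 3.5 over constructed events: it parses the $$$ and ::: separated Feature Attributes/Data/Criteria, applies the Global Operator, and compares the event-day count (or, for Outlier Volume Analysis, the sum) against the Margin threshold and against the last Day Range days. The criteria values 'in' and 'not in', the baseline rule (mean plus Standard Deviation Factor times the standard deviation of the training days) and the reading of 'Minimum Days of activities present' as the history a user needs before a baseline is used are all assumptions, since the page does not define them.

```python
"""Added example (not Gurucul's code): Outlier Frequency / Outlier Volume
analysis over constructed events, using the template parameters above."""
from collections import defaultdict
from datetime import date, timedelta
from statistics import mean, pstdev

# Count Attribute Operator / Condition values; the page does not list them (assumption).
OPERATORS = {">": lambda a, b: a > b, ">=": lambda a, b: a >= b, "=": lambda a, b: a == b,
             "<": lambda a, b: a < b, "<=": lambda a, b: a <= b}


def parse_feature_filter(feature_attributes, feature_data, feature_criteria):
    """Split the $$$-separated Feature Attributes/Data/Criteria strings into
    (attribute, {values}, criteria) triples. Values of one attribute are ::: separated.
    Criteria values 'in' / 'not in' are assumed; the page does not list them."""
    if not feature_attributes:
        return []
    attrs = [a.strip() for a in feature_attributes.split("$$$")]
    data = [{v.strip() for v in d.split(":::")} for d in feature_data.split("$$$")]
    crits = [c.strip().lower() for c in feature_criteria.split("$$$")]
    if not len(attrs) == len(data) == len(crits):
        raise ValueError("Feature Attributes, Feature Data and Feature Criteria must align")
    for crit in crits:
        if crit not in ("in", "not in"):
            raise ValueError(f"unsupported feature criteria {crit!r}")
    return list(zip(attrs, data, crits))


def event_matches(event, filters, global_operator="and"):
    """Evaluate every filter on one event and combine the results with the Global Operator."""
    if not filters:
        return True
    hits = [(str(event.get(attr, "")) in values) == (crit == "in")
            for attr, values, crit in filters]
    return all(hits) if global_operator.lower() == "and" else any(hits)


def outlier_analysis(events, event_day, target_attr, join_attr, margin, filters,
                     global_operator="and", aggregate="count"):
    """Return {join value: (event-day value, baseline limit, reason)} for flagged entities.
    aggregate='count' is Outlier Frequency Analysis, 'sum' is Outlier Volume Analysis.
    margin keys: threshold, operator, day_range, min_days, std_factor."""
    per_day = defaultdict(lambda: defaultdict(float))  # join value -> day -> aggregate
    for ev in events:
        if ev.get(target_attr) is None or not event_matches(ev, filters, global_operator):
            continue
        per_day[ev[join_attr]][ev["event_day"]] += 1 if aggregate == "count" else float(ev[target_attr])
    training = [event_day - timedelta(days=i) for i in range(1, margin["day_range"] + 1)]
    flagged = {}
    for entity, days in per_day.items():
        today = days.get(event_day, 0.0)
        if not OPERATORS[margin["operator"]](today, margin["threshold"]):
            continue  # margin not met: never flagged, history or not
        history = [days[d] for d in training if d in days]  # only days with activity (assumption)
        if len(history) < margin["min_days"]:
            flagged[entity] = (today, None, "no historic behavior")
            continue
        limit = mean(history) + margin["std_factor"] * pstdev(history)
        if today > limit:
            flagged[entity] = (today, round(limit, 2), "exceeds baseline")
    return flagged


EVENT_DAY = date(2023, 5, 10)


def _ev(user, day, action="upload", dest="external"):
    return {"userid": user, "event_day": day, "action": action, "dest": dest, "fileid": "doc"}


def build_events():
    """Constructed sample events (no real data): DLP-style upload records per user."""
    events = []
    for i in range(1, 8):                                    # alice: 2 uploads on each of the last 7 days
        events += [_ev("alice", EVENT_DAY - timedelta(days=i))] * 2
    events += [_ev("alice", EVENT_DAY)] * 9                  # ... and 9 on the event day
    for i, n in zip((1, 2, 3), (8, 10, 9)):                  # bob: busy baseline, 3 days of history
        events += [_ev("bob", EVENT_DAY - timedelta(days=i))] * n
    events += [_ev("bob", EVENT_DAY)] * 6                    # ... quieter than his own baseline today
    events += [_ev("carol", EVENT_DAY)] * 7                  # carol: no history at all
    events += [_ev("carol", EVENT_DAY, action="view")] * 4   # excluded by the 'in' filter
    events += [_ev("dave", EVENT_DAY)] * 3                   # dave: below the threshold
    events += [_ev("dave", EVENT_DAY, dest="internal")] * 5  # excluded by the 'not in' filter
    return events


def run_demo():
    filters = parse_feature_filter("action$$$dest", "upload:::share$$$internal", "in$$$not in")
    margin = {"threshold": 5, "operator": ">=", "day_range": 7, "min_days": 3, "std_factor": 2.0}
    return outlier_analysis(build_events(), EVENT_DAY, "fileid", "userid", margin, filters)


if __name__ == "__main__":
    for user, (value, limit, reason) in sorted(run_demo().items()):
        print(f"{user}: event-day count={value:g} baseline limit={limit} -> {reason}")
```

Only alice (far above her own baseline) and carol (no history, threshold met) are flagged; bob meets the threshold but stays inside his baseline, and dave never reaches it once the filtered events are dropped.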

Sample Configuration

3.6 Sensitivity based Frequency Analysis
Category: Frequency Analysis
Template Description: An anomaly is flagged if the count of the target attribute for the event date has met the dynamically generated margin in combination with the filter criteria (if any) for a user.
The table below describes the template configuration details:

| Model Parameters | Description |
| --- | --- |
| Resource Name | Name of the resource/data source. |
| Target Attributes | Count of attribute(s) that should be considered during analysis. |
| Join Attributes | Attribute based on which analysis will pivot. (Default value: userid) |
| Margin | Threshold Percentile, Threshold Condition, Min or Max value. |
| Feature Attributes | Attribute(s) that should or should not be included in the analytics (separated by $$$). |
| Feature Data | Value(s) for Feature Attribute combination(s) (separated by $$$; multiple values separated by :::). |
| Feature Criteria | Criteria for Feature Attribute/Value combination(s) (separated by $$$). |
| Global Operator | Global Operator if any feature attributes are populated. (Default: and) |
| Analytical Features | Attribute(s) to dynamically populate in the Investigation tab. |
| Profile Attributes | Attribute(s) to dynamically populate as tabular view in the Investigation tab. |
| Model Riskscore | Risk score for the model. |

Use Cases
• Robotic pattern - unusual number of failed logins
• Unauthorized audit logs modification

Sample Configuration

3.7 Cross-spectrum Time Series Analysis
Category: Time Series Analysis
Template Description: An anomaly is flagged if the filter criteria for resource 1 followed by the filter criteria for resource 2 are met for a user on the same event date.
The table below describes the template configuration details:

| Model Parameters | Description |
| --- | --- |
| Resource Name 1 | Name of the resource/data source. |
| Feature Attributes | Attribute(s) that should or should not be included in the analytics (separated by $$$). |
| Feature Data | Value(s) for Feature Attribute combination(s) (separated by $$$; multiple values separated by :::). |
| Feature Criteria | Criteria for Feature Attribute/Value combination(s) (separated by $$$). |
| Global Operator | Global Operator if any feature attributes are populated. (Default: and) |
| Resource Name 2 | Name of the resource/data source. |
| Feature Attributes | Attribute(s) that should or should not be included in the analytics (separated by $$$). |
| Feature Data | Value(s) for Feature Attribute combination(s) (separated by $$$; multiple values separated by :::). |
| Feature Criteria | Criteria for Feature Attribute/Value combination(s) (separated by $$$). |
| Global Operator | Global Operator if any feature attributes are populated. (Default: and) |
| Analytical Features | Attribute(s) to dynamically populate in the Investigation tab. |
| Profile Attributes | Attribute(s) to dynamically populate as tabular view in the Investigation tab. |
| Model Riskscore | Risk score for the model. |

Use Cases
• Remote Activity After Physical Access in Different Location
• Physical Access Detected During Vanguard Leaves

Sample Configuration

3.8 Identity Profile Link Analysis using Text Mining
Category: Link Analysis
Template Description: An anomaly is flagged if the target attribute matches a certain combination of first name and/or last name, in combination with the filter criteria for a user.
The table below describes the template configuration details:

| Model Parameters | Description |
| --- | --- |
| Resource Name | Name of the resource/data source. |
| Target attribute | Attribute compared against the first and last name from identity data. |
| Feature Attributes | Attribute(s) that should or should not be included in the analytics (separated by $$$). |
| Feature Data | Value(s) for Feature Attribute combination(s) (separated by $$$; multiple values separated by :::). |
| Feature Criteria | Criteria for Feature Attribute/Value combination(s) (separated by $$$). |
| Global Operator | Global Operator if any feature attributes are populated. (Default: and) |
| Pattern | Pattern selection to be compared with the first name and last name from identities. (FirstNameAndLastNameMatch / FirstNameOrLastNameMatch / FirstNameAndLastNameMatchOrFirstNameOrLastNameMatchReplacedMatch / FirstNameOrLastNameMatchOrFirstNameOrLastNameMatchReplacedMatch / FirstNameAndLastNameSubstringMatch,SubstringNumber / FirstNameOrLastNameSubstringMatch,SubstringNumber) |
| Analytical Features | Attribute(s) to dynamically populate in the Investigation tab. |
| Profile Attributes | Attribute(s) to dynamically populate as tabular view in the Investigation tab. |
| Model Riskscore | Risk score for the model. |

Use Cases
• Potential Data Exfiltration - Self Email: DLP Network
• Unauthorized self-privilege escalation - User Context

Sample Configuration

3.9 Novelty Outlier Detection Analysis
Category: Outlier Analysis
Template Description: An anomaly is flagged if the count of the target attribute has met the margin, in combination with the filter criteria for a user, as compared to the last X days.
The table below describes the template configuration details:

| Model Parameters | Description |
| --- | --- |
| Resource Name | Name of the resource/data source. |
| Target Attributes | Count of attribute(s) that should be considered during analysis. |
| Join Attributes | Attribute based on which analysis will pivot. (Default value: userid), Condition for initial filters (Optional: in cs/not in cs) |
| Margin | Day Range, Threshold, Count Attribute Operator, Minimum Days of activities present for the resource, Day Range to consider for initial filter. |
| Feature Attributes | Attribute(s) that should or should not be included in the analytics (separated by $$$). |
| Feature Data | Value(s) for Feature Attribute combination(s) (separated by $$$; multiple values separated by :::). |
| Feature Criteria | Criteria for Feature Attribute/Value combination(s) (separated by $$$). |
| Global Operator | Global Operator if any feature attributes are populated. (Default: and) |
| Pre-Feature Attributes | Attribute(s) for group by attributes (used for whitelisting). |
| Pre-Feature Data | Value(s) for Pre-Feature Attribute combination for group by attributes (used for whitelisting). |
| Pre-Feature Criteria | Criteria for Pre-Feature Attribute/Value combination for group by attributes (used for whitelisting). |
| Analytical Features | Attribute(s) to dynamically populate in the Investigation tab. |
| Profile Attributes | Attribute(s) to dynamically populate as tabular view in the Investigation tab. |
| Model Riskscore | Risk score for the model. |

Use Cases
• Rare Patient Records Accessed
• Varonis - PGA: Rare file uploaded

Sample Configuration

3.10 Novelty Detection Analysis
Category: Outlier Analysis
Template Description: An anomaly is flagged if an attribute value has never been accessed in the last X days for the user.
The table below describes the template configuration details:

| Model Parameters | Description |
| --- | --- |
| Resource Name | Name of the resource/data source. |
| Target Attributes | Attribute based on which analysis will pivot. |
| Join Attributes | Target Attribute Condition (in cs/not in cs/in cis/not in cis). |
| Feature Attributes | Attribute(s) that should or should not be included in the analytics (separated by $$$). |
| Feature Data | Value(s) for Feature Attribute combination(s) (separated by $$$; multiple values separated by :::). |
| Feature Criteria | Criteria for Feature Attribute/Value combination(s) (separated by $$$). |
| Global Operator | Global Operator if any feature attributes are populated. (Default: and) |
| Margin | Minimum Event Day Threshold, Day Range Threshold for historical analysis, Initial filter day range (optional). |
| Pre-Feature Attributes | Attribute(s) for group by attributes (used for whitelisting). |
| Pre-Feature Data | Value(s) for Pre-Feature Attribute combination for group by attributes (used for whitelisting). |
| Pre-Feature Criteria | Criteria for Pre-Feature Attribute/Value combination for group by attributes (used for whitelisting). |
| Analytical Features | Attribute(s) to dynamically populate in the Investigation tab. |
| Profile Attributes | Attribute(s) to dynamically populate as tabular view in the Investigation tab. |
| Model Riskscore | Risk score for the model. |

Use Cases
• Rare Document Accessed - Per User
• Varonis - Unusual file uploads
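As an added example (not Gurucul's code), this Python script implements the Novelty Detection Analysis above over constructed patient-record accesses, in the spirit of the 'Rare Patient Records Accessed' use case: a value seen on the event day but absent from the user's previous Day Range days is flagged, after pre-feature whitelisting has dropped matching events. Assumptions: the Minimum Event Day Threshold is read as the number of distinct history days a user needs before novelty is judged, the 'cs'/'cis' condition as case-sensitive/case-insensitive comparison, and the whitelist as one attribute with a set of values.

```python
"""Added example (not Gurucul's code): Novelty Detection Analysis over
constructed patient-record accesses."""
from collections import defaultdict
from datetime import date, timedelta


def novelty_detection(events, event_day, user_attr, target_attr, margin,
                      condition="in cs", whitelist=None):
    """Return {user: sorted novel values}: target values seen on event_day that never
    appeared for that user in the previous margin['day_range'] days.
    margin['min_event_days']: distinct history days a user needs before novelty is judged
    (assumed reading of 'Minimum Event Day Threshold').
    condition: 'in cs' compares values as-is, 'in cis' case-insensitively (assumption).
    whitelist: optional (attribute, {values}) pair; matching events are dropped first
    (assumed form of the Pre-Feature Attributes/Data/Criteria whitelisting)."""
    normalize = (lambda v: str(v).lower()) if condition.endswith("cis") else str
    first_day = event_day - timedelta(days=margin["day_range"])
    seen_before, history_days, seen_today = defaultdict(set), defaultdict(set), defaultdict(set)
    for ev in events:
        if whitelist and str(ev.get(whitelist[0], "")) in whitelist[1]:
            continue  # whitelisted group: excluded from both history and the event day
        user, value, day = ev[user_attr], normalize(ev[target_attr]), ev["event_day"]
        if day == event_day:
            seen_today[user].add(value)
        elif first_day <= day < event_day:
            seen_before[user].add(value)
            history_days[user].add(day)
    flagged = {}
    for user, values in seen_today.items():
        if len(history_days[user]) < margin["min_event_days"]:
            continue  # too little history: every value would look novel
        novel = values - seen_before[user]
        if novel:
            flagged[user] = sorted(novel)
    return flagged


EVENT_DAY = date(2023, 5, 10)


def _ev(user, days_ago, record, dept="ward"):
    return {"userid": user, "event_day": EVENT_DAY - timedelta(days=days_ago),
            "patient_record": record, "dept": dept}


def build_events():
    """Constructed sample events (no real data)."""
    events = []
    for d in range(1, 11):                        # nurse1: ten days of routine access to R1..R3
        events += [_ev("nurse1", d, r) for r in ("R1", "R2", "R3")]
    events += [_ev("nurse1", 0, "R1"), _ev("nurse1", 0, "R4")]    # R4 never seen before
    events += [_ev("nurse2", 1, "R9"), _ev("nurse2", 0, "R10")]   # only one day of history
    events += [_ev("nurse3", d, "r5") for d in range(1, 6)]       # history stored lower-case
    events.append(_ev("nurse3", 0, "R5"))                         # same record, different case
    events += [_ev("auditor", d, f"R{d}", dept="audit") for d in range(6)]  # whitelisted dept
    return events


def run_demo(condition="in cs"):
    margin = {"min_event_days": 3, "day_range": 30}
    return novelty_detection(build_events(), EVENT_DAY, "userid", "patient_record",
                             margin, condition, whitelist=("dept", {"audit"}))


if __name__ == "__main__":
    print("case-sensitive:  ", run_demo("in cs"))    # nurse3's R5 counts as novel
    print("case-insensitive:", run_demo("in cis"))   # nurse3's R5 matches the earlier r5
```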

Sample Configuration

3.11 Feature Data Link Analysis using Text Mining
Category: Link Analysis
Template Description: An anomaly is flagged if both Target Attributes match, in combination with the filter criteria for a user.
The table below describes the template configuration details:

| Model Parameters | Description |
| --- | --- |
| Resource Name | Name of the resource/data source. |
| Feature Attributes | Attribute(s) that should or should not be included in the analytics (separated by $$$). |
| Feature Data | Value(s) for Feature Attribute combination(s) (separated by $$$; multiple values separated by :::). |
| Feature Criteria | Criteria for Feature Attribute/Value combination(s) (separated by $$$). |
| Global Operator | Global Operator if any feature attributes are populated. (Default: and) |
| Target Attribute 1 | Field Name 1 from the Transactions of the user. |
| Target Attribute 2 | Field Name 2 from the Transactions of the user. |
| Feature Criteria | Criteria for the Target Attributes combination. |
| Analytical Features | Attribute(s) to dynamically populate in the Investigation tab. |
| Profile Attributes | Attribute(s) to dynamically populate as tabular view in the Investigation tab. |
| Model Riskscore | Risk score for the model. |

Use Cases
• Privileged Access Abuse: Self Privilege Escalation - Windows
• High Invoice Amount with Single Approver

Sample Configuration

3.12 Cross-spectrum Interrupted Time Series Analysis Across Days
Category: Time Series Analysis
Template Description: An anomaly is flagged if events in resource 1 and events in resource 2 are sequential, in combination with the filter criteria for both resources, for a user in the given time frame.
The table below describes the template configuration details:

| Model Parameters | Description |
| --- | --- |
| Resource Name 1 | Name of the resource/data source. |
| Feature Attributes 1 | Attribute(s) that should or should not be included in the analytics (separated by $$$). |
| Feature Data 1 | Value(s) for Feature Attribute combination(s) (separated by $$$; multiple values separated by :::). |
| Feature Criteria 1 | Criteria for Feature Attribute/Value combination(s) (separated by $$$). |
| Global Operator 1 | Global Operator if any feature attributes are populated. (Default: and) |
| Resource Name 2 | Name of the resource/data source. |
| Feature Attributes 2 | Attribute(s) that should or should not be included in the analytics (separated by $$$). |
| Feature Data 2 | Value(s) for Feature Attribute combination(s) (separated by $$$; multiple values separated by :::). |
| Feature Criteria 2 | Criteria for Feature Attribute/Value combination(s) (separated by $$$). |
| Global Operator 2 | Global Operator if any feature attributes are populated. (Default: and) |
| Join Attributes | Attribute(s) based on which analysis will pivot. |
| Margin | Days to roll back, Time difference in minutes. |
| Analytical Features | Attribute(s) to dynamically populate in the Investigation tab. |
| Profile Attributes | Attribute(s) to dynamically populate as tabular view in the Investigation tab. |
| Model Riskscore | Risk score for the model. |

Use Cases
• Privileged Access / Security Enabled Global Group Granted and Removed in Short Time Span
• VPN Access in Short Time of Physical Activity
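As an added example (not Gurucul's code), the following Python script runs the cross-spectrum sequence check of sections 3.7 and 3.12 over constructed badge and VPN events, matching the 'VPN Access in Short Time of Physical Activity' use case: a resource 1 event inside the 'Days to roll back' window that is followed, for the same Join Attribute value, by a resource 2 event within 'Time difference in minutes' is flagged, including across midnight. It assumes both event lists have already been narrowed by their Feature Attribute/Data/Criteria filters and carry a 'ts' datetime field.

```python
"""Added example (not Gurucul's code): cross-spectrum sequence detection over
constructed badge (resource 1) and VPN (resource 2) events."""
from bisect import bisect_right
from collections import defaultdict
from datetime import date, datetime, timedelta


def cross_spectrum_sequence(res1_events, res2_events, event_day, join_attr, margin):
    """Return [(join value, t1, t2, minutes)] for every resource 1 event inside the
    roll-back window that is followed, for the same join value, by a resource 2 event
    within margin['minutes']. Both lists are assumed to be already narrowed by their
    Feature Attribute/Data/Criteria filters and to carry a datetime in 'ts'.
    margin keys: days_back ('Days to roll back'), minutes ('Time difference in minutes')."""
    midnight = datetime.min.time()
    window_start = datetime.combine(event_day - timedelta(days=margin["days_back"]), midnight)
    window_end = datetime.combine(event_day + timedelta(days=1), midnight)
    later_by_entity = defaultdict(list)  # join value -> sorted resource 2 timestamps
    for ev in res2_events:
        later_by_entity[ev[join_attr]].append(ev["ts"])
    for stamps in later_by_entity.values():
        stamps.sort()
    hits = []
    for ev in res1_events:
        t1 = ev["ts"]
        if not window_start <= t1 < window_end:
            continue  # outside the days-to-roll-back window
        stamps = later_by_entity.get(ev[join_attr], [])
        i = bisect_right(stamps, t1)  # first resource 2 event strictly after t1
        if i < len(stamps):
            minutes = (stamps[i] - t1).total_seconds() / 60
            if minutes <= margin["minutes"]:
                hits.append((ev[join_attr], t1, stamps[i], round(minutes, 1)))
    return hits


EVENT_DAY = date(2023, 5, 10)


def _ev(user, ts, **extra):
    return {"userid": user, "ts": datetime.fromisoformat(ts), **extra}


def build_events():
    """Constructed sample events (no real data); 203.0.113.0/24 is a documentation range."""
    badge = [  # resource 1: physical badge entries
        _ev("alice", "2023-05-10T08:00:00", door="HQ-lobby"),
        _ev("bob", "2023-05-09T23:50:00", door="HQ-lobby"),    # previous day, inside roll-back
        _ev("carol", "2023-05-10T07:00:00", door="HQ-lobby"),
        _ev("dave", "2023-05-10T08:10:00", door="HQ-lobby"),   # badge AFTER the VPN login
        _ev("erin", "2023-05-07T22:00:00", door="HQ-lobby"),   # outside the roll-back window
    ]
    vpn = [  # resource 2: VPN logins
        _ev("alice", "2023-05-10T08:30:00", src="203.0.113.5"),  # 30 min later -> flagged
        _ev("bob", "2023-05-10T00:20:00", src="203.0.113.6"),    # crosses midnight -> flagged
        _ev("carol", "2023-05-10T10:00:00", src="203.0.113.7"),  # 180 min later -> too late
        _ev("dave", "2023-05-10T08:00:00", src="203.0.113.8"),   # before the badge -> wrong order
        _ev("erin", "2023-05-07T22:10:00", src="203.0.113.9"),   # would match, but too old
    ]
    return badge, vpn


def run_demo():
    badge, vpn = build_events()
    return cross_spectrum_sequence(badge, vpn, EVENT_DAY, "userid",
                                   {"days_back": 1, "minutes": 60})


if __name__ == "__main__":
    for user, t1, t2, minutes in run_demo():
        print(f"{user}: badge {t1:%Y-%m-%d %H:%M} -> VPN {t2:%Y-%m-%d %H:%M} ({minutes} min)")
```

Only the ordered, in-window pairs (alice, and bob across midnight) survive; the same check with 'days_back' set to 0 is the same-day variant of section 3.7.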

Sample Configuration
