
Define a custom Indicator of Behavior


An Indicator of Behavior (IoB) in Sharelock is a configurable Machine Learning Algorithm (MLA), set up through the platform's graphical interface, that monitors selected data points. IoBs are tailored to monitor specific subjects such as user accounts, IP addresses, workstations, or other entities across a variety of integrated systems such as Azure Active Directory, SAP, SharePoint, Dropbox, Google Suite/Workspace, AWS CloudTrail, Salesforce, and multiple VPN providers and vendors.

When configuring an IoB, you can select the subject of monitoring and the metric that you wish to monitor, such as system access outcomes, SAP transactions, file paths, application usage times, and several other parameters. These metrics cater to specific monitoring needs across all applications and include elements like operational results, transactions, accessed paths, timestamps, connection countries, browsers, and devices.

The IoB ultimately helps to establish a behavioral baseline by analyzing behavioral anomalies within the audit log data for each monitored entity. It then calculates an anomaly score which signals a deviation from established patterns, aiding in the identification of potential security threats.

IoBs in Sharelock form the backbone of the system's behavioral analysis capability, which is crucial for early threat detection and response.

Create new Indicator of Behavior

Select the "Settings" option from the main menu at the top right.

Click on the "IoB Insights" card in the configuration group named "Behavioral Engine Management."

To add a new Indicator, click the "New Indicator +" button. In the Indicator details, complete the following mandatory fields:

  • Name: the name of the Indicator being created.

In the card labeled "Choose a Subject," select:

  • Schedule: schedule the analysis execution daily or in real-time.
  • Subject: select, from the dropdown menu, the custom application on which the indicator will act.
  • Attribute Filter: to add a new Attribute Filter, click the "Add Attribute Filter +" option. The Attribute Filter is a highly specific filter that operates on attributes closely associated with the user, such as data uploaded from an Identity Governance source or an Access Manager. It is useful for refining the data processing based on specific user aspects such as Department, User's Role, etc.

You can choose between two types of Filters:

  • Classic Filter: Select a possible Field from the list of all available ones for the custom application, or search for the name of the desired Field.

Then select the suggested Filter from the drop-down menu.

Under the "Values" section, enter the value on which the filter should act.

Multiple values can be entered, separated by commas. If the potential values of the selected Field are unknown, click the "Choose from Directory" button to display the potential values associated with the selected Field, in order of detection.

Once values are provided, press Enter to set the filter values. Choose whether to set the filter in White/Black List mode by clicking the toggle on the right.

  • Existence Filter: Select a Field from the list of all available ones for the custom application, or enter the name of the desired Field. Then select it from the drop-down menu. Choose whether to set the filter in White/Black List mode by clicking the toggle on the right of the "Exist" entry.

In the card labeled "Choose an Algorithm," select:

  • Machine Learning Algorithm: Select the Algorithm Engine based on the analysis to be performed.
  • Processing date: click on the field labeled "Pick a Start date" and select, from the calendar, the date from which to execute the processing calculation.
  • Training period (days): enter or increment/decrement the number of days to consider for training the algorithm on reference data.
  • Outlier detection: click on the checkbox on the right to enable.
  • Baseline Detection type: select the perspective from which behavior is analyzed:
      • Personal: The baseline is determined through an analysis of variations in user behavior compared to their typical habits.
      • Global: The baseline is established through an analysis of variations in user behavior in relation to the habits of the entire corporate population.
      • Dynamic Subject Clustering: The baseline is automatically determined by algorithms that cluster groups of users, whose criteria are established by the frequencies generated by the attributes involved in the processing of the IoB.
      • Attribute Grouping: The baseline is determined by examining differences in user behavior compared to a subset of similar users. It is possible to choose on which user attribute to base the grouping criterion employed by the cluster.

You can prioritize detection methods by dragging the corresponding card up or down, depending on the desired priority.
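
Added illustration, not Sharelock's code or algorithm: a simple frequency-based rarity score over constructed audit events, showing how the same connection country scores differently under the Personal, Global and Attribute Grouping baselines. The tuple layout, the scoring formula and the sample data are assumptions made for this example; Dynamic Subject Clustering is not modelled.

```python
from collections import Counter

# Constructed training-period audit events: (user, department, connection country).
# "department" stands in for the user attribute chosen for Attribute Grouping.
TRAINING = [
    ("alice", "finance", "IT"), ("alice", "finance", "IT"),
    ("alice", "finance", "IT"), ("alice", "finance", "FR"),
    ("bob",   "finance", "IT"), ("bob",   "finance", "IT"),
    ("carol", "sales",   "US"), ("carol", "sales",   "US"),
    ("carol", "sales",   "DE"), ("dave",  "sales",   "US"),
    ("dave",  "sales",   "BR"), ("dave",  "sales",   "US"),
]

BASELINE_TYPES = ("personal", "global", "attribute_grouping")


def rarity(events, value):
    """Return 1 - relative frequency of `value` in the baseline events.

    0.0 means the value is all the baseline ever saw, 1.0 means never seen.
    An empty baseline (no training data) is treated as fully anomalous.
    """
    if not events:
        return 1.0
    counts = Counter(obj for _, _, obj in events)
    return round(1 - counts[value] / len(events), 3)


def score(user, department, value, baseline_type, training=TRAINING):
    """Score one observed object value against the selected baseline population."""
    if baseline_type == "personal":            # the user's own history
        population = [e for e in training if e[0] == user]
    elif baseline_type == "global":            # the whole corporate population
        population = list(training)
    elif baseline_type == "attribute_grouping":  # users sharing the attribute
        population = [e for e in training if e[1] == department]
    else:
        raise ValueError(f"unknown baseline type: {baseline_type}")
    return rarity(population, value)


def score_all(user, department, value):
    """Score the same event under every modelled baseline type."""
    return {t: score(user, department, value, t) for t in BASELINE_TYPES}


if __name__ == "__main__":
    # alice (finance) connecting from US: unseen for her and her department,
    # but common company-wide, so the Global baseline scores it lower.
    print(score_all("alice", "finance", "US"))
    print(score_all("carol", "sales", "US"))
```
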

In the card labeled "Choose an Object," select:

  • Object Field: click on the field and select one of the possible attributes belonging to the selected application on which to process behavior.

  • Aggregations:

Aggregations allow grouping a set of values under a single designation. 

To add a new Aggregation, click on the "Add Aggregation +" option. 

Under the "Label" section, enter the common label by which the aggregated values will be displayed. 

Under the "Values" section, enter the value on which the aggregation will be performed. 

Multiple values can be entered, separated by commas.

  • Filters:

Filters are useful for limiting or narrowing down the results of processing to a specific group of values.

To add a new Filter, click on the "Add Filter +" option. 

Click on the option at the top left of the Card to select the filter to apply. 

You can choose between two types of Filters:

  • Classic Filter: Select a possible Field from the list of all available ones for the custom application, or search for the name of the desired Field. 

Then select the suggested Filter from the drop-down menu. 

Under the "Values" section, enter the value on which the filter should act. 

Multiple values can be entered, separated by commas. If the potential values of the selected Field are unknown, click the "Choose from Directory" button to display the potential values associated with the selected Field, in order of detection.

Once values are provided, press Enter to set the filter values. Choose whether to set the filter in White/Black List mode by clicking the toggle on the right.

  • Existence Filter: Select a Field from the list of all available ones for the custom application, or enter the name of the desired Field. Then select it from the drop-down menu. Choose whether to set the filter in White/Black List mode by clicking the toggle on the right of the "Exist" entry.

Finally, click the "Save" button at the bottom of the page to persist and enable the newly created Indicator of Behavior.