Entity Analytics

Entities are a core feature of Secure60. They are the modelling method used to build profiles of behaviour around specific objects.

This detection technique keeps false positive rates low because related data is grouped around a context that is useful and easily understood by any user of the platform.

An entity can be a user, an IP address or a server, for example, or any other field value that makes sense in your context.

Most entities are created from fields in Events as they are ingested into the system.

Entities are created by Rules; Entity behaviour, and responses to changes in Entities, are tracked by additional Rules.

Entity Concept View

[Figure: Secure60 Entity Concept]

Ways of viewing Entity information

When using Entity Analytics there are two main ways of viewing behaviour:

1. Entity behaviour summarised (over a timeline)

This analysis looks at the Score and Count of Entities over a time period. The data is surfaced for the time period you specify and summarised by the interval (the step in the API definition) that you choose.

This is useful for showing:

To view Entities, visit the Analytics and Reporting page in your Project, where there is a dedicated Entity Analysis section. This allows flexible visibility of any type of behaviour and grouping.

Threats also contain an Entity Analysis related to the specific Threat details.

2. Entity behaviour details (in a table / row format)

This type of analysis produces a data table (with sub-grouping by category and subkey available).

You can use an open time selection, which shows the whole history of the Entity, or a narrower time selection, for example to look at the Score of an Entity over the last 24 hours.

This is useful for answering questions such as:
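The two views above, the summarised timeline with a step interval and the per-Entity detail table with an open or narrowed time selection, as an added example that is not Secure60's own code or API. It works on a constructed list of Entity observations; the field names (ts, entity_type, entity_value, category, subkey, score) are assumptions for this example, not the platform's schema.

```python
from datetime import datetime, timedelta, timezone

HOUR = timedelta(hours=1)

# Constructed sample Entity observations (not real Secure60 output). The field
# names are assumptions made for this example; the platform's schema may differ.
OBSERVATIONS = [
    {"ts": "2024-05-01T08:05:00Z", "entity_type": "user", "entity_value": "alice",
     "category": "login", "subkey": "vpn-gw-1", "score": 1},
    {"ts": "2024-05-01T08:40:00Z", "entity_type": "user", "entity_value": "alice",
     "category": "login", "subkey": "vpn-gw-1", "score": 1},
    {"ts": "2024-05-01T09:10:00Z", "entity_type": "user", "entity_value": "alice",
     "category": "new_location", "subkey": "DE", "score": 8},
    {"ts": "2024-05-01T09:30:00Z", "entity_type": "user", "entity_value": "bob",
     "category": "login", "subkey": "jump-host", "score": 1},
    {"ts": "2024-05-01T11:50:00Z", "entity_type": "ip", "entity_value": "203.0.113.7",
     "category": "failed_login", "subkey": "jump-host", "score": 3},
    {"ts": "2024-05-02T02:15:00Z", "entity_type": "user", "entity_value": "alice",
     "category": "new_system", "subkey": "db-prod-3", "score": 10},
]


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp with a trailing Z into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def summarise(observations, start, end, step, entity_type=None):
    """View 1: Score and Count per interval ("step") over [start, end).

    Returns a list of (bucket_start, score, count), one per step. Empty
    buckets are kept so the timeline has no gaps.
    """
    buckets = []
    t = start
    while t < end:
        buckets.append([t, 0, 0])
        t += step
    for obs in observations:
        ts = parse_ts(obs["ts"])
        if not (start <= ts < end):
            continue
        if entity_type is not None and obs["entity_type"] != entity_type:
            continue
        idx = int((ts - start) // step)   # timedelta // timedelta -> int bucket index
        buckets[idx][1] += obs["score"]
        buckets[idx][2] += 1
    return [tuple(b) for b in buckets]


def details(observations, entity_type, entity_value, start=None, end=None):
    """View 2: one row per (category, subkey) for a single Entity.

    start/end of None give an open time selection (the whole history of the
    Entity); set them to narrow the window, e.g. to the last 24 hours.
    """
    rows = {}
    for obs in observations:
        if obs["entity_type"] != entity_type or obs["entity_value"] != entity_value:
            continue
        ts = parse_ts(obs["ts"])
        if start is not None and ts < start:
            continue
        if end is not None and ts >= end:
            continue
        key = (obs["category"], obs["subkey"])
        row = rows.setdefault(key, {"category": key[0], "subkey": key[1], "score": 0,
                                    "count": 0, "first_seen": ts, "last_seen": ts})
        row["score"] += obs["score"]
        row["count"] += 1
        row["first_seen"] = min(row["first_seen"], ts)
        row["last_seen"] = max(row["last_seen"], ts)
    return [rows[k] for k in sorted(rows)]


if __name__ == "__main__":
    start = parse_ts("2024-05-01T08:00:00Z")
    for bucket_start, score, count in summarise(OBSERVATIONS, start, start + 4 * HOUR, HOUR):
        print(bucket_start.isoformat(), score, count)
    for row in details(OBSERVATIONS, "user", "alice"):
        print(row["category"], row["subkey"], row["score"], row["count"])
```

The timeline keeps empty buckets on purpose: a gap in activity for an Entity is itself useful information, and a chart that silently drops zero-score intervals misleads the reader about when the behaviour happened.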


Using Entity Analytics in Rules

Within Secure60, Rules are the way that the system applies processing to incoming data and builds Entity profiles around various objects.

To use Entity Analytics you can rely on the built-in Managed Rules offered within the platform (these cover common scenarios such as user, IP address and server behaviour tracking), or you can build and customise your own set of Entity rules according to your requirements.

The following scenarios outline common problems that Entity rules detect.

Create an Entity from the Event Stream

This process creates Entity objects by watching the incoming data stream for specific Events that indicate a behaviour we want to build an Entity model around.

A common example is detecting a user login, so that we know who logged in, when, from where and onto what system.

Track the first time a user accesses a system or logs in from a new location

This scenario identifies the first time a user has logged into a system or from a new location. These are rare events in normal day-to-day work, so it is important to enrich the entity analytics system with this information.

This scenario sums up multiple behaviours that are all related to a single entity name and value. This
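The two scenarios above, creating a user Entity from login Events in the stream and then tracking the first access to a system or the first login from a new location, as an added example written for this page; it is not Secure60's rule language or Managed Rule code. The sshd log lines, the GeoIP stand-in mapping and the score weights are all constructed assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed sshd lines in the shape "<ts> <host> sshd[pid]: <message>".
# Not a real capture; written for this example.
LOG_LINES = [
    "2024-05-01T08:05:00Z vpn-gw-1 sshd[4120]: Accepted publickey for alice from 198.51.100.4 port 51234 ssh2",
    "2024-05-01T08:40:00Z vpn-gw-1 sshd[4188]: Accepted publickey for alice from 198.51.100.4 port 51302 ssh2",
    "2024-05-01T09:10:00Z vpn-gw-1 sshd[4301]: Failed password for invalid user admin from 203.0.113.7 port 40022 ssh2",
    "2024-05-01T09:30:00Z jump-host sshd[911]: Accepted password for bob from 198.51.100.9 port 60110 ssh2",
    "2024-05-02T02:15:00Z db-prod-3 sshd[2200]: Accepted publickey for alice from 192.0.2.77 port 41000 ssh2",
]

# Stand-in for a GeoIP enrichment step; the mapping is constructed for this example.
GEO = {"198.51.100.4": "GB", "198.51.100.9": "GB", "192.0.2.77": "BR"}

# Only successful logins create or update the Entity; failed logins do not match.
LOGIN_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: Accepted (?P<method>\w+) "
    r"for (?P<user>\S+) from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)

# Assumed score weights for the two first-seen behaviours.
SCORE_FIRST_SYSTEM = 10
SCORE_FIRST_LOCATION = 8


@dataclass
class UserEntity:
    """Profile built around a user: who, when (first/last seen), where (locations) and what (systems)."""
    name: str
    first_seen: str
    last_seen: str
    systems: set = field(default_factory=set)
    locations: set = field(default_factory=set)
    score: int = 0


def parse_login(line):
    """Match half of the entity-creation rule: return a login Event dict, or None for any other line."""
    m = LOGIN_RE.match(line)
    if m is None:
        return None
    ev = m.groupdict()
    ev["location"] = GEO.get(ev["ip"], "unknown")   # enrichment; unknown IPs become their own "location"
    return ev


def process(lines):
    """Run both rules over the event stream; return (entities by name, findings in order)."""
    entities = {}
    findings = []
    for line in lines:
        ev = parse_login(line)
        if ev is None:
            continue
        user, system, location, ts = ev["user"], ev["host"], ev["location"], ev["ts"]
        ent = entities.get(user)
        if ent is None:
            # Rule 1: the first login creates the Entity. Its system and location
            # seed the baseline instead of firing first-seen findings; otherwise
            # every new user would raise two alerts on day one.
            ent = UserEntity(name=user, first_seen=ts, last_seen=ts,
                             systems={system}, locations={location})
            entities[user] = ent
            findings.append({"rule": "entity_created", "entity": user, "value": system, "ts": ts})
            continue
        ent.last_seen = ts
        # Rule 2: first access to a system, and first login from a new location.
        if system not in ent.systems:
            ent.systems.add(system)
            ent.score += SCORE_FIRST_SYSTEM
            findings.append({"rule": "first_system_access", "entity": user, "value": system, "ts": ts})
        if location not in ent.locations:
            ent.locations.add(location)
            ent.score += SCORE_FIRST_LOCATION
            findings.append({"rule": "first_location", "entity": user, "value": location, "ts": ts})
    return entities, findings


if __name__ == "__main__":
    entities, findings = process(LOG_LINES)
    for f in findings:
        print(f["ts"], f["rule"], f["entity"], f["value"])
    for ent in entities.values():
        print(ent.name, ent.score, sorted(ent.systems), sorted(ent.locations))
```

Seeding the baseline from the creating Event is the design choice worth noticing: a first-seen rule that fires on the very first observation of a new user produces an alert for every onboarding, which is the kind of false positive Entity Analytics is meant to avoid. The trade-off is that a brand-new account's first system is never flagged, so in practice you would pair this with a rule on the entity_created finding itself.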
