Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Guide That Contains This Content
[+] Expand All
[-] Collapse All

    Anomaly Detection Rules

    Anomaly detection rules test the results of saved flow or events searches to detect when unusual traffic patterns occur in your network.

    Anomaly detection rules require a saved search that is grouped around a common parameter, and a time series graph that is enabled. Typically the search needs to accumulate data before the anomaly rule returns any result that identifies patterns for anomalies, thresholds, or behavior changes.

    Anomaly Rules

    Test event and flow traffic for changes in short-term events when you are comparing against a longer time frame. For example, new services or applications that appear in a network, a web server crashes, firewalls that all start to deny traffic.

    Threshold Rules

    Test events or flows for activity that is greater than or less than a specified range. Use these rules to detect bandwidth usage changes in applications, failed services, the number of users connected to a VPN, and detecting large outbound transfers.

    Behavioral Rules

    Test events or flows for volume changes that occur in regular patterns to detect outliers. For example, a mail server that has an open relay and suddenly communicates with many hosts or an IPS (intrusion protection systems) that start to generate numerous alert activity.

    A behavior rule that learns the rate or volume of a property over a pre-defined season. The season defines the baseline comparison timeline for what you are evaluating. When you set a season of 1 week, the behavior for the property over that 1 week is learned and than you use rule tests to alert you to the changes.

    After a behavioral rule is set, the seasons adjust automatically. As the data in the season is learned and is continually evaluated so that business growth is profiled within the season, you do not have to make changes to your rules. The longer that a behavioral rule runs, the more accurate it is over time. You can then adjust the rule responses to capture more subtle changes.

    You want to detect changes in traffic or properties that are always present such as mail traffic, firewall traffic, bytes transferred by common protocols such as 443 traffic, or applications that are common within your network. Define a pattern, traffic type, or data type that you can track to generate an overall trend or historical analysis. Assign rule tests against that pattern to alert you to special conditions.

    The following table describes the Behavioral rule test parameter options.

    Table 1: Behavioral Rule Test Definitions

    Rule test parameter



    The most important value. The season defines the baseline behavior of the property that you are testing, and which the other rule tests use. To define a season, consider the type of traffic that you are monitoring. For example, for network traffic or processes that include human interaction, 1 week is a good season time frame. For tracking automated services where patterns are consistent, you might want to create a season as short as 1 day to define that pattern of behavior.

    Current traffic level

    Weight of the original data with seasonal changes and random error accounted for. This rule test asks the question, "Is the data the same as yesterday at the same time?"

    Current traffic trend

    Weight of changes in the data for each time interval. This rule test asks the question, "How much does the data change when it compares this minute to the minute before?"

    Current traffic behavior

    Weight of the seasonal effect for each period. This rule test asks the question, "Did the data increase the same amount from week 2 to week 3, as it did from week 1 to week 2?"

    Predicted value

    Use predicted values to scale baselines to make alerting more or less sensitive.

    Creating an Anomaly Detection Rule

    Anomaly detection rules test the result of saved flow or event searches to search for unusual traffic patterns that occur in your network. Behavioral rules test event and flow traffic according to "seasonal" traffic levels and trends. Threshold rules test event and flow traffic for activity less than, equal to, or greater than a configured threshold or within a specified range.

    To create anomaly detection rules on the Log Activity tab, you must have the Log Activity Maintain Custom Rules role permission.

    To create anomaly detection rules on the Network Activity tab, you must have the Network Activity Maintain Custom Rules role permission.

    To manage default and previously created anomaly detection rules, use the Rules page on the Offenses tab.

    When you create an anomaly detection rule, the rule is populated with a default test stack, based on your saved search criteria. You can edit the default tests or add tests to the test stack. At least one Accumulated Property test must be included in the test stack.

    By default, the Test the [Selected Accumulated Property] value of each [group] separately option is selected on the Rule Test Stack Editor page.

    An anomaly detection rule tests the selected accumulated property for each event or flow group separately. For example, if the selected accumulated value is UniqueCount(sourceIP), the rule tests each unique source IP address for each event or flow group.

    The Test the [Selected Accumulated Property] value of each [group] separately option is dynamic. The [Selected Accumulated Property] value depends on the option that you select for the this accumulated property test field of the default test stack. The [group] value depends on the grouping options that are specified in the saved search criteria. If multiple grouping options are included, the text might be truncated. Move your mouse pointer over the text to view all groups.

    1. Click the Log Activity or Network Activity tab.
    2. Perform an aggregated search.

      You can add a property to the group by in a new historical search or select a property from the Display list on the current search page.

    3. On the search result page, click Configure, and then configure the following options:
      1. Select a property from the Value to Graph list.

      2. Select time series as the chart type from the Value to Graph list

      3. Enable the Capture Time Series Data check box.

      4. Click Save, and then enter a name for your search.

      5. Click OK.

      6. Select last 5 minutes from the Time Range list, while you wait for the time series graph to load.

      You must have time series data for the property that you selected in the Value to Graph list to run a rule test on that accumulated property.

    4. From the Rules menu, select the rule type that you want to create.
      • Add Anomaly Rule

      • Add Threshold Rule

      • Add Behavioral Rule

    5. On the Rule Test Stack Editor page, in the enter rule name here field, type a unique name that you want to assign to this rule.
    6. To apply your rule by using the default test, select the first rule in the anomaly Test Group list.

      You might need to set the accumulated property parameter to the property that you selected from the Value to Graph list that you saved in the search criteria. If you want to see the result sooner, set the percentage to a lower value, such as 10%. Change last 24 hours to a lesser time period, such as 1 hour. Because an anomaly detection tests on aggregated fields in real time to alert you of anomalous network activity, you might want to increase or decrease events or flows in your network traffic.

    7. Add a test to a rule.
      1. To filter the options in the Test Group list, type the text that you want to filter for in the Type to filter field.

      2. From the Test Group list, select the type of test that you want to add to this rule.

      3. To identify a test as an excluded test, click and at the beginning of the test in the Rule pane. The and is displayed as and not.

      4. Click the underlined configurable parameters to customize the variables of the test.

      5. From the dialog box, select values for the variable, and then click Submit.

    8. To test the total selected accumulated properties for each event or flow group, disable Test the [Selected Accumulated Property] value of each [group] separately.
    9. In the groups pane, enable the groups you want to assign this rule to.
    10. In the Notes field, type any notes that you want to include for this rule, and then Click Next.
    11. On the Rule Responses page, configure the responses that you want this rule to generate.
    12. Click Next.
    13. Click Finish.

    Modified: 2017-09-13