Alerts in BeyondInsight Clarity Analytics

There are two types of alerts:

  • Pattern: Determined by correlation of all characteristics of an event.
  • Explicit: Determined by selected specific characteristics.
Alert | Type | Description
a1 pattern

Maps all characteristics of an event into a single internal cluster using self-organizing map (SOM) clustering. Similar event characteristics lead to the same cluster, so clusters holding a high share of mapped events represent typical behavior, while clusters with a small number of events indicate outliers. Each user's, host's, or asset's characteristics are tracked independently, with an independent set of clusters per entity.

Clusters are hidden and are used only for analysis. They do not behave the same as asset clusters.

Used characteristics:

  • Endpoint Privilege Management events, per user: EventType, Exercised privilege, Path, Asset, Launch weekday and time
  • Privilege Management for Unix & Linux events, per RunHost: RunCommand, RunCWD, PBLUUser, Policy Server, SubmitHost, FinishStatus, Launch weekday and time, Accept, RiskLevel
  • Vulnerability events, per Asset: Vulnerability type, Risk
  • Attack events, per Asset: Attack type, Category
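The following is an added, illustrative implementation of the pattern mechanism described above; it is not Clarity's own code. It encodes Endpoint Privilege Management-style events for one user into feature vectors (one-hot categorical fields plus scaled weekday and hour), trains a small one-dimensional self-organizing map, and flags events that land in a cluster holding less than a chosen share of that user's events. The event fields, the two-node map with sample initialisation, the learning-rate and radius schedules, and the 10% share threshold are all assumptions; the product's real encoding, map size and thresholds are not documented on this page.

```python
"""Pattern-style outlier detection with a tiny self-organizing map (SOM).
Added example, not BeyondInsight Clarity code; feature names, map size,
schedules and the share threshold are assumptions."""
import math

# Constructed events for one user: 20 routine Word launches on a weekday
# morning, then one elevated launch of an installer at 03:00 on a Saturday.
EVENTS = [
    {"event_type": "AppLaunch", "privilege": "User",
     "path": r"C:\Program Files\Office\winword.exe",
     "asset": "WS-0421", "weekday": 1, "hour": 9},
] * 20 + [
    {"event_type": "AppLaunch", "privilege": "Admin",
     "path": r"C:\Users\Public\tmp\setup.exe",
     "asset": "WS-0421", "weekday": 6, "hour": 3},
]

CATEGORICAL = ("event_type", "privilege", "path", "asset")


def build_vocab(events):
    """Distinct values per categorical field, in a stable order."""
    return {f: sorted({e[f] for e in events}) for f in CATEGORICAL}


def encode(event, vocab):
    """One-hot the categorical fields and scale weekday/hour into [0, 1]."""
    vec = []
    for f in CATEGORICAL:
        vec.extend(1.0 if event[f] == v else 0.0 for v in vocab[f])
    vec.append(event["weekday"] / 6.0)
    vec.append(event["hour"] / 23.0)
    return vec


def distance(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def bmu(nodes, vec):
    """Index of the best matching unit (closest node) for a vector."""
    return min(range(len(nodes)), key=lambda i: distance(nodes[i], vec))


def train_som(vectors, n_nodes, epochs=30, lr0=0.5):
    """Online SOM training on a 1-D map with a Gaussian neighbourhood.
    Nodes are seeded with the first n_nodes distinct inputs (sample
    initialisation) so that a run is reproducible without randomness."""
    distinct = []
    for v in vectors:
        if v not in distinct:
            distinct.append(v)
        if len(distinct) == n_nodes:
            break
    if len(distinct) < n_nodes:
        raise ValueError("not enough distinct vectors to seed the map")
    nodes = [list(v) for v in distinct]
    for epoch in range(epochs):
        frac = epoch / epochs
        lr = lr0 * (1.0 - frac)                        # learning rate decays to ~0
        radius = max(0.5, (n_nodes / 2.0) * (1.0 - frac))  # neighbourhood shrinks
        for v in vectors:
            winner = bmu(nodes, v)
            for i, w in enumerate(nodes):
                d = abs(i - winner)                    # distance on the 1-D map
                h = math.exp(-(d * d) / (2.0 * radius * radius))
                for k in range(len(w)):
                    w[k] += lr * h * (v[k] - w[k])
    return nodes


def assign_clusters(events, n_nodes=2):
    """Cluster id for each event of one user (independent map per user)."""
    vocab = build_vocab(events)
    vectors = [encode(e, vocab) for e in events]
    nodes = train_som(vectors, n_nodes)
    return [bmu(nodes, v) for v in vectors]


def cluster_shares(assignments):
    counts = {}
    for c in assignments:
        counts[c] = counts.get(c, 0) + 1
    return {c: n / len(assignments) for c, n in counts.items()}


def pattern_alerts(events, n_nodes=2, min_share=0.1):
    """(cluster_id, share, event) for events whose cluster holds less than
    min_share of this user's events, i.e. the outliers the page describes."""
    assigned = assign_clusters(events, n_nodes)
    shares = cluster_shares(assigned)
    return [(c, shares[c], e) for c, e in zip(assigned, events)
            if shares[c] < min_share]


if __name__ == "__main__":
    for cluster, share, event in pattern_alerts(EVENTS):
        print(f"cluster {cluster} share {share:.3f}: {event['path']}")
```

Identical events always share a cluster because they have identical vectors; what the map adds is that near-identical events (a different hour, say) also merge, so the share of a cluster rather than the count of an exact tuple drives the alert. A real deployment needs a warm-up period per user before shares are meaningful, since every event is an outlier when there is only one.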
a2 explicit

Untrusted Application

Default value: 0.33

  • If the application is unsigned, then value = value + 0.33
  • If the application has no version information, then value = value + 0.33
a5 explicit

Event Timing

Whether the event time falls within working hours and on a working weekday

Default value: 0.33

  • If EventTime < WorkingHoursStart or EventTime > WorkingHoursEnd, then value = value + 0.33
  • If EventDay is in WorkingWeekDaysMask, then value = value + 0.33
a6 explicit

Untrusted User

Default value: 0.33

  • If the user is a local (non-domain) user, then value = value + 0.33
  • If the user is an administrator, then value = value + 0.33
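The three score-style explicit alerts (a2 Untrusted Application, a5 Event Timing, a6 Untrusted User) follow the same shape: a default of 0.33 plus 0.33 per satisfied rule, so a score can only be 0.33, 0.66 or 0.99. The block below is an added example, not BeyondInsight's code, that evaluates those rules over a constructed event. The event field names, the working-hours settings, the weekday numbering and the 0.66 alert threshold are assumptions; the page gives only the weights. The weekday rule is coded exactly as the page states it (an event day that is in WorkingWeekDaysMask adds 0.33), even though the working-hours rule beside it adds weight for the opposite case, so verify which condition your deployment applies before relying on the a5 score.

```python
"""Explicit alerts a2, a5 and a6 as weighted rule scores.
Added example, not BeyondInsight's code; field names, working-hours settings
and the alert threshold are assumptions."""
from datetime import datetime, time

DEFAULT = 0.33   # starting value of each score-style explicit alert
WEIGHT = 0.33    # added once per satisfied rule

# Assumed tenant settings for the Event Timing rule (a5).
WORKING_HOURS_START = time(8, 0)
WORKING_HOURS_END = time(18, 0)
WORKING_WEEKDAYS_MASK = {0, 1, 2, 3, 4}   # datetime.weekday(): Monday=0 ... Friday=4


def untrusted_application(app):
    """a2: +0.33 if the binary is unsigned, +0.33 if it carries no version info."""
    score = DEFAULT
    if not app.get("signed", False):
        score += WEIGHT
    if not app.get("version"):
        score += WEIGHT
    return round(score, 2)


def event_timing(event_time):
    """a5: +0.33 outside WorkingHoursStart..WorkingHoursEnd.  The weekday rule is
    applied as the page states it: a day that IS in the mask adds 0.33."""
    if isinstance(event_time, str):
        event_time = datetime.fromisoformat(event_time)
    score = DEFAULT
    t = event_time.time()
    if t < WORKING_HOURS_START or t > WORKING_HOURS_END:
        score += WEIGHT
    if event_time.weekday() in WORKING_WEEKDAYS_MASK:
        score += WEIGHT
    return round(score, 2)


def untrusted_user(user):
    """a6: +0.33 for a local (non-domain) account, +0.33 for an administrator."""
    score = DEFAULT
    if not user.get("domain"):
        score += WEIGHT
    if user.get("is_admin", False):
        score += WEIGHT
    return round(score, 2)


def explicit_alerts(event, threshold=0.66):
    """Score every rule for one event; return (scores, ids at or above threshold).
    The threshold is an assumption, the page documents only the weights."""
    scores = {
        "a2": untrusted_application(event["application"]),
        "a5": event_timing(event["time"]),
        "a6": untrusted_user(event["user"]),
    }
    return scores, sorted(a for a, s in scores.items() if s >= threshold)


# Constructed event: an unsigned installer run by a local admin at 03:00 on a Saturday.
SAMPLE_EVENT = {
    "application": {"path": r"C:\Users\Public\tmp\setup.exe",
                    "signed": False, "version": None},
    "user": {"name": "localadmin", "domain": None, "is_admin": True},
    "time": "2024-01-06T03:00:00",
}

if __name__ == "__main__":
    print(explicit_alerts(SAMPLE_EVENT))
```

Scores are rounded to two decimals so that 0.33 + 0.33 + 0.33 compares equal to 0.99 rather than to a floating-point neighbour; keep that in mind if you compare these values in a SIEM rule.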
a7 explicit

First App Launch

The alert is flagged when a user launches an application they have never launched before.

a8 explicit

First request for a given managed account and system (Password Safe)

The alert is flagged when a user requests a password for an account and system they have never requested before.

a9 explicit

Unusual password releases (Password Safe)

The alert is flagged when a user does not retrieve the password for an approved request, or when the password is retrieved more than once.

a10 explicit

Concurrent password requests (Password Safe)

The alert is flagged when a user tries to acquire more than one password at a time.
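Alerts a7 through a10 are state-tracking rules rather than scores: a "first seen" lookup (a7 per user and application, a8 per user, account and system), a per-request retrieval count (a9), and a per-user count of requests open at the same time (a10). The block below is an added example, not BeyondInsight's code, that runs those three Password Safe checks over a constructed request log; the a7 check is the same first-seen lookup keyed on (user, application) instead. The log schema, the seeded history of earlier requests, and the model in which a request is "open" from its request event until its close event are assumptions; the page does not describe how Password Safe represents these events.

```python
"""Password Safe explicit alerts a8 (first request for account/system),
a9 (unusual release: never retrieved or retrieved more than once) and
a10 (concurrent requests) over a constructed event log.
Added example, not BeyondInsight's code; schema and open/close model are assumptions."""
from collections import defaultdict

# Constructed log, one line per action, already in time order.  Every
# "request" line is taken to be an approved request (assumption).
LOG = [
    {"ts": "2024-03-04T09:00:00", "user": "alice", "action": "request",  "id": "r1", "account": "svc_backup", "system": "db01"},
    {"ts": "2024-03-04T09:01:00", "user": "alice", "action": "retrieve", "id": "r1"},
    {"ts": "2024-03-04T09:30:00", "user": "alice", "action": "close",    "id": "r1"},
    {"ts": "2024-03-04T10:00:00", "user": "alice", "action": "request",  "id": "r2", "account": "svc_backup", "system": "db01"},
    {"ts": "2024-03-04T10:02:00", "user": "alice", "action": "retrieve", "id": "r2"},
    {"ts": "2024-03-04T10:05:00", "user": "alice", "action": "retrieve", "id": "r2"},   # second retrieval -> a9
    {"ts": "2024-03-04T10:30:00", "user": "alice", "action": "close",    "id": "r2"},
    {"ts": "2024-03-04T11:00:00", "user": "bob",   "action": "request",  "id": "r3", "account": "root", "system": "web02"},  # bob's first -> a8
    {"ts": "2024-03-04T11:01:00", "user": "bob",   "action": "request",  "id": "r4", "account": "root", "system": "web03"},  # a8, and r3 still open -> a10
    {"ts": "2024-03-04T11:05:00", "user": "bob",   "action": "retrieve", "id": "r4"},
    {"ts": "2024-03-04T11:30:00", "user": "bob",   "action": "close",    "id": "r3"},   # closed without retrieval -> a9
    {"ts": "2024-03-04T11:31:00", "user": "bob",   "action": "close",    "id": "r4"},
]

# Seeded history: (user, account, system) tuples requested before this log
# started, so alice's routine request is not a "first request".
KNOWN_REQUESTS = {("alice", "svc_backup", "db01")}


def password_safe_alerts(log, history):
    """Return (alert_id, user, request_id) tuples in detection order."""
    seen = set(history)                # (user, account, system) already requested
    open_requests = defaultdict(set)   # user -> request ids not yet closed
    retrievals = {}                    # request id -> number of retrievals
    alerts = []
    for e in log:
        user, action, rid = e["user"], e["action"], e["id"]
        if action == "request":
            key = (user, e["account"], e["system"])
            if key not in seen:                     # a8: never requested before
                alerts.append(("a8", user, rid))
                seen.add(key)
            if open_requests[user]:                 # a10: another request still open
                alerts.append(("a10", user, rid))
            open_requests[user].add(rid)
            retrievals[rid] = 0
        elif action == "retrieve":
            retrievals[rid] = retrievals.get(rid, 0) + 1
            if retrievals[rid] == 2:                # a9: flag once, on the second pull
                alerts.append(("a9", user, rid))
        elif action == "close":
            open_requests[user].discard(rid)
            if retrievals.get(rid, 0) == 0:         # a9: approved but never retrieved
                alerts.append(("a9", user, rid))
    return alerts


if __name__ == "__main__":
    for alert in password_safe_alerts(LOG, KNOWN_REQUESTS):
        print(alert)
```

The never-retrieved half of a9 can only be decided when the request ends, which is why it is raised on the close event; in a streaming detector that means holding per-request state until a close or an expiry timeout arrives, and any request still open at shutdown should be carried over rather than dropped.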