Alerts in BeyondInsight Clarity Analytics

Maps all characteristics of an event into a single internal cluster using self-organizing maps clustering. Similar event characteristics lead to the same cluster. Thus, clusters with high share of mapped events represent typical behavior, while clusters with small number of events indicate outliers. Each user, host, or asset's characteristics are tracked independently with independent sets of clusters.

Clusters are hidden and are used only for analysis. They do not behave the same as asset clusters.

Used characteristics:

• Endpoint Privilege Management events, per user: EventType, Exercised privilege, Path, Asset, Launch weekday and time
• Privilege Management for Unix & Linux events, per RunHost: RunCommand, RunCWD, PBLUUser, Policy Server, SubmitHost, FinishStatus, Launch weekday and time, Accept, RiskLevel
• Vulnerability events, per Asset: Vulnerability type, Risk
• Attack events, per Asset: Attack type, Category

Event Timing

Event time within working hours and weekday

Default value: 0.33

• If EventTime < WorkingHoursStart or EventTime > WorkingHoursEnd, then value = value + 0.33
• If EventDay is in WorkingWeekDaysMask, then value = value + 0.33

First App Launch

The alert is flagged when a user launches an application they have never launched before.

Unusual password releases (Password Safe)

The alert is flagged when a user does not retrieve the password for approved request or the password is retrieved more than once.