View Cluster Maps

This feature is deprecated for new installations of BeyondInsight 22.1 and future releases. Cluster Maps and Cluster Analysis are available only for BeyondInsight releases prior to 22.1 and if upgrading to 22.1 from previous releases.

A cluster map is a visual representation of the following cluster types.

  • Asset Cluster: Larger clusters indicate more assets sharing similar traits within an organization. Smaller clusters indicate a potential anomaly. Cluster groups include:
    • Launched applications
    • Vulnerabilities
    • Attacks
  • User Cluster: Represents Password Safe users that share similar characteristics in an organization.

Cluster Map Numbering

A cluster map number is randomly generated and does not have any meaning in the context of the actual data. However, the closer the cluster map numbers, the more similar the attributes of the assets to each other.

For example, assets assigned to cluster 14 and cluster 16 would have similar qualities. However, assets assigned to cluster 14 and cluster 68 would have fewer qualities in common.

The cluster map numbers can change at any time, but this does not reflect on the assets or any potential anomalies that might exist.

Cluster Shading

Asset

Shading is based on the highest of the Asset Risk, Attacks, and Vulnerable Apps values for the cluster; the gradient spans a range from 0.0 to 1.0.

User

Shading is based on the User Risk attribute for Password Safe users.

Asset Cluster Attributes

There are eight cluster attributes organized in the following categories:

  • Ordering attributes: Attributes are ordered from low to high.
  • Pattern attributes: A pattern value maps a set of characteristics to a single value (in the range 0 – 1). The difference between two pattern values shows how similar two sets of the same type of characteristic are.
Attribute (Type): Description

  • Attacks (Ordering): Number of detected attacks. A greater value means more detected attacks.
  • Vulnerable Apps (Ordering): Number of launches of vulnerable applications. A greater value means more started or running vulnerable applications.
  • Risk (Ordering): Asset risk. A greater value means greater risk.
  • App Set (Ordering): Running and/or elevated applications (elevation depends on Privilege Management for Windows Servers).
  • Vulnerabilities Set (Pattern): Discovered vulnerabilities.
  • Service Set (Pattern): Services.
  • Software Set (Pattern): Installed software packages.
  • Port Set (Pattern): Opened ports.

User Cluster Attributes

Attribute (Type): Description

  • SharedSysAssetRisk (Ordering): Number of blocked commands in a Password Safe session; corresponds to the block, block+lock, lock, and terminate command triggers.
  • SharedSysDenied (Ordering): Number of denied session requests.
  • SharedUsrRisk (Ordering): Maximum risk on an access policy associated with the user.
  • SharedSysSet (Pattern): Machines a user can access.
  • SharedSysVulnSet (Pattern): Vulnerabilities for machines a user can access.
  • SharedSysSrvSet (Pattern): Services for machines a user can access.
  • SharedSysSoftSet (Pattern): Software installed on machines a user can access.
  • SharedSysPortSet (Pattern): Ports for machines a user can access.

Analyze Cluster Maps

You must configure settings in BeyondInsight before any data is collected.

The following procedure shows examples from asset clusters. The procedure and analysis are similar for user clusters.

  1. From the menu, select Cluster Analysis. By default, the Cluster Map tab is selected.
  2. Select one of the following tabs to analyze cluster map data:
    • Asset Counts: Clusters the assets with similar characteristics. The smaller the cluster tile, the more likely there is an outlier.
    • Cluster Risk: Clusters the assets based on the common risk characteristics. The larger tiles in the cluster map have the greater risk.
    • Attacks: Clusters assets based on the common attack properties. The larger tiles indicate a greater attack level. Drill down to learn more about the assets and the attack data.
    • Vulnerable Apps: Clusters the assets by the similar installed vulnerable applications. The larger tiles indicate a greater threat as a result of installed vulnerable applications on the assets.
  3. Hover over the tile to display a summary of the event data.
  4. Double-click a cluster to view more detail, and click the tabs to view more information.

For more information, please see Configure BeyondInsight Clarity Analytics.

Analyze Cluster Grids

Keep the following tips in mind when analyzing threat conditions in your Clarity results data:

  • Sort clusters by ordering attributes, such as Vulnerable Apps, Attacks, or Risk.
  • Clusters with a small number of members and high ordering attribute values are potential outliers.
  • For outliers, review the pattern attributes to identify if the outliers have a unique or a different set of running applications, vulnerabilities, services, software, or ports.
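The three tips above describe a triage sequence (sort by an ordering attribute, flag small clusters with high values, then compare their pattern attributes against the norm), and the Cluster Shading and Pattern attributes sections above describe how a tile's shade and a pattern value are derived. The following Python is an added example that carries that sequence out on a constructed cluster grid; it is not BeyondInsight or Clarity code. The `Cluster` row shape, the sample rows, the use of grid medians as the "few members" and "high value" thresholds, the scaling of attack and vulnerable-app counts against the grid maximum for shading, and the use of Jaccard overlap to stand in for the difference between two pattern values are all assumptions made for the example.

```python
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Cluster:
    """One row of a cluster grid (a hypothetical shape; not BeyondInsight's data model)."""
    number: int            # cluster map number (random; only closeness is meaningful)
    members: int           # number of assets in the cluster
    attacks: int           # ordering attribute: detected attacks
    vulnerable_apps: int   # ordering attribute: vulnerable application launches
    risk: float            # ordering attribute: asset risk, assumed on a 0.0 - 1.0 scale
    app_set: frozenset     # pattern attribute: running applications
    port_set: frozenset    # pattern attribute: opened ports


# Constructed sample grid; the numbers and sets are made up for illustration.
SAMPLE_GRID = [
    Cluster(14, 120, 0, 1, 0.20, frozenset({"chrome", "outlook"}), frozenset({443, 445})),
    Cluster(16, 95, 1, 2, 0.25, frozenset({"chrome", "outlook", "teams"}), frozenset({443, 445})),
    Cluster(31, 40, 2, 3, 0.40, frozenset({"chrome", "java"}), frozenset({443, 8080})),
    Cluster(68, 2, 9, 7, 0.90, frozenset({"java", "winrar"}), frozenset({443, 3389, 4444})),
]

ORDERING_ATTRIBUTES = ("attacks", "vulnerable_apps", "risk")


def shades(grid):
    """Tile shading as the page describes it: the highest of the risk, attacks and
    vulnerable-app values on a 0.0 - 1.0 gradient. Attack and vulnerable-app counts
    are scaled against the largest count in the grid (that scaling is an assumption)."""
    max_attacks = max(c.attacks for c in grid) or 1
    max_vuln = max(c.vulnerable_apps for c in grid) or 1
    return {
        c.number: max(c.risk, c.attacks / max_attacks, c.vulnerable_apps / max_vuln)
        for c in grid
    }


def sort_by(grid, attribute):
    """Tip 1: sort clusters by an ordering attribute, highest first."""
    if attribute not in ORDERING_ATTRIBUTES:
        raise ValueError(f"{attribute} is not an ordering attribute")
    return sorted(grid, key=lambda c: getattr(c, attribute), reverse=True)


def outlier_candidates(grid, attribute):
    """Tip 2: few members plus a high ordering value. 'Few' and 'high' are taken
    relative to the grid medians; the thresholds are an assumption for the example."""
    small = median(c.members for c in grid)
    high = median(getattr(c, attribute) for c in grid)
    return [c for c in sort_by(grid, attribute)
            if c.members < small and getattr(c, attribute) > high]


def jaccard(a, b):
    """Overlap between two pattern sets: 1.0 = identical, 0.0 = disjoint.
    Stands in for the page's 'difference in pattern values' between two sets."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def unique_traits(candidate, baseline):
    """Tip 3: what an outlier runs or exposes that the baseline cluster does not."""
    return {
        "apps_only_here": sorted(candidate.app_set - baseline.app_set),
        "ports_only_here": sorted(candidate.port_set - baseline.port_set),
        "app_similarity": round(jaccard(candidate.app_set, baseline.app_set), 2),
        "port_similarity": round(jaccard(candidate.port_set, baseline.port_set), 2),
    }


def triage(grid, attribute="attacks"):
    """Run the three tips in order and return one finding per outlier candidate,
    comparing each against the largest cluster as the 'normal' baseline."""
    baseline = max(grid, key=lambda c: c.members)
    tile_shade = shades(grid)
    return [
        {"cluster": c.number, "members": c.members, attribute: getattr(c, attribute),
         "shade": round(tile_shade[c.number], 2), **unique_traits(c, baseline)}
        for c in outlier_candidates(grid, attribute)
    ]


if __name__ == "__main__":
    for finding in triage(SAMPLE_GRID):
        print(finding)
```

Running the block prints one finding per candidate; on the sample grid, cluster 68 (two members, the highest attack count, and ports and applications the large baseline cluster does not have) comes out first, which is the shape of outlier the tips ask you to look for. Swap `attribute` for `vulnerable_apps` or `risk` to repeat the triage on another ordering attribute.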

To view the cluster grid, follow these steps.

  1. From the menu, select Cluster Analysis.
  2. Click the Grid View icon.
  3. To review asset details for a cluster, double-click the row.