View Cluster Maps
A cluster map is a visual representation of the following cluster types.
- Asset Cluster: Larger clusters indicate more assets sharing similar traits within an organization. Smaller clusters indicate a potential anomaly. Clusters groups include:
- Launched applications
- User Cluster: Represents Password Safe users that share similar characteristics in an organization.
Cluster Map Numbering
A cluster map number is randomly generated and does not have any meaning in the context of the actual data. However, the closer the cluster map numbers, the more similar the attributes of the assets to each other.
For example, assets assigned to cluster 14 and cluster 16 would have similar qualities. However, assets assigned to cluster 14 and cluster 68 would have fewer qualities in common.
The cluster map numbers can change at any time, but this does not reflect on the assets or any potential anomalies that might exist.
Shading is based on the Asset Risk, Attacks, Vulnerability app value. The Cluster Map uses the highest of the three, and the gradient is based on a range from 0.0 to 1.0.
Shading is based on the User Risk attribute for Password Safe users.
Asset Cluster Attributes
There are eight cluster attributes organized in the following categories:
- Ordering attributes: Attributes are ordered from low to high.
- Pattern attributes: A pattern value maps a set of characteristics to a single value (in the range 0 – 1). The difference in pattern values shows similarities between different sets of the same type characteristics.
|Attacks||Ordering||Number of detected attacks. Greater value means more detected attacks.|
|Vulnerable Apps||Ordering||Number of launches of vulnerable applications. Greater value means more started/running vulnerable applications.|
|Risk||Ordering||Asset risk. Greater value means greater risk.|
|App Set||Ordering||Running or/and elevated (depends on Privilege Management for Windows Servers) applications.|
|Vulnerabilities Set||Pattern||Discovered vulnerabilities.|
|Software Set||Pattern||Installed software packages.|
|Port Set||Pattern||Opened ports.|
User Cluster Attributes
|SharedSysAssetRisk||Ordering||Number of blocked commands in a Password Safe session, corresponds to block, block+lock, lock, and terminate command triggers.|
|SharedSysDenied||Ordering||Number of denied session requests.|
|SharedUsrRisk||Ordering||Maximum risk on an access policy associated with the user.|
|SharedSysSet||Pattern||Machines a user can access.|
|SharedSysVulnSet||Pattern||Vulnerabilities for machines a user can access.|
|SharedSysSrvSet||Pattern||Services for machines a user can access.|
|SharedSysSoftSet||Pattern||Software installed for machines a user can access.|
|SharedSysPortSet||Pattern||Ports for machines a user can access.|
Analyze Cluster Maps
You must configure settings in BeyondInsight before any data is collected.
The following procedure shows examples from asset clusters. The procedure and analysis is similiar for user clusters.
- From the menu, select Cluster Analysis. By default, the Cluster Map tab is selected.
- Select one of the following tabs to analyze cluster map data:
- Asset Counts: Clusters the assets with similar characteristics. The smaller the cluster tile, the more likely there is an outlier.
- Cluster Risk: Clusters the assets based on the common risk characteristics. The larger tiles in the cluster map have the greater risk.
- Attacks: Clusters assets based on the common attack properties. The larger tiles indicate a greater attack level. Drill down to learn more about the assets and the attack data.
- Vulnerable Applications: Clusters the assets by the similar installed vulnerable applications. The larger tiles indicate a greater threat as a result of installed vulnerable applications on the assets.
- Hover over the tile to display a summary of the event data.
- Double-click a cluster to view more detail, and click the tabs to view more information.
For more information, please see BeyondInsight Clarity Analytics.
Analyze Cluster Grids
Some key tips to keep in mind when analyzing threat conditions in your Clarity results data:
- Sort clusters by ordering attributes, such as Vulnerable Apps, Attacks, or Risk.
- Potential outliers could be clusters with a small number of members and greater ordering attributes.
- For outliers, review the pattern attributes to identify if the outliers have a unique or a different set of running applications, vulnerabilities, services, software, or ports.
To view the cluster grid, follow the steps.
- From the menu, select Cluster Analysis.
- Click the Grid View icon.
- To review asset details for a cluster, double-click the row.