Process Anomalies Details Page

The Process Anomalies Details page displays information about a specific anomaly detected by F5 Distributed Cloud App Infrastructure Protection (AIP) with threatML.

ProcessAnomaliesDetailsPage.png

Process Anomaly Summary section

The Process Anomaly Summary section contains specific details about the process detected as anomalous for your infrastructure.

ProcessAnomalySummarySection.png

  1. Actions drop-down menu – Click the drop-down menu to do one of the following:
    • Create Rule – Click this option to open the Create Rule dialog. If the anomaly completely matches an active Rule, then the Edit Rule dialog displays instead.
    • View Similar Events – Click this option to open the Events tab and display a list of events similar to this one. At least one event displays.
  2. Process Name – The name of the process for which an anomaly was detected.
  3. Assessed – The date on which the anomaly was detected.
  4. Time Range – The length of time during which the process executed.
  5. Max User Anomaly Score – The highest anomaly score among all users who executed the process. A higher score indicates a greater degree of abnormality, while a lower score indicates a lesser degree of abnormality.
  6. User Count – The number of users who executed the process.
  7. Events Matched to Rule – The percentage of contributing Distributed Cloud AIP events that match an active Rule. Options include:
    • 100.0% – The percentage of discovered anomalies in which the contributing events completely match an active Rule in your Distributed Cloud AIP organization.
    • 99.9 – 0.1% – The percentage of discovered anomalies in which at least one, but not all, contributing events match an active Rule in your Distributed Cloud AIP organization.
    • 0.0% – The percentage of discovered anomalies in which no contributing events matched any active Rule in your Distributed Cloud AIP organization.
  8. Organization Anomaly Score – How atypical the process is compared to all other processes executed in your infrastructure. A higher score indicates a greater degree of abnormality, while a lower score indicates a lesser degree of abnormality.
  9. Server Count – The number of servers on which the process executed.
  10. Informational message – The message contains the reason why this process was flagged as anomalous in your infrastructure.

Process Occurrences Over Assessed 24 Hours section

The Process Occurrences Over Assessed 24 Hours section displays each time the anomaly occurred over the previous 24 hours. Select a red bar to display both the time and the total number of anomalies detected at that time. The time range is in UTC.

BarGraph.png

Observed Servers section

The Observed Servers section contains the list of Distributed Cloud AIP monitored servers on which the process was observed.

ObservedServers.png

  1. Server Name column – The name of the server on which the process was observed. Click the name link to view the server on the Servers page.
  2. Occurrences column – The number of times the process executed on the server.
  3. Actions drop-down menu – Click the drop-down menu to do one of the following:
    • View Similar Events – Click this option to open the Events tab and display a list of events similar to this one. At least one event displays.
  4. Page controls – If the list contains more than one page, then click these buttons to go forward or backward through the pages of the list.

Observed Users section

The Observed Users section contains the list of Distributed Cloud AIP users who executed the process.

ObservedUsers.png

  1. User column – The name of the Distributed Cloud AIP user who executed the process.
  2. Occurrences column – The number of times the user executed the process.
  3. Anomaly Score column – How atypical it is for the user to execute the process. A higher score indicates a greater degree of abnormality, while a lower score indicates a lesser degree of abnormality.
  4. Actions drop-down menu – Click the drop-down menu to do one of the following:
    • Create Rule – Click this option to open the Create Rule dialog. If the anomaly completely matches an active Rule, then the Edit Rule dialog displays instead.
    • View Similar Events – Click this option to open the Events tab and display a list of events similar to this one. At least one event displays.
  5. Page controls – If the list contains more than one page, then click these buttons to go forward or backward through the pages of the list.

Matched Rules section

The Matched Rules section contains a list of active Rules in your infrastructure that match one or more contributing events for the process. If no contributing events match an active Rule, then this section is blank.

MatchedRules.png

  1. Rule Name column – The name of the active Rule matched by one or more contributing events for the process. Click the Rule name link to open the Edit Rule dialog.
  2. Occurrences column – The number of times a contributing event matched the active Rule.
  3. Severity column – The severity level of the matched active Rule. Options are:
    • 1 (highest)
    • 2
    • 3
  4. Page controls – If the list contains more than one page, then click these buttons to go forward or backward through the pages of the list.
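The figures on this page (User Count, Server Count, Max User Anomaly Score, the Events Matched to Rule percentage and its three ranges, the Create Rule / Edit Rule choice in the Actions menu, the Observed Servers, Observed Users and Matched Rules tables, and the per-hour occurrence graph) are all aggregations over the contributing events of one process. The following Python is an added example, not F5's code and not the AIP event schema: it derives each of those figures from a small constructed set of events. The field names (`ts`, `server`, `user`, `rules`), the rule severities and the per-user anomaly scores are assumptions made for the example; the scoring model itself is threatML's and is not reproduced here.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample: contributing events for one anomalous process. Field
# names and values are assumptions for this example, not the AIP event schema.
PROCESS_NAME = "curl"
ASSESSED = "2023-05-01T12:00:00Z"
EVENTS = [
    {"ts": "2023-05-01T01:10:00Z", "server": "web-01", "user": "www-data", "rules": []},
    {"ts": "2023-05-01T01:40:00Z", "server": "web-01", "user": "www-data", "rules": ["Shell from web server"]},
    {"ts": "2023-05-01T03:05:00Z", "server": "web-02", "user": "deploy",   "rules": ["Shell from web server", "Unexpected curl"]},
    {"ts": "2023-05-01T03:20:00Z", "server": "db-01",  "user": "deploy",   "rules": []},
    {"ts": "2023-04-29T10:00:00Z", "server": "db-01",  "user": "deploy",   "rules": []},  # outside the 24 h window
]
# Constructed severity per active Rule (1 is highest) and constructed per-user
# anomaly scores; how threatML computes the scores is not modelled here.
RULE_SEVERITY = {"Shell from web server": 2, "Unexpected curl": 1}
USER_SCORES = {"www-data": 0.42, "deploy": 0.91}


def parse_ts(ts):
    """Parse an ISO-8601 UTC timestamp with a 'Z' suffix into an aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)


def events_in_window(events, assessed, hours=24):
    """Keep only the events that fall in the `hours` before the assessment time."""
    end = parse_ts(assessed)
    start = end - timedelta(hours=hours)
    return [e for e in events if start <= parse_ts(e["ts"]) <= end]


def matched_bucket(events):
    """Classify 'Events Matched to Rule' on raw counts rather than a rounded
    percentage: 'complete' (100.0%), 'partial' (99.9 - 0.1%) or 'none' (0.0%)."""
    if not events:
        return "none"
    matched = sum(1 for e in events if e["rules"])
    if matched == len(events):
        return "complete"
    return "partial" if matched else "none"


def events_matched_pct(events):
    """Percentage of contributing events that match at least one active Rule."""
    if not events:
        return 0.0
    matched = sum(1 for e in events if e["rules"])
    return round(100.0 * matched / len(events), 1)


def action_label(events):
    """The Actions menu opens Edit Rule only when the anomaly completely
    matches an active Rule; otherwise it offers Create Rule."""
    return "Edit Rule" if matched_bucket(events) == "complete" else "Create Rule"


def summary(events, assessed):
    """The Process Anomaly Summary figures for the assessed 24-hour window."""
    window = events_in_window(events, assessed)
    users = {e["user"] for e in window}
    return {
        "process_name": PROCESS_NAME,
        "user_count": len(users),
        "server_count": len({e["server"] for e in window}),
        "max_user_anomaly_score": max(USER_SCORES[u] for u in users),
        "events_matched_pct": events_matched_pct(window),
        "events_matched_bucket": matched_bucket(window),
    }


def observed_servers(events):
    """Observed Servers table: (server name, occurrences), most frequent first."""
    return Counter(e["server"] for e in events).most_common()


def observed_users(events):
    """Observed Users table: (user, occurrences, anomaly score)."""
    counts = Counter(e["user"] for e in events)
    return [(u, n, USER_SCORES[u]) for u, n in counts.most_common()]


def matched_rules(events):
    """Matched Rules table: (rule name, occurrences, severity). An event that
    matches two Rules contributes one occurrence to each of them."""
    counts = Counter(r for e in events for r in e["rules"])
    return [(r, n, RULE_SEVERITY[r]) for r, n in counts.most_common()]


def hourly_occurrences(events):
    """Process Occurrences Over Assessed 24 Hours: occurrences per UTC hour."""
    return Counter(parse_ts(e["ts"]).strftime("%Y-%m-%d %H:00 UTC") for e in events)


if __name__ == "__main__":
    window = events_in_window(EVENTS, ASSESSED)
    print(summary(EVENTS, ASSESSED))
    print("Action:", action_label(window))
    print("Servers:", observed_servers(window))
    print("Users:", observed_users(window))
    print("Rules:", matched_rules(window))
    print("Hourly:", dict(hourly_occurrences(window)))
```

With the constructed events, four of the five fall inside the window, two of those match a Rule, so the summary reports 50.0% in the 99.9 – 0.1% range and the Actions menu offers Create Rule rather than Edit Rule. The bucket is decided on raw counts on purpose: a single matched event out of many thousands can round to 0.0% yet still belongs in the partial range, and the Matched Rules section would not be blank for it.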

Additional Information

Introduction to threatML

ThreatML Data Models

ThreatML Anomalies Widget

Overview: threatML Features

Slack Integration for ThreatML
