
Behavioural clustering alerts

This screen contains all the alerts produced by the MOREAL Behavioural Clustering Engine. For a given IP, alert generation is based on a clustering algorithm which detects suspicious behaviour by proximity and similarity to groups of other entities exhibiting a high occurrence of threat events. For more information, refer to the Behavioural Clustering technical article.

Activity is analysed in regular time periods (time windows), which are currently set to “1 hour” and “5 minutes”.

Currently the Behavioural Clustering component only analyzes log data from “syslog” (system logging data from firewalls and UTMs). Analysis for Netflow data is planned for inclusion in the next versions.

Sample Behavioural Clustering alerts.

Alert overview page

The alert overview page provides extra information for the produced alert, such as the time and number of occurrences, the time of detection, the involved entities, any service affected and the criticality of the alert.

Example of a Behavioural Clustering alert

More specifically, the most important information is:

  • A color-coded severity indicator based on a score computed from the confidence, the risk level and the collected evidence specific to this alert
  • The organization (and sub-organization) the monitored entity belongs to
  • An alert description which reports the involved IP and explains the reason an alert was raised
  • Time window : The length of the time period that the measurements were recorded (either “1 hour” or “5 minutes”).
  • Occurred at : The specific time window with the exact starting and ending time that the measurements were performed. The suspicious behaviour refers to this period.
  • Detected at : The exact time when the Behavioural Clustering engine detected this potential threat.
  • First notification : The exact time when MOREAL created this alert for the first time.
  • Last notification : The exact time when MOREAL last updated this alert (if there is more than one occurrence of the same event).
  • Threat Risk Indicator : A proprietary score by MOREAL indicating the risk level, confidence and the amount of evidence for raising the alert.
  • Criticality : A more user-friendly label of the severity of this alert (low, medium, high, critical)

Finally, the MOREAL alert overview page provides links for navigating to views of the raw traffic and security events (button: “View relevant events”) as well as to the IP profile of the involved entity (button: “View IP Profile”).

How to interpret a Behavioural Clustering alert

A behavioural clustering alert includes, among other information, a title characterizing the type of alert and a message describing the reason an alert was triggered.

As the title of the alert in the previous example indicates, it concerns the suspicious behaviour of a given IP.

The alert description can be interpreted as follows:

  • [IP: 10.0.143.79] : The first part enclosed in square brackets lists the involved entity (IP: 10.0.143.79) and – in specific behavioral clustering alerts – an extra attribute (currently “service”) which further specifies the type of activity that triggered this alert.
  • 30.8% of IPs with similar traffic behavior were associated with threat events : The second part of the message gives the percentage of monitored entities that showed traffic behaviour similar to the above entity during the monitored time window and were themselves associated with threat events.

Briefly, the MOREAL behavioural clustering engine models and “learns” the communication footprint of past threats and infected workstations. In this specific example, the communication footprint of this workstation (IP: 10.0.143.79) for the last hour (time window) matched the aggregate behaviour of a cluster of IPs, 31% of which had threat activity.
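The interpretation above can be automated when alert descriptions are exported for triage. The following Python example (added here; it is not MOREAL code and the product exposes no such parser) extracts the involved IP, the optional “service” attribute and the threat-share percentage from a description in the documented format, and ranks a batch of descriptions by threat share so the analyst sees the strongest cluster matches first. The syntax assumed for the service attribute (`[IP: x, service: y]`) and the sample descriptions are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Matches the documented description: a bracketed entity prefix followed by the
# percentage sentence. The ", service: ..." part of the prefix is an assumption
# about how the extra attribute is rendered; the page only names the attribute.
DESCRIPTION_RE = re.compile(
    r"^\[IP:\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
    r"(?:,\s*service:\s*(?P<service>[^\]]+))?\]\s*:?\s*"
    r"(?P<pct>\d+(?:\.\d+)?)% of IPs with similar traffic behavior "
    r"were associated with threat events",
    re.IGNORECASE,
)


@dataclass
class ClusteringAlert:
    ip: str
    threat_share: float          # fraction of the cluster tied to threats, 0..1
    service: Optional[str] = None


def parse_alert_description(text: str) -> ClusteringAlert:
    """Parse one behavioural clustering description; raise on unknown formats."""
    m = DESCRIPTION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a behavioural clustering description: {text!r}")
    service = m["service"].strip() if m["service"] else None
    return ClusteringAlert(ip=m["ip"], threat_share=float(m["pct"]) / 100.0,
                           service=service)


def rank_alerts(lines: List[str]) -> Tuple[List[ClusteringAlert], List[str]]:
    """Parse a batch and order it by threat share, highest first.

    Lines that do not parse are returned separately rather than dropped, so a
    format change in the feed is noticed instead of silently hiding alerts."""
    parsed, rejected = [], []
    for line in lines:
        try:
            parsed.append(parse_alert_description(line))
        except ValueError:
            rejected.append(line)
    parsed.sort(key=lambda a: a.threat_share, reverse=True)
    return parsed, rejected


# Constructed sample export; the first line is the example from the page.
SAMPLE_LINES = [
    "[IP: 10.0.143.79] 30.8% of IPs with similar traffic behavior were associated with threat events",
    "[IP: 10.0.12.5, service: dns] 12% of IPs with similar traffic behavior were associated with threat events",
    "Unrelated syslog line that must not be mistaken for an alert",
]

if __name__ == "__main__":
    ranked, bad = rank_alerts(SAMPLE_LINES)
    for a in ranked:
        print(f"{a.ip:<15} service={a.service or '-':<6} threat_share={a.threat_share:.3f}")
    print(f"{len(bad)} line(s) not parsed")
```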