This screen contains all the alerts produced by the MOREAL Behavioural Clustering Engine. For a given IP, alert generation is based on a clustering algorithm that detects suspicious behaviour by proximity and similarity to groups of other entities exhibiting a high occurrence of threat events. For more information, refer to the Behavioural Clustering technical article.
Activity is analysed in regular time periods (time windows), which are currently set to “1 hour” and “5 minutes”.
Currently the Behavioural Clustering component only analyses log data from “syslog” (system logging data from firewalls and UTMs). Analysis of Netflow data is planned for inclusion in the next versions.
Sample Behavioural Clustering alerts.
The alert overview page provides extra information for the produced alert, such as the time and number of occurrences, the time of detection, the involved entities, any service affected and the criticality of the alert.
Example of a Behavioural Clustering alert
More specifically, the most important information is:
Finally, the MOREAL alert overview page provides links for navigating to views of the raw traffic and security events (button: “View relevant events”) as well as to the IP profile of the involved entity (button: “View IP Profile”).
A behavioural clustering alert includes, among other information, a title characterizing the type of alert and a message describing the reason an alert was triggered.
As the title of the alert in the previous example makes clear, this alert concerns the suspicious behaviour of a given IP.
The alert description can be interpreted as follows:
[IP: 10.0.143.79]
: The first part, enclosed in square brackets, lists the involved entity (IP: 10.0.143.79) and – in specific behavioural clustering alerts – an extra attribute (currently “service”) which further specifies the type of activity that triggered this alert.

30.8% of IPs with similar traffic behavior were associated with threat events
: The second part of the message gives the percentage of monitored entities associated with threat events that had traffic behaviour similar to the above entity during the monitored time window.

Briefly, the MOREAL behavioural clustering engine models and “learns” the communication footprint of past threats and infected workstations. In this specific example, the communication footprint of this workstation (IP: 10.0.143.79) for the last hour (time window) matched the aggregate behaviour of a cluster of IPs, 31% of which had threat-related activity.
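The following Python snippet is an added illustration, not MOREAL's own code, of how a SOC might parse these alert messages when forwarding them to a SIEM or ticketing system: it extracts the involved entity from the bracketed part, the percentage of similar-behaving IPs associated with threat events, and any extra attribute, then keeps only alerts whose cluster threat share exceeds an analyst-chosen threshold. The exact syntax of the “service” attribute inside the brackets, the sample messages and the threshold value are assumptions made for this example.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample alert messages (not taken from a real MOREAL deployment).
# The "[IP: ...]" entity part and the percentage sentence follow the page's
# example; the "service: ..." attribute syntax is an assumption.
SAMPLE_MESSAGES = [
    "[IP: 10.0.143.79]: 30.8% of IPs with similar traffic behavior were associated with threat events",
    "[IP: 10.0.143.79, service: dns]: 12.5% of IPs with similar traffic behavior were associated with threat events",
    "[IP: not-an-ip]: 50% of IPs with similar traffic behavior were associated with threat events",
    "Some unrelated syslog line",
]

# Bracketed attribute list, optional ":" separator, then the free-text body.
ENTITY_RE = re.compile(r"^\[(?P<attrs>[^\]]+)\]\s*:?\s*(?P<body>.*)$")
# Percentage of similar-behaving IPs that were associated with threat events.
PERCENT_RE = re.compile(
    r"(?P<pct>\d+(?:\.\d+)?)%\s+of\s+IPs\s+with\s+similar\s+traffic\s+behaviou?r"
)


@dataclass
class ClusteringAlert:
    ip: str                 # involved entity
    attributes: dict        # extra attributes such as "service" (assumed syntax)
    threat_percent: float   # 0..100, share of the cluster that had threat events
    message: str            # original text, kept for the analyst


def parse_alert(message: str):
    """Parse one alert message; return a ClusteringAlert or None if it does not match."""
    m = ENTITY_RE.match(message.strip())
    if not m:
        return None
    attributes = {}
    for part in m.group("attrs").split(","):
        if ":" not in part:
            return None
        key, value = part.split(":", 1)
        attributes[key.strip().lower()] = value.strip()
    ip = attributes.pop("ip", None)
    if ip is None:
        return None
    try:
        ipaddress.ip_address(ip)  # reject malformed entities instead of trusting the text
    except ValueError:
        return None
    p = PERCENT_RE.search(m.group("body"))
    if not p:
        return None
    pct = float(p.group("pct"))
    if not 0.0 <= pct <= 100.0:
        return None
    return ClusteringAlert(ip=ip, attributes=attributes, threat_percent=pct, message=message)


def triage(messages, threshold_percent):
    """Return parsed alerts whose cluster threat share is at or above the threshold,
    highest first. The threshold is the analyst's choice (assumption), not a MOREAL setting."""
    alerts = [a for a in (parse_alert(m) for m in messages) if a is not None]
    alerts = [a for a in alerts if a.threat_percent >= threshold_percent]
    return sorted(alerts, key=lambda a: a.threat_percent, reverse=True)


if __name__ == "__main__":
    for alert in triage(SAMPLE_MESSAGES, threshold_percent=25.0):
        extra = f" {alert.attributes}" if alert.attributes else ""
        print(f"{alert.ip}: {alert.threat_percent:.1f}% of cluster had threat events{extra}")
```

Running the block prints only the 30.8% alert for 10.0.143.79: the 12.5% alert falls below the threshold, the alert with a malformed IP is dropped rather than propagated, and the unrelated syslog line is ignored. When cross-checking such an alert, the “View relevant events” and “View IP Profile” buttons mentioned above are where the raw traffic behind the percentage can be inspected.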