Add a Baseline in Advanced Mode

In Advanced Mode, a baseline allows you to compare current (most recent) behavior with past behavior to determine whether the current behavior is consistent. For example, you might use a baseline to compare a user's bank account balance within the past 24 hours with the daily balance over the past 30 days. If the behavior is inconsistent, it might indicate suspicious activity.

📘

Note

To view or set up baselines, you must be in a group that has Baseline permission. For more information, see Manage Users.

When you create a baseline, LogicHub automatically sets up a stream with batches to generate the data for comparison. The comparison data becomes the history against which the current or most recent behavior is measured and scored. If the pattern of data in the history is within the baseline, the calculated score is low; if not, the score is high. (As with other scoring mechanisms, you can manually modify the computed score.)

Like an event type, a baseline is a mechanism for inputting data into a playbook. An event type specifies the external data source that supplies data to a playbook. A baseline specifies an external data source but also performs actions within the baseline playbook to generate the data for comparison.

An event type, a baseline, or both can be used to kick off the activity within a playbook. For example, if your playbook is intended to flag new suspicious account activity to report to the IRS, you might include a baseline that identifies unusual changes in account balances and also include an event type that lets you filter out accounts that are already known to be suspicious.

When setting up a baseline, you specify the number of batches to generate and the interval between the batches. Having more batches allows you to compare data over a longer period of time. For example, if normal activity varies over the course of a day, you may want your history to encompass multiple days. It's not necessary to wait for the batches to complete. If you are running baseline batches every hour over the course of several days, you can start seeing results before the several-day period is over. As more and more batches are executed, the score is automatically adjusted to reflect the accumulation of additional data.

Adding a baseline to a playbook involves two tasks:

  1. Create a baseline.
  2. Add the baseline to a playbook, modifying the default settings as needed.

Create a Baseline

When you create a baseline, it becomes available for use in any playbook that you create or is shared with you.

  1. Follow the process in Create a Playbook in Advanced Mode to create a playbook that defines the baseline. Give the playbook a meaningful name, and add the data source you want to use as the event type.
  2. Design the playbook with the calculations that you want to use for the baseline. In the following example, the playbook takes aggregate data on a user's bank accounts, calculates the balances of the user's Wells Fargo, Chase, and Bank of America accounts, aggregates them, and generates a final balance for the day.
  3. Select the step containing the result of the calculation (finalBalance in the example) and select Actions > Create Baseline.

A Create Baseline form opens up.

Enter the following details in the form. Which fields are shown depends on whether you are creating a baseline for a single playbook or using the Schedule option on the Playbooks page to set up baselines for several playbooks at once.

Field Name

Description

Baseline Name

Enter a name to identify the baseline.

Batch Length

Enter the time in minutes (or hours) between successive batch runs. When each batch runs, it collects the data for that interval, plus any overlap. If you selected multiple playbooks and want to specify a different batch length for each, click Customize for each playbook, select the interval for each, and click Done.

CRON

Click CRON to specify the run schedule by time of day instead of by frequency (a value and time units). For help with cron syntax, use a formatter such as crontab guru. Cron schedules are evaluated in the UTC timezone. A non-empty cron schedule overrides batch length-based scheduling; to use batch length-based scheduling, leave the cron field empty.

Execution Delay

To delay the baseline execution for a set interval, enter the delay interval in minutes (or hours).

Number of Past Batches

Enter the number of past batches to preserve for comparison.

Auto Rerun

Select this option to automatically rerun the batches on error.

Pause on Error

Select this option to pause the baseline automatically when a batch fails with an error.

The baseline is saved, and calculations begin to run as batches according to the specified interval (length of time between batches) and number of batches.

  4. To view the batches generated by the baseline, click the baseline that you created.

The baseline is now available to be added to another playbook.
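The form fields above interact in ways that are easy to get wrong (a cron entry silently replaces the batch length schedule, cron times are UTC, and the execution delay moves the run rather than the data window). The following is an added example, not LogicHub code: it models those fields as described on this page so you can see when each batch would run and what interval it would collect. The window arithmetic, the ISO-8601 inputs, the minimal cron support (only the daily `M H * * *` form) and the function names are all assumptions made for the example.

```python
"""Illustrative model of how the Create Baseline fields shape batch runs.
Added example, not LogicHub code.  The field semantics follow the page
(batch length, a UTC cron that overrides batch-length scheduling, execution
delay, number of past batches kept); the window arithmetic and the
deliberately minimal cron support are assumptions made for the example."""
from datetime import datetime, timedelta, timezone


def _utc(iso):
    """Parse an ISO-8601 timestamp and normalise it to UTC (cron runs in UTC)."""
    return datetime.fromisoformat(iso).astimezone(timezone.utc)


def parse_daily_cron(expr):
    """Only 'M H * * *' (every day at H:M UTC) is modelled here (assumption)."""
    fields = expr.split()
    if len(fields) != 5 or fields[2:] != ["*", "*", "*"]:
        raise ValueError("only 'M H * * *' cron expressions are modelled")
    return int(fields[1]), int(fields[0])


def due_times(start, batch_length_min, count, cron=""):
    """When successive batches fall due (before any execution delay).
    A non-empty cron field overrides the batch length, as the page states."""
    if cron.strip():
        hour, minute = parse_daily_cron(cron)
        first = start.replace(hour=hour, minute=minute, second=0, microsecond=0)
        if first <= start:
            first += timedelta(days=1)
        return [first + timedelta(days=k) for k in range(count)]
    step = timedelta(minutes=batch_length_min)
    return [start + step * (k + 1) for k in range(count)]


def run_plan(start_iso, batch_length_min, count, delay_min=0, cron="",
             overlap_min=0, keep=None):
    """One entry per batch: when it executes and the data window it collects.
    The window is the batch length plus overlap, ending when the batch falls
    due; the execution delay shifts the run, not the window (assumption)."""
    start = _utc(start_iso)
    plan = []
    for due in due_times(start, batch_length_min, count, cron):
        lo = due - timedelta(minutes=batch_length_min + overlap_min)
        plan.append({
            "runs_at": (due + timedelta(minutes=delay_min)).isoformat(),
            "window": (lo.isoformat(), due.isoformat()),
        })
    if keep is not None:
        # Number of Past Batches: only the newest batches are preserved
        plan = plan[-keep:]
    return plan


if __name__ == "__main__":
    # Hourly batches, 5 minute delay, 10 minute overlap
    for entry in run_plan("2024-01-01T00:00:00+00:00", 60, 3,
                          delay_min=5, overlap_min=10):
        print(entry)
    # Same batch length, but a cron entry takes over: daily at 02:30 UTC
    for entry in run_plan("2024-01-01T05:00:00+05:00", 60, 3,
                          cron="30 2 * * *"):
        print(entry)
```

The second call starts the stream at 05:00 in a UTC+5 zone; because cron is evaluated in UTC, the first run lands at 02:30 UTC the same day rather than at 02:30 local time, which is the kind of surprise the UTC note above is warning about.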

Add a Baseline to a Playbook

You can add a baseline that you have defined (or has been shared with you) to a playbook at any time.

  1. Create or edit a playbook in Advanced Mode.
  2. Click Source on the icon bar in the top-right of the page.
  3. Click Baselines to load the list of available baselines.
  4. Select the baseline to add to the playbook, and click Add. (You can select multiple baselines to add them at the same time.)

The baseline is added to the playbook. It appears as a 4-step component.

  • The top step is the root of the baseline.
  • The middle left step selects the current batch that is compared against the baseline history. For example, the following figure shows that the middle left step is filtering a baseline table for the most recent batch (indicated by -1 in the query).
  • The middle right step is the series of batches that make up the baseline. For example, the following figure shows that the middle right step is filtering a baseline table for the last 30 batches (indicated by -30 in the query).

You can modify the queries for the elements in the baseline, if needed, and continue to build your playbook. In the following example, an event type is added so that known suspicious accounts can be filtered out from the account balance analysis.
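To make the comparison concrete, the following is an added example, not LogicHub code and not its scoring algorithm (this page does not document the formula). It builds a constructed baseline table in the shape the finalBalance playbook above would produce, splits it the way the generated queries do (the newest batch for `-1`, the batches before it for `-30`), and scores each user's current balance against their history. A robust z-score (median and median absolute deviation) is assumed as the comparison; the column names, the `split_batches` and `score_current_batch` helpers and the 0 to 10 scale are also assumptions. It also shows the point made earlier that the score changes as more batches accumulate: a user with a weekly cycle looks anomalous against 3 batches of history but ordinary against 30.

```python
"""Illustrative comparison of the most recent baseline batch against the
batches that precede it.  Added example, not LogicHub code: the page does
not document LogicHub's scoring formula, so a robust z-score (median and
median absolute deviation) is assumed here purely to show the shape of the
comparison.  The table layout (batch_index, user, finalBalance) is likewise
an assumption."""
from math import floor, inf
from statistics import median

# Constructed baseline table, one row per (batch, user).  Batches 0..34 are
# history; batch 35 is the current batch.  alice's current balance jumps,
# bob's is ordinary, carol's follows a 7-batch cycle that a short history
# cannot see.
HISTORY_BATCHES = 35
CURRENT = {"alice": 25000, "bob": 1230, "carol": 9000}


def build_table():
    rows = []
    for i in range(HISTORY_BATCHES):
        rows.append({"batch_index": i, "user": "alice", "finalBalance": 5000 + (i % 3) * 40})
        rows.append({"batch_index": i, "user": "bob", "finalBalance": 1200 + (i % 5) * 10})
        rows.append({"batch_index": i, "user": "carol", "finalBalance": 9000 + (i % 7) * 300})
    for user, balance in CURRENT.items():
        rows.append({"batch_index": HISTORY_BATCHES, "user": user, "finalBalance": balance})
    return rows


def split_batches(table, n_history):
    """Current rows (the newest batch, i.e. the '-1' filter) and history rows
    (the n_history batches before it, i.e. the '-30' filter when n_history=30)."""
    newest = max(r["batch_index"] for r in table)
    current = [r for r in table if r["batch_index"] == newest]
    history = [r for r in table if newest - n_history <= r["batch_index"] < newest]
    return current, history


def robust_z(value, history_values):
    """Distance of value from the history median, in MAD-scaled units."""
    med = median(history_values)
    mad = median(abs(v - med) for v in history_values)
    dev = abs(value - med)
    if mad == 0:                      # flat history: any change at all is anomalous
        return 0.0 if dev == 0 else inf
    return dev / (1.4826 * mad)       # 1.4826 scales MAD to a std-dev estimate


def score_current_batch(table, n_history=30, cap=10):
    """Per-user score from 0 to cap: low when the current value sits inside
    the history, high when it does not."""
    current, history = split_batches(table, n_history)
    scores = {}
    for row in current:
        hist = [h["finalBalance"] for h in history if h["user"] == row["user"]]
        z = robust_z(row["finalBalance"], hist)
        scores[row["user"]] = cap if z == inf else min(cap, floor(z))
    return scores


if __name__ == "__main__":
    table = build_table()
    print("30-batch history:", score_current_batch(table, 30))
    print(" 3-batch history:", score_current_batch(table, 3))
```

With 30 batches of history alice scores 10 (her balance jumped from about 5,040 to 25,000), bob scores 0 and carol scores 1; with only 3 batches carol scores 3, because the short window caught only the high part of her cycle. That is why the history should span the full period over which normal activity varies, and why scores are expected to settle as batches accumulate.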

Auto Rerun

Select this option to schedule an automatic rerun of a batch when it fails with an error. By default, the maximum number of reruns is 3; you can increase or decrease it as needed.

📘

Note

By default, the wait time to rerun the batch is 4 minutes.

Example: if a batch fails with an error and Auto Rerun is enabled, the batch waits 4 minutes before the first automatic rerun. If that rerun also fails, it waits another 4 minutes before the second rerun, and so on until the configured number of reruns has been used.

Pause on Error

Selecting this option automatically pauses the stream when a batch fails with an error, and the status of the stream changes to Auto-paused. You can resume the stream at any time by selecting it on the Streams page and clicking Resume.
