This topic describes how to add an existing baseline to a playbook in Easy Mode. To create a baseline, use Advanced Mode.
A baseline is a set of behavioral data that serves as a reference for establishing normal IT activities, making it easier for security analysts to identify anomalies that indicate the presence of threats.
For example, you might use a baseline to compare a user's bank account balance within the past 24 hours with the daily balance over the past 30 days. If the behavior is inconsistent, it might indicate suspicious activity.
When you create a baseline, LogicHub automatically sets up a stream with batches to generate the data for comparison. The comparison data becomes the history against which the current or most recent behavior is measured and scored. If the pattern of data in the history is within the baseline, the calculated score is low; if not, the score is high. (As with other scoring mechanisms, you can manually modify the computed score.)
Like an event type, a baseline is a mechanism for inputting data into a playbook. An event type specifies the external data source that supplies data to a playbook. A baseline specifies an external data source but also performs actions within the baseline playbook to generate the data for comparison. A baseline can be added only at the beginning of a playbook.
An event type, a baseline, or both can be used to kick off the activity within a playbook. For example, if your playbook is intended to flag new suspicious account activity to report to the IRS, you might include a baseline that identifies unusual changes in account balances and also include an event type that allows you to filter out information about accounts that are already known to be suspicious.
When setting up a baseline, you specify the number of batches to generate and the interval between the batches. Having more batches allows you to compare data over a longer period of time. For example, if normal activity varies over the course of a day, you may want your history to encompass multiple days. It's not necessary to wait for the batches to complete. If you are running baseline batches every hour over the course of several days, you can start seeing results before the several-day period is over. As more and more batches are executed, the score is automatically adjusted to reflect the accumulation of additional data.
To add a baseline in Easy Mode:
- If the baseline doesn't already exist, create it in Advanced Mode.
- Create a new playbook in Easy Mode or edit an existing one.
- In the playbook editor, hover over the Start step and click +.
- Under ‘What do you want to automate?’, find and select the Get Data from Baseline automation. If you click + for another step, a message indicates that the baseline must be added at the beginning and gives you the option to add it under Start.
- Select the baseline you want to collect data from.
- To set times for the baseline, click Show Optional Fields. You can specify offset times or specific times.
- Click Run.
The baseline is added to the playbook and executed according to the schedule you specified.
Updated over 1 year ago