Analytic

analytic

The Analytic object contains details about the analytic technique used to analyze and derive insights from the data or information that led to the creation of a finding or conclusion.


Attributes

Caption Name Type Is Array Default Description
Category category String The analytic category.
Description desc String The description of the analytic that generated the finding.
Name name String The name of the analytic that generated the finding.
Raw Data raw_data JSON The event data as received from the event source.
Record ID record_id String Unique identifier for the object.
Type type String The analytic type.
Type ID type_id Integer The analytic type ID.
0
Unknown
1
Rule
2
Behavioral
3
Statistical
4
Learning (ML/DL)
5
Fingerprinting
6
Tagging
7
Keyword Match
8
Regular Expressions
9
Exact Data Match
10
Partial Data Match
11
Indexed Data Match
99
Other
Unique ID uid String The unique identifier of the analytic that generated the finding.
Unmapped Data unmapped Unmapped The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.
Version version String The analytic version. For example: 1.1.

Context

Analytic

JSON

            
{
  "caption": "Analytic",
  "name": "analytic",
  "description": "The Analytic object contains details about the analytic technique used to analyze and derive insights from the data or information that led to the creation of a finding or conclusion.",
  "extends": "_entity",
  "attributes": {
    "category": {
      "description": "The analytic category.",
      "requirement": "optional",
      "caption": "Category",
      "type": "string_t"
    },
    "desc": {
      "description": "The description of the analytic that generated the finding.",
      "requirement": "optional",
      "caption": "Description",
      "type": "string_t"
    },
    "name": {
      "description": "The name of the analytic that generated the finding.",
      "requirement": "recommended",
      "caption": "Name",
      "type": "string_t"
    },
    "related_analytics": {
      "@deprecated": {
        "message": "Related Analytics has been decoupled from this object; use <code>finding_info.related_analytics</code> instead.",
        "since": "1.0.0"
      },
      "description": "Other analytics related to this analytic.",
      "requirement": "optional",
      "caption": "Related Analytics",
      "type": "analytic",
      "is_array": true
    },
    "type": {
      "description": "The analytic type.",
      "requirement": "optional",
      "caption": "Type",
      "type": "string_t"
    },
    "type_id": {
      "description": "The analytic type ID.",
      "requirement": "required",
      "enum": {
        "0": {
          "caption": "Unknown",
          "description": "The type is unknown."
        },
        "1": {
          "caption": "Rule",
          "description": "A Rule in security analytics is a set of predefined criteria or conditions used to monitor, alert, or enforce policies; rules play a central role in access control, threat detection, and regulatory compliance across security systems."
        },
        "2": {
          "caption": "Behavioral",
          "description": "Behavioral analytics focus on monitoring and analyzing user or system actions to identify deviations from established patterns, aiding in the detection of insider threats, fraud, and advanced persistent threats (APTs)."
        },
        "3": {
          "caption": "Statistical",
          "description": "Statistical analytics pertains to analyzing data patterns and anomalies using statistical models to predict, detect, and respond to potential threats, enhancing overall security posture through informed decision-making."
        },
        "4": {
          "caption": "Learning (ML/DL)",
          "description": "Learning (ML/DL) encompasses techniques that can \"learn\" from known data to create analytics that generalize to new data. There may be a statistical component to these techniques, but it is not a requirement."
        },
        "5": {
          "caption": "Fingerprinting",
          "description": "Fingerprinting is the technique of collecting detailed system data, including software versions and configurations, to enhance threat detection, data loss prevention (DLP), and endpoint detection and response (EDR) capabilities."
        },
        "6": {
          "caption": "Tagging",
          "description": "Tagging refers to the practice of assigning labels or identifiers to data, users, assets, or activities to monitor, control access, and facilitate incident response across various security domains such as DLP and EDR."
        },
        "7": {
          "caption": "Keyword Match",
          "description": "Keyword Match involves scanning content for specific terms to identify sensitive information, potential threats, or policy violations, aiding in DLP and compliance monitoring."
        },
        "8": {
          "caption": "Regular Expressions",
          "description": "Regular Expressions are used to define complex search patterns for identifying, validating, and extracting specific data sets or threats within digital content, enhancing DLP, EDR, and threat detection mechanisms."
        },
        "9": {
          "caption": "Exact Data Match",
          "description": "Exact Data Match is a precise comparison technique used to detect the unauthorized use or exposure of specific, sensitive information, crucial for enforcing DLP policies and protecting against data breaches."
        },
        "10": {
          "caption": "Partial Data Match",
          "description": "Partial Data Match involves identifying instances where segments of sensitive information or patterns match, facilitating nuanced DLP and threat detection without requiring complete data conformity."
        },
        "11": {
          "caption": "Indexed Data Match",
          "description": "Indexed Data Match refers to comparing content against a pre-compiled index of sensitive information to efficiently detect and prevent unauthorized access or breaches, streamlining DLP and compliance efforts."
        },
        "99": {
          "caption": "Other",
          "description": "The type is not mapped. See the <code>type</code> attribute, which contains a data-source-specific value."
        }
      },
      "caption": "Type ID",
      "sibling": "type",
      "type": "integer_t"
    },
    "uid": {
      "description": "The unique identifier of the analytic that generated the finding.",
      "requirement": "recommended",
      "caption": "Unique ID",
      "type": "string_t"
    },
    "version": {
      "description": "The analytic version. For example: <code>1.1</code>.",
      "requirement": "optional",
      "caption": "Version",
      "type": "string_t"
    },
    "raw_data": {
      "group": "context",
      "caption": "Raw Data",
      "description": "The event data as received from the event source.",
      "type": "json_t"
    },
    "record_id": {
      "description": "Unique identifier for the object.",
      "group": "primary",
      "requirement": "required",
      "caption": "Record ID",
      "type": "string_t"
    },
    "unmapped": {
      "caption": "Unmapped Data",
      "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
      "type": "unmapped",
      "is_array": true
    }
  },
  "constraints": {
    "at_least_one": [
      "name",
      "uid"
    ]
  }
}