Need help - how to detect abnormal User behaviour (sequence of actions) using Elastic ML (or other tools)?
For example - user can perform following actions:
Login
Read Patients List
Read Patient Info
Read Clinical Notes of Patient
Add Clinical Note to a Patient
Logout
(Nurse opened application, found a Patient, reviewed recent Clinical Notes and added a new one, then left the application)
I'd like to be able to automatically detect abnormal behaviour like
Login
Add Clinical Note to a Patient
Logout
Logout
Logout
(Suspicious user/bot was able to select Patient without viewing List of Patients and immediately added Clinical Note without viewing list of existing notes, plus hit Logout URL 3 times in a row)
There are many possible actions and different types of users (Nurse, Doctor, Personal Support Worker, Clinic Manager, etc.); users may also open multiple browser tabs, etc. User role is not recorded in events, and different Clinics may have their own roles.
So I'd like to automatically classify each user's actions, group users with common action sequences into groups, and generate an alert when a User starts behaving differently than its group or itself.
Elastic's unsupervised anomaly detection jobs would be suitable for this use case. They can learn what the typical actions for a user are against a given page/url, and alert you when abnormal page interactions are detected.
However, you can also build sequence queries with EQL, and create detections on specific sequences of events (or mismatch of sequences).
If you wanted to look for something exactly like you described, you can create a sequence rule like:
sequence by user.name,source.ip with maxspan=1m
[ authentication where event.action:"login"]
[ any where event.action:"<action representing notes>"]
[ authentication where event.action:"logout"] with runs=3
You can build any sequence that you'd like to be alerted on.
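As an added example (not part of this thread, and not Elastic's or the ML job's own code), here is the same idea in plain Python: sessions are learned from known-good users as a table of action-to-action transitions, and a new session is flagged when it contains a transition never seen before (Login straight to Add Clinical Note) or hits the same action repeatedly (Logout three times). The user names and event stream are constructed sample data.

```python
from collections import Counter, defaultdict

EVENTS = [  # constructed (user, action) stream in time order; sample data, not from the post
    ("nurse_a", "Login"), ("nurse_a", "Read Patients List"), ("nurse_a", "Read Patient Info"),
    ("nurse_a", "Read Clinical Notes of Patient"), ("nurse_a", "Add Clinical Note to a Patient"), ("nurse_a", "Logout"),
    ("nurse_b", "Login"), ("nurse_b", "Read Patients List"), ("nurse_b", "Read Patient Info"),
    ("nurse_b", "Read Clinical Notes of Patient"), ("nurse_b", "Logout"),
    ("unknown_c", "Login"), ("unknown_c", "Add Clinical Note to a Patient"), ("unknown_c", "Logout"), ("unknown_c", "Logout"), ("unknown_c", "Logout"),
]

def sessions_from_events(events):
    """Split the stream into per-user sessions; each Login starts a new session."""
    per_user = defaultdict(list)
    for user, action in events:
        if action == "Login" or not per_user[user]:
            per_user[user].append([])
        per_user[user][-1].append(action)
    return per_user

def bigrams(actions):
    """Successive action pairs, with sentinels so the first and last actions are modelled too."""
    seq = ["<start>", *actions, "<end>"]
    return list(zip(seq, seq[1:]))

def build_baseline(sessions):
    """Count every transition observed in known-good sessions."""
    model = Counter()
    for actions in sessions:
        model.update(bigrams(actions))
    return model

def score_session(model, actions, max_repeat=2):
    """Flag transitions absent from the baseline and any action repeated more than max_repeat times in a row."""
    findings = []
    for prev, nxt in bigrams(actions):
        msg = f"unseen transition: {prev} -> {nxt}"
        if model[(prev, nxt)] == 0 and msg not in findings:
            findings.append(msg)
    run = 1
    for prev, nxt in zip(actions, actions[1:]):
        run = run + 1 if prev == nxt else 1
        if run == max_repeat + 1:
            findings.append(f"repeated action: {nxt} x{run}")
    return findings

def detect(events, baseline_users):
    """Learn the baseline from the named users' sessions, then score every user's sessions."""
    per_user = sessions_from_events(events)
    model = build_baseline(s for u in baseline_users for s in per_user[u])
    return {u: [score_session(model, s) for s in ss] for u, ss in per_user.items()}
```

With `detect(EVENTS, ["nurse_a", "nurse_b"])` the two nurse sessions produce no findings while `unknown_c` is flagged for the unseen Login-to-Add transition and the triple Logout; on real data the baseline would be built per group of similar users rather than from a hand-picked list.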