Behavior Profiles

Overview

A behavior profile is a dataset that records and stores user, process, or communication activity within a specific system or application.

Behavior profiles let stream and batch rules identify activity that deviates from the typical user, process, or communication pattern. For example, a behavior profile built from the past year of VPN access logs lets a stream rule detect, in real time, logins from dormant accounts or access from IP address ranges an account has never used before. In a fraud detection scenario, a profile of prior transactions can flag fund transfers to accounts with no transaction history.

Behavior profiles are updated (built) periodically according to the configured schedule. During the update process, stream and batch detection rules continue to reference the existing behavior profile data until the update is complete.

Search Behavior Profile

You can view or search behavior profiles under Policies > Behavior Profiles.

  • Status: Availability status (Green: Available, Gray: Unavailable)
  • Name: Behavior profile name
  • Count: Number of records in the profile
  • Build Interval: Frequency at which the profile query is executed to regenerate the data
  • Build Status: Build state of the behavior profile (Pending/Building/Completed)
  • Build: Toggle button to start or cancel a build.
  • Owner: User account that created the behavior profile
  • Build At: Timestamp of the last completed build
  • Modified At: Creation date or last modification date of the behavior profile

To locate a specific behavior profile in the list, use the search tool in the toolbar. The search tool filters profiles based on keywords found in the Name and Description fields. The search is not case-sensitive.

Download Behavior Profile List

To download the behavior profile list as a file to your local PC, click Download in the toolbar.

Refresh Behavior Profile List

To update the behavior profile list with the latest information, click Refresh in the toolbar.

Build Profile

Behavior profiles are automatically updated according to their build schedules. To update a profile immediately, click Build Now in the Build column of the behavior profile list.

The build duration depends on the data volume. For example, if a behavior profile covers a year of VPN access data, schedule its builds for off-peak hours, such as late at night, to minimize system load.

Add Behavior Profile

To add a behavior profile:

  1. Go to Policies > Behavior Profiles and click Add in the toolbar.

  2. In the Add Behavior Profile screen, enter the required values and click OK.

    • Name: Unique name for the behavior profile (up to 50 characters)
    • Description: Detailed description of the profile (up to 2,000 characters)
    • Build Schedule: Schedule for profile updates specified in CRON format (default: January 1st, 00:00)
    • Key Field: Field name(s) used as a key for comparison in the behavior profile (up to 1,000 characters). To specify multiple fields, separate them with commas (,). For example, in a VPN login anomaly detection scenario, set the account name field (e.g., emp_key) as the key field. Once added, the key field cannot be changed.
    • Query Statement: Query string used to generate the behavior profile data (up to 2,000 characters). Typically, the query should use duration or a combination of from and to so that each scheduled build incorporates recent data. The query results must contain the key field, and each key value must be unique within the behavior profile; if the raw data contains several rows per key (for example, every VPN login of an account), aggregate them by the key field so that the profile stores one row per key (in the VPN access anomaly detection example, one row per emp_key). Once added, the query statement cannot be modified.
    • Granted Users: List of user accounts with view and edit permissions for the behavior profile
    • Granted Groups: List of user groups with view and edit permissions for the behavior profile
    Note
    Only cluster administrators and administrators can build profiles or modify query statements for behavior profiles. Even if permissions are granted through group sharing, they are applied at the account level.
  3. Click OK to complete the setup.
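
As an added example (not code from the original documentation or the product itself), the following Python models what the key field and query statement settings above require and what the VPN scenario in the Overview relies on: it aggregates constructed VPN access records so that the key field emp_key is unique, checks a query result for duplicate keys (including comma-separated composite keys), and evaluates new logins for dormant accounts and unseen IP address ranges. The field names emp_key, src_ip and _time, the 90-day dormancy threshold, the /24 network granularity and the sample records are all assumptions for illustration; in the product, the aggregation is done by the query statement and the matching by stream or batch rules.

```python
from datetime import datetime, timedelta
from ipaddress import ip_network

# Constructed sample: one year of VPN access records (emp_key, src_ip, _time).
# E1001 appears twice, so this raw data is NOT yet valid profile data.
HISTORY = [
    {"emp_key": "E1001", "src_ip": "203.0.113.10", "_time": datetime(2024, 1, 15, 9, 0)},
    {"emp_key": "E1001", "src_ip": "203.0.113.22", "_time": datetime(2024, 11, 2, 8, 30)},
    {"emp_key": "E2002", "src_ip": "198.51.100.7", "_time": datetime(2024, 2, 1, 10, 0)},
    {"emp_key": "E3003", "src_ip": "192.0.2.5", "_time": datetime(2024, 12, 1, 7, 45)},
]

# Assumed threshold and granularity for illustration.
DORMANT_AFTER = timedelta(days=90)   # no login for 90 days => "dormant"
RANGE_PREFIX = 24                    # compare source IPs at /24 granularity


def validate_key_uniqueness(rows, key_field):
    """Check query output the way the profile build requires it: every
    combination of key field values must occur exactly once. key_field is the
    comma-separated string from the Key Field setting, e.g. "emp_key" or
    "emp_key,device_id". Returns the sorted duplicated key tuples (empty = valid)."""
    keys = [k.strip() for k in key_field.split(",")]
    seen, dupes = set(), set()
    for row in rows:
        k = tuple(row[f] for f in keys)
        if k in seen:
            dupes.add(k)
        seen.add(k)
    return sorted(dupes)


def build_profile(records):
    """Aggregate raw records into one row per emp_key, mirroring what the
    profile query should do (an aggregation by the key field) so the key is
    unique. Each row keeps the last login time, the set of /24 source networks
    seen, and a login count."""
    profile = {}
    for r in records:
        net = str(ip_network(f"{r['src_ip']}/{RANGE_PREFIX}", strict=False))
        row = profile.setdefault(
            r["emp_key"], {"last_login": r["_time"], "networks": set(), "logins": 0}
        )
        row["last_login"] = max(row["last_login"], r["_time"])
        row["networks"].add(net)
        row["logins"] += 1
    return profile


def check_event(profile, event):
    """Evaluate one new VPN login against the profile and return the anomaly
    labels that apply (the kind of checks a stream rule would express)."""
    findings = []
    row = profile.get(event["emp_key"])
    if row is None:
        return ["unknown_account"]          # key absent from the profile entirely
    if event["_time"] - row["last_login"] > DORMANT_AFTER:
        findings.append("dormant_account")  # first login after a long gap
    net = str(ip_network(f"{event['src_ip']}/{RANGE_PREFIX}", strict=False))
    if net not in row["networks"]:
        findings.append("unseen_ip_range")  # /24 never seen for this account
    return findings


# Constructed new events arriving after the profile was built.
NOW = datetime(2024, 12, 20, 9, 0)
NEW_EVENTS = [
    {"emp_key": "E1001", "src_ip": "203.0.113.99", "_time": NOW},  # active, known /24
    {"emp_key": "E2002", "src_ip": "10.9.9.9", "_time": NOW},      # dormant, new /24
    {"emp_key": "E3003", "src_ip": "192.0.2.77", "_time": NOW},    # active, known /24
    {"emp_key": "E9999", "src_ip": "192.0.2.5", "_time": NOW},     # never seen
]


def evaluate(records=HISTORY, events=NEW_EVENTS):
    """Build the profile from records and return {emp_key: findings} per event."""
    profile = build_profile(records)
    return {ev["emp_key"]: check_event(profile, ev) for ev in events}


if __name__ == "__main__":
    print("duplicate keys in raw data:", validate_key_uniqueness(HISTORY, "emp_key"))
    for emp_key, findings in evaluate().items():
        print(emp_key, findings or ["ok"])
```

Running it prints the duplicate key in the raw data (E1001) and, after aggregation, no anomaly for the active accounts, both dormant_account and unseen_ip_range for E2002, and unknown_account for E9999. The same idea expressed as a profile query would aggregate by emp_key so that the stored profile carries exactly one row per account.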

View Behavior Profile Data

Click the name of the behavior profile in the list to view its settings and corresponding data.

You can apply filters to refine the displayed data. To add a filter, click Add next to Filter.

Edit Behavior Profile

To edit a behavior profile:

  1. Click the name of the behavior profile in the list.
  2. In the Edit Behavior Profile screen, update the information and click OK.
    • Refer to the Add Behavior Profile section for details on editable fields.
    • Key field and Query statement cannot be modified. To change these, delete and recreate the behavior profile.

Using Behavior Profile

Scenario Builder

When adding or modifying a stream rule under Policies > Stream Rules, you can use the scenario builder to leverage behavior profiles. Ensure that the input field type and name match the behavior profile's key field type and name.


The following table outlines the behavior profile-related function available in the scenario builder. For more details, see Rules and Parameters by Field Type.

  Rule  | Parameter        | Range                      | Description
  Other | Behavior profile | Select a behavior profile. | Filters values matching the behavior profile's key field.
Query

When adding or modifying detection rules under Policies > Stream Rules or Policies > Batch Rules, you can use the matchbehavior command or matchbehavior() function to apply behavior profiles. Behavior profiles can also be used in any function that accepts query inputs.

To use the matchbehavior command or matchbehavior() function, you need the behavior profile's GUID, which is shown in the browser's address bar when you open the profile's detail page.

Delete Behavior Profile

To delete a behavior profile:

  1. Select the checkbox of the behavior profile(s) to delete in the list.
  2. Click Delete in the toolbar.
  3. In the Delete Behavior Profile dialog box, review the selected profiles and click Delete. To cancel, click Cancel.
Caution
Deleting a behavior profile that is still referenced by stream or batch detection rules may cause those rules to function incorrectly. Update or remove the references in the rules before deleting the profile.