Hi @leodas,
Breaking this down:
"2 standard deviations away from the historical average": This refers to a common statistical method for identifying outliers. The historical average represents the typical behavior of the entity (e.g., a user, a file, or an IP address). Two standard deviations away from this average indicates a significant deviation from the norm.
"if the entity has a coefficient of variation < 0.1": The coefficient of variation (CV) measures the variability of data relative to its mean. A CV of less than 0.1 indicates that the data is relatively consistent. This condition ensures that the deviation from the average is not simply due to high variability in the entity's historical data.
"and was observed for at least 9 of the last 30 days": This condition ensures that the entity has been active. It helps to filter out false positives caused by short-term fluctuations or infrequent activity.
In summary, this rule triggers a detection when an entity's activity deviates significantly from its typical behavior, but only if the entity's data is relatively consistent and it has been active. This helps to identify truly anomalous activity and reduce false positives.
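To make the three conditions concrete, here is an added example (my own illustration, not code from the original poster or from any vendor's detection engine) that evaluates the rule over one entity's daily event counts. The 30-day window, the "observed" definition (a non-zero count on that day), and the choice to compute the baseline over observed days only are assumptions made for the illustration; the 2-standard-deviation, CV < 0.1 and 9-of-30 thresholds are the ones quoted in the thread.

```python
"""
Worked example of the anomaly rule discussed above (added illustration, not
the original post's or a product's code).

Rule as paraphrased in the thread:
  1. the entity was observed on at least 9 of the last 30 days,
  2. the entity's coefficient of variation (stdev / mean) is < 0.1,
  3. today's value is at least 2 standard deviations from the historical mean.

Assumptions for this illustration: a day counts as "observed" when its event
count is non-zero, and the mean/stdev baseline is computed over observed days
only, so inactive days do not inflate the variance.
"""
from dataclasses import dataclass
from statistics import mean, pstdev

WINDOW_DAYS = 30        # history length the rule looks back over (assumed)
MIN_OBSERVED_DAYS = 9   # "observed for at least 9 of the last 30 days"
MAX_CV = 0.1            # "coefficient of variation < 0.1"
Z_THRESHOLD = 2.0       # "2 standard deviations away"


@dataclass
class Verdict:
    triggered: bool
    reason: str          # which gate decided the outcome
    observed_days: int
    cv: float            # stdev / mean of the baseline (0.0 if undefined)
    z_score: float       # (today - mean) / stdev, signed


def evaluate(history, today):
    """Apply the rule to `history` (daily counts, oldest first) and `today`."""
    window = list(history)[-WINDOW_DAYS:]
    observed = [c for c in window if c > 0]

    # Gate 1: the entity must have enough history to have a meaningful baseline.
    if len(observed) < MIN_OBSERVED_DAYS:
        return Verdict(False, "insufficient_activity", len(observed), 0.0, 0.0)

    mu = mean(observed)
    sigma = pstdev(observed)
    cv = sigma / mu if mu else 0.0

    # Signed z-score; a zero-variance baseline makes any change infinitely far.
    if sigma == 0:
        z = float("inf") if today != mu else 0.0
    else:
        z = (today - mu) / sigma

    # Gate 2: a noisy entity (high CV) never fires, whatever today's value is.
    if cv >= MAX_CV:
        return Verdict(False, "too_variable", len(observed), cv, z)

    # Gate 3: the deviation itself, in either direction.
    if abs(z) >= Z_THRESHOLD:
        return Verdict(True, "anomalous", len(observed), cv, z)
    return Verdict(False, "within_baseline", len(observed), cv, z)


# Constructed sample histories (30 days each) for three kinds of entity.
CONSISTENT = [100, 102, 98, 101, 99, 100, 103, 97, 100, 101] * 3  # steady host
NOISY = [50, 150] * 15                                           # alternating load
SPARSE = [100] * 5 + [0] * 25                                    # rarely seen


if __name__ == "__main__":
    for label, hist, today in [
        ("consistent, spike", CONSISTENT, 110),
        ("consistent, normal", CONSISTENT, 103),
        ("noisy, big spike", NOISY, 300),
        ("sparse", SPARSE, 100),
    ]:
        v = evaluate(hist, today)
        print(f"{label:20s} triggered={v.triggered!s:5} reason={v.reason:21s} "
              f"obs={v.observed_days:2d} cv={v.cv:.3f} z={v.z_score:.2f}")
```

The ordering of the gates matters for false-positive reduction: the activity and CV checks run before the deviation check, so an entity that is only seen a handful of times, or whose normal behaviour swings widely, never reaches the "2 standard deviations" comparison at all. That is exactly why the consistent host fires on a 10% jump while the noisy one stays quiet on a 200% one.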