Alert Type Model Summary

Use this topic for a high-level summary of each alert type, whether it is based on Analytics or Machine Learning (and which type), and the training time each one requires. Optionally, expand any alert name for more specifics on that alert type.

  • Machine Learning (ML): Stellar Cyber's powerful artificial intelligence system uses a variety of models to analyze data and may aggregate many alert logs to generate one Stellar Cyber alert.

    • Unsupervised ML – Unsupervised models power the alert types that look for deviations from normal patterns. These models learn the normal pattern within a particular customer environment, such as which application usage is normal for which users. After that initial learning period, the alert types trigger when activity differs significantly from the observed normal pattern; for example, a user observed using an application they have never used before would trigger this kind of alert. Unsupervised Machine Learning is applicable when there is no clear identifier for what "bad" looks like.

    • Supervised ML – Supervised models power the alert types that look for known bad patterns, based on training performed on large-scale datasets. An example of a bad pattern here is a recently registered domain used for data exfiltration. There are enough real-world examples of this type of activity that a model can be constructed to identify it with a certain level of confidence. Supervised machine learning models require no customer training period because they are already "trained" and ready to be used. In summary, Supervised Machine Learning is used when there are clear identifiers for what "bad" looks like, but the pattern is far too computationally complex for a simple "rule" to capture.

    For more details, refer to the overview of Machine Learning and the details for each alert type that may be produced in the Machine Learning pathway.

  • Analytics – These results are based on security rules. These alert types rely on simple arithmetic or logic conditions instead of machine learning. For example, a Bad Reputation alert may trigger if a source IP has a reputation of "Bad Reputation". Another example is looking for suspicious RDP activity that matches a certain process name. You can also use Stellar Cyber's Statistical Analysis engine to create your own Automated Threat Hunting rules. Additionally, you can configure external Threat Intelligence feeds, which are reported as Emerging Threat alerts, although their data may also contribute to other Machine Learning alerts.

Training Time

Certain ML models learn the data distribution in your network automatically, but they require two weeks of observed data to build an approximation of the real distribution. After that baseline is established, the model is automatically updated every 24 hours. Use the table below as a guide to which alert types need to run in your environment for two weeks before they begin reporting.

XDR Display Name | Model Type | Machine Learning Model Requires Two Weeks

The per-alert rows of this table are not reproducible here: the extracted text retains only the Model Type (Unsupervised, Supervised, Analytics, or Unsupervised+Analytics) and the two-week flag (Y/N) for each row, without the XDR Display Name that identifies the alert type.
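The following is an added illustration, not Stellar Cyber code, of the distinction this page draws: a toy unsupervised baseline that stays silent during a two-week learning period and then flags a user's first-seen application, beside an Analytics-style rule that needs no training. The event fields, the user and application names, and the `203.0.113.x` reputation list are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Two weeks of observation before the model may report, as the Training Time section states.
LEARNING_PERIOD = timedelta(days=14)


class UserAppBaseline:
    """Toy unsupervised baseline: learn which applications each user normally
    uses, then alert on a user/application pair never seen during learning.
    Constructed example; the real models are not this simple."""

    def __init__(self):
        self.first_seen = None
        self.normal = defaultdict(set)  # user -> applications seen during learning

    def observe(self, ts, user, app):
        """Return an alert dict for an anomalous event, or None."""
        if self.first_seen is None:
            self.first_seen = ts
        if ts - self.first_seen < LEARNING_PERIOD:
            self.normal[user].add(app)  # still learning: absorb, never alert
            return None
        if app in self.normal[user]:
            return None  # matches the learned normal pattern
        # After the baseline, a never-seen application for this user is the anomaly.
        # (The page refreshes the real model every 24 hours; that cycle is omitted here.)
        return {"type": "anomalous_application", "user": user, "app": app}


def bad_reputation_rule(event, bad_ips):
    """Analytics-style rule: a plain condition on a field, no training period."""
    if event["src_ip"] in bad_ips:
        return {"type": "bad_reputation", "src_ip": event["src_ip"]}
    return None


def run_demo():
    """Feed constructed events through the baseline and return the alerts raised."""
    start = datetime(2024, 1, 1)
    events = [  # constructed sample events: (timestamp, user, application)
        (start, "alice", "outlook"),
        (start + timedelta(days=3), "alice", "teams"),
        (start + timedelta(days=13), "alice", "ssh-client"),   # inside learning: absorbed
        (start + timedelta(days=15), "alice", "outlook"),      # normal after baseline
        (start + timedelta(days=16), "alice", "torrent-client"),  # first seen: alert
    ]
    model = UserAppBaseline()
    return [a for a in (model.observe(t, u, ap) for t, u, ap in events) if a]


if __name__ == "__main__":
    print(run_demo())  # one anomalous_application alert for torrent-client
    print(bad_reputation_rule({"src_ip": "203.0.113.7"}, {"203.0.113.7"}))
```

Note that the "ssh-client" event on day 13 is silently absorbed into the baseline, which is why the page stresses the two-week window: activity present during learning becomes part of "normal".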