When you build the model, the feature aggregates events from the Events table by IP address, day of week, and hour of day for each five-minute time increment, and then calculates a sum for EventCount, BytesIn, and BytesOut. Outlier Analytics then creates conditional probability tables for sum of EventCount, sum of BytesIn, and sum of BytesOut.
Review the considerations for building a model.
Select Configuration > Outlier.
For Create Model Configuration, specify the criteria that you want to use for building the model.
For example:
To define a specific subnet that represents a specific class of equipment (like server or data center), specify criteria similar to the following:
sourceAddress in subnet 10.1.1.0/24
To model outbound HTTP/HTTPS traffic, specify criteria similar to the following:
destinationPort = 80,443
To name the model, type over Model Name.
The model name can contain letters, numbers, and underscores only. The name must start with an alpha character and cannot exceed 19 characters.
Specify a time range for the model.
Because of assumptions about the hours and days that comprise a model, do not specify a range that includes a shift in Daylight Savings Time.
Select Create.
The created model appears in the Available Models table with a status of Created.
From the Available Models table, select the model that you want to build.
You can build only one model at a time.
Select Build.
To evaluate incoming events against the model, you must start the scoring process.