Creating Abstract Analytics


Time
3 hours 22 minutes
Difficulty
Intermediate
CEU/CPE
4
Video Transcription
00:00
>> Hello, and welcome to Lesson 2.7: Creating Abstract Analytics. In this lesson, we'll describe the purpose of and how to develop abstract analytics.

As we've seen, hypotheses are written in simple, straightforward language that is helpful at the start of this process for freedom of expression and thinking. An abstract analytic can also be written this way, or it could incorporate some elements of pseudocode that can help structure our thinking more, and more clearly describe the detailed conditions that would trigger an alert. In our burglary example, to alert on a break-in, we can convert our hypothesis into an abstract analytic that requires both conditions of a door opening and the door lock being extended for detection.

It is up to you to decide how formal you would like to be at this stage. If you are very familiar with a particular data model or syntax and confident with the logic, you could write the actual query syntax, but you don't need to. In fact, it may be better to remain more abstract at this point, given the relative immaturity of our thinking about this analytic approach.

Next, we'll take a look at a couple of abstract analytic examples associated with our refined hypotheses. In the first example, we've chosen to keep the syntax fluid and more informal by sticking to natural language while incorporating specific details relative to the hypothesis itself. The second example uses a slightly more formal syntax. The first example is more open and easier to think through and modify, while the second will probably help us think through logic more clearly and facilitate an easier translation to a concrete analytic later in this methodology.

Our next example, derived from the remote task scheduling hypothesis, uses specific conditions in the abstract analytic and even starts to suggest some data collection requirements and log field names. It may be premature in assuming how we will construct the final logic of the query.

Here's our final example, which is running a task as a specified user. In our local task scheduling example, we actually used the file creation condition that was derived from the CAR data model. In this example, we've invented a custom task schedule event that is not in the CAR data model and so is less restrictive in that regard, but maybe more difficult to translate into an actual data collection requirement.

To summarize, developing abstract analytics is a flexible process that relies heavily on a strong hypothesis as a basis, and is highly tolerant of the analyst.
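The following is an added example, not part of the lesson or its slides, showing one way to write the "slightly more formal" form of an abstract analytic so that its AND-ed conditions can be checked against sample events before committing to any query language. The local and remote task scheduling conditions (a file created under the Windows task store; `schtasks.exe /create /s <host>` where `<host>` is not the event's own host), the CAR-style field names (`exe`, `command_line`, `file_path`, `hostname`) and the sample events are all assumptions constructed for the illustration.

```python
"""Added example (not from the lesson): an abstract analytic expressed as a
list of named conditions, then run as a concrete check over constructed
CAR-style events. Field names follow the CAR data model loosely; the
specific task scheduling conditions are assumptions for this example."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass
class Event:
    """One CAR-style event: object and action plus a flat bag of fields."""
    obj: str
    action: str
    fields: Dict[str, str]


Condition = Callable[[Event], bool]


@dataclass
class AbstractAnalytic:
    """Hypothesis text plus the conditions that must ALL hold (logical AND)."""
    name: str
    hypothesis: str
    conditions: List[Condition]

    def matches(self, event: Event) -> bool:
        return all(cond(event) for cond in self.conditions)


# Reusable condition builders; each returns a predicate over an Event.
def is_(obj: str, action: str) -> Condition:
    return lambda e: e.obj == obj and e.action == action


def exe_is(name: str) -> Condition:
    return lambda e: e.fields.get("exe", "").lower() == name.lower()


def cmdline_has(token: str) -> Condition:
    # Token match, so "/s" is not confused with "/sc" or "/st".
    return lambda e: token.lower() in e.fields.get("command_line", "").lower().split()


def path_under(prefix: str) -> Condition:
    return lambda e: e.fields.get("file_path", "").lower().startswith(prefix.lower())


def target_is_remote(e: Event) -> bool:
    """schtasks /s <host>: true only when <host> differs from the event's own host."""
    toks = e.fields.get("command_line", "").split()
    lowered = [t.lower() for t in toks]
    if "/s" not in lowered or lowered.index("/s") + 1 >= len(toks):
        return False
    target = toks[lowered.index("/s") + 1].strip("\\").lower()
    return target != e.fields.get("hostname", "").lower()


# Local task scheduling via the file-creation condition (task store path is an assumption).
LOCAL_TASK = AbstractAnalytic(
    name="local_task_scheduling",
    hypothesis="a scheduled task file is written on this host",
    conditions=[is_("file", "create"), path_under("C:\\Windows\\System32\\Tasks\\")],
)

# Remote task scheduling: schtasks /create aimed at a different host.
REMOTE_TASK = AbstractAnalytic(
    name="remote_task_scheduling",
    hypothesis="schtasks is used from this host to create a task on another host",
    conditions=[is_("process", "create"), exe_is("schtasks.exe"),
                cmdline_has("/create"), target_is_remote],
)


def run(analytics: List[AbstractAnalytic], events: List[Event]) -> List[Tuple[str, int]]:
    """Return (analytic name, event index) for each event satisfying every condition."""
    return [(a.name, i) for i, e in enumerate(events) for a in analytics if a.matches(e)]


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    Event("process", "create", {"hostname": "ws01", "user": "alice", "exe": "schtasks.exe",
          "command_line": "schtasks.exe /create /s fs01 /tn Updater /tr C:\\Temp\\u.exe /sc once /st 23:00"}),
    Event("process", "create", {"hostname": "ws01", "user": "alice", "exe": "schtasks.exe",
          "command_line": "schtasks.exe /query /fo list"}),  # query only, no task created
    Event("file", "create", {"hostname": "fs01", "user": "SYSTEM",
          "file_path": "C:\\Windows\\System32\\Tasks\\Updater"}),
    Event("file", "create", {"hostname": "fs01", "user": "bob",
          "file_path": "C:\\Users\\bob\\Documents\\notes.txt"}),  # unrelated file
    Event("process", "create", {"hostname": "ws01", "user": "alice", "exe": "schtasks.exe",
          "command_line": "schtasks.exe /create /s ws01 /tn Cleanup /tr C:\\Temp\\c.exe /sc daily"}),  # /s names itself
]

if __name__ == "__main__":
    for name, idx in run([LOCAL_TASK, REMOTE_TASK], SAMPLE_EVENTS):
        print(f"{name}: event {idx} on {SAMPLE_EVENTS[idx].fields.get('hostname')}")
```

Keeping each condition as a named predicate mirrors the pseudocode form the lesson describes: the hypothesis stays readable, the AND structure is explicit, and each condition maps to a concrete field that becomes a data collection requirement when the analytic is later translated to a query.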