Web Activity event normality ratings are incorrect in the Analyzer
Article ID: 210528
Updated On:
Products
Issue/Introduction
When comparing the normality rating of a Web Activity event as displayed on its event detail page to its normality rating as displayed in the Analyzer, the ratings do not match.
Environment
Release : 6.5.x
Component : Analyzer
Cause
The discrepancy between a Web Activity event's normality rating on the event detail page in the console and in the Analyzer is caused by an incorrect scores-to-ratings mapping in the function fnLDW_WebActivityBehaviorDim, which is used to populate the Analyzer cubes during the nightly RiskFabric Processing job.
The function currently maps scores as follows:
| Normality Score | Normality Rating |
| 0 to 5 | Very Unusual |
| 6 to 20 | Unusual |
| 21 to 50 | Normal |
| 51 to 100 | Highly Consistent |
The correct range in the Analyzer should be the following:
| Normality Score | Normality Rating |
| 0 to 5 | Very Unusual |
| 6 to 40 | Unusual |
| 41 to 94 | Normal |
| 95 to 100 | Highly Consistent |
Resolution
As a workaround, any cube views created in the Analyzer (Event Scenario, Entity Collection, Risk Vector, etc.) that are currently configured to use the Web Activity Normality Rating field as a criteria should be modified to use the Web Activity Normality Rating Score.
A fix for this issue will be included in the next release of ICA.
Feedback
