Web Activity event normality ratings are incorrect in the Analyzer

book

Article ID: 210528

calendar_today

Updated On:

Products

Information Centric Analytics

Issue/Introduction

When comparing the normality rating of a Web Activity event as displayed on its event detail page to its normality rating as displayed in the Analyzer, the ratings do not match.

Cause

The discrepancy between a Web Activity event's normality rating on the event detail page in the console and in the Analyzer is caused by an incorrect scores-to-ratings mapping in the function fnLDW_WebActivityBehaviorDim, which is used to populate the Analyzer cubes during the nightly RiskFabric Processing job.

The function currently maps scores as follows:

Normality Score Normality Rating
0 to 5 Very Unusual
6 to 20 Unusual
21 to 50 Normal
51 to 100 Highly Consistent

The correct range in the Analyzer should be the following:

Normality Score Normality Rating
0 to 5 Very Unusual
6 to 40 Unusual
41 to 94 Normal
95 to 100 Highly Consistent

 

Environment

Release : 6.5.x

Component : Analyzer

Resolution

As a workaround, any cube views created in the Analyzer (Event Scenario, Entity Collection, Risk Vector, etc.) that are currently configured to use the Web Activity Normality Rating field as a criteria should be modified to use the Web Activity Normality Rating Score.

A fix for this issue will be included in the next release of ICA.