Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

Version 1 Current »

The supervisedScorer operator predicts the user score when you define the lhub_score.

When you have multiple tables that contain lhub_scores, it must be combined and assigned a final score, where the final score is a combination of manual scoring using machine learning models.

supervisedScorer combine tables using autojoin operator by selecting distinct rows. You can manually assign scores for 2 rows and update the table, the rest of the rows will be updated with the final score automatically.
For example, if the predictor assigns a score of 6 but in the rules, we assigned 9, the final result will be 9.

Operator Usage in Easy Mode

  1. Click + on the parent node.
  2. Enter the Supervised Scorer operator in the search field and select the operator from the Results to open the operator form.
  3. In the Table drop-down, enter or select a table to apply the operator.
  4. Click Run to view the result.
  5. Click Save to add the operator to the playbook.
  6. Click Cancel to discard the operator form.

Usage Details

LQL Command

supervisedScorer(tables:TableReference[])

Input
TableReference - List of input tables that contain lhub_scores.

Output
A scored table where each row is scored based on the model that was learned from all previous manually assigned scores. It will return lhub_score, mindistToRule (closest distance to ruleset), isFromRuleset (boolean), and score columns from tables.

Example

InputTable = userScore

InputTable = ipScore

InputTable = bytesScore

Output

When you combine the multiple input tables that contain lhub_score in all parent nodes i.e. userScore, ipScore, and bytesScore, the columns will be replaced by the final table name itself.

LQL Command

supervisedScorer([userScore, ipScore, bytesScore])

Here, 3 new columns added i.e. lhub_score, isFromRuleset, and mindistToRule.

Initially, all lhub_score in the output table will be "-" where you can assign any value 0 - 10 to that specific row.
When you assign lhub_score for 2 or more rows, the operator will train a model and predict the scores for the rest of the events and will assign new scores to unscored ones based on the input columns defined.

  • No labels