
Add a baseline to a Playbook

Introduction

A baseline is a set of behavioral data that serves as a reference for establishing normal IT activities, making it easier for security analysts to identify anomalies that indicate the presence of threats. In Advanced Mode, a baseline allows you to compare current (most recent) behavior with past behavior to determine whether the current behavior is consistent.
For example, you might use a baseline to compare a user's bank account balance within the past 24 hours with the daily balance over the past 30 days. If the behavior is inconsistent, it might indicate suspicious activity.

To view or set up baselines, you must be in a group that has baseline permission.

Like an event type, a baseline is a mechanism for inputting data into a playbook. An event type specifies the external data source that supplies data to a playbook. A baseline specifies an external data source but also performs actions within the baseline playbook to generate the data for comparison.

An event type, a baseline, or both can be used to kick off the activity within a playbook. For example, if your playbook is intended to flag new suspicious account activity to report to the IRS, you might include a baseline that identifies unusual changes in account balances and also includes an event type that allows you to filter out information about accounts that are already known to be suspicious.

When you create a baseline, Devo SOAR automatically sets up a stream with batches to generate the data for comparison. The comparison data becomes the history against which the current or most recent behavior is measured and scored. If the current data falls within the pattern established by the history, the calculated score is low; if it deviates from that pattern, the score is high. As with other scoring mechanisms, you can manually modify the computed score.

When setting up a baseline, you specify the number of batches to generate and the interval between the batches. Having more batches allows you to compare data over a longer period of time. For example, if normal activity varies over the course of a day, you may want your history to encompass multiple days. It's not necessary to wait for the batches to complete. If you are running baseline batches every hour over the course of several days, you can start seeing results before the several-day period is over. As more and more batches are executed, the score is automatically adjusted to reflect the accumulation of additional data.

Create a Baseline

When you create a baseline, it becomes available for use in any playbook that you create or that is shared with you. You can only create a baseline in Playbook Advanced Mode.

Design the playbook with the calculations that you want to use for the baseline. In the following example, the playbook takes aggregate data on a user's bank accounts, calculates the balances of the user's Wells Fargo, Chase, and Bank of America accounts, aggregates them, and generates a final balance for the day.

Select the step containing the result of the calculation, click the + Actions drop-down menu, and select Create Baseline.

The Create Baseline form opens.

Enter the following details in the form. The specific settings depend on the options you display and whether you're setting up a baseline for one playbook or using the Schedule option on the Playbooks page to set up a baseline for multiple playbooks at once.

Field Name

Description

Baseline Name

Enter a name to identify the baseline.

Batch Length

Enter the time in minutes (or hours) between successive batch runs. When each batch runs, it collects the data for that interval, plus any overlap. If you selected multiple playbooks and want to specify a different batch length for each, click Customize for each playbook, select the interval for each, and click Done.

CRON

Click CRON to specify the run schedule.

  • Specify the frequency with a value and time units, or click CRON to specify a schedule by the time of day.

For help with cron syntax, use a formatter such as crontab guru. Cron schedules are evaluated in the UTC timezone. Any cron schedule you specify overrides batch length-based scheduling; to use batch length-based scheduling, leave the cron field empty.

Execution Delay

To delay the baseline execution for a set interval, enter the delay interval in minutes (or hours).

Auto Rerun

Select this option to automatically rerun the batches on error.

Correlations

Select this option to enable correlations between the data in pinned nodes.

Auto Forward

Select this option to forward the results of this stream to the configured Destinations.

Pause on Error

Select this option to pause the baseline automatically when a batch fails with an error.

When you save the form, the baseline is created and its calculations begin to run as batches according to the specified schedule (the interval between batches, or the cron schedule if one is set) and the number of batches.

To view the batches generated by the baseline, click the baseline that you created to open its list of batches.

The baseline is now available to be added to another playbook.

Add a baseline to a Playbook in Advanced Mode

You can add a baseline that you have defined (or that has been shared with you) to a playbook at any time.

  1. Create or edit a playbook in Advanced Mode.

  2. Click Source on the icon bar in the top-right of the page.

  3. Click the Baselines button to load the list of baselines.

  4. Select the baseline to add to the playbook, and click Add. You can select multiple baselines to add them at the same time.

The baseline is added to the playbook. It appears as a 4-step component.

  • The top step is the root of the baseline.

  • The middle left step is the current batch that you want to compare against the baseline. For example, the following figure shows that the middle left step filters a baseline table for the most recent batch (indicated by -1 in the query).

  • The middle right step is the series of batches that make up the baseline. For example, the following figure shows that the middle right step is filtering a baseline table for the last 30 batches (indicated by -30 in the query).

You can modify the queries for the elements in the baseline, if needed, and continue to build your playbook. In the following example, an event type is added so that known suspicious accounts can be filtered out from the account balance analysis.
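As an added example (not part of the original page and not Devo SOAR's own scoring code), the following Python models the comparison described in the Introduction and in the component above: the most recent batch (the -1 in the baseline query) is scored against the batches before it (the -30), and the score can be computed before the full window has accumulated. The median/MAD formula, the 0 to 10 scale, the minimum history size, the function names and the sample balances are all assumptions for illustration; the page does not document the scoring algorithm Devo SOAR actually uses.

```python
"""Toy model of baseline scoring (illustrative; not Devo SOAR's algorithm).

A baseline stream produces one value per batch, for example the user's
aggregated daily balance from the playbook described above. The current
batch is compared against a window of earlier batches; the further it
sits from the history, the higher the score.
"""
import math
from statistics import median
from typing import Optional, Sequence

MIN_HISTORY = 3   # assumption: score only once a few history batches exist
MAX_SCORE = 10    # assumption: scores are clipped to the range 0..10


def robust_z(history: Sequence[float], current: float) -> Optional[float]:
    """Distance of `current` from the history, in MAD units.

    Median and median absolute deviation (MAD) are used instead of mean and
    standard deviation so that a single earlier anomalous batch does not
    widen the "normal" band for every later comparison. The 0.6745 factor
    rescales MAD to be comparable with a standard deviation for normally
    distributed data.
    """
    if len(history) < MIN_HISTORY:
        return None            # not enough batches yet; no score
    center = median(history)
    mad = median([abs(x - center) for x in history])
    if mad == 0:               # perfectly flat history
        return 0.0 if current == center else math.inf
    return 0.6745 * abs(current - center) / mad


def baseline_score(history: Sequence[float], current: float) -> Optional[int]:
    """Map the robust z-score onto the assumed 0..MAX_SCORE scale."""
    z = robust_z(history, current)
    if z is None:
        return None
    if math.isinf(z):
        return MAX_SCORE
    return min(MAX_SCORE, int(z))


def score_latest(batches: Sequence[float], window: int = 30) -> Optional[int]:
    """Score batches[-1] (the -1 in the query) against the `window` batches
    before it (the -30 in the query). Works before the full window has
    accumulated, mirroring the page's note that you need not wait for all
    batches to complete."""
    if len(batches) < 2:
        return None
    history = batches[-(window + 1):-1]
    return baseline_score(history, batches[-1])


def scores_as_batches_accumulate(batches: Sequence[float], window: int = 30):
    """Score of each successive batch against the batches before it, showing
    how the score becomes available and settles as history accumulates."""
    return [score_latest(batches[: i + 1], window) for i in range(1, len(batches))]


# Constructed sample data: 30 daily balances hovering around 5000.
HISTORY = [5000 + d for d in (-100, -50, 0, 50, 100)] * 6

if __name__ == "__main__":
    print(score_latest(HISTORY + [5100]))    # 1: within the usual band
    print(score_latest(HISTORY + [12000]))   # 10: far outside it
```

A flat history (MAD of zero) is treated as an edge case: any deviation at all scores as maximal, which is usually what you want for a value that has never moved, but it also means a baseline built from too little variety will flag ordinary fluctuations. Review the first few batches before trusting scores from a new baseline.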

Auto Rerun

Select this option to automatically rerun a batch when it fails with an error. By default, the maximum number of reruns is 3; you can increase or decrease it as needed.

By default, the wait time before each rerun is 4 minutes.
Example: when a batch fails, it waits 4 minutes before the first automatic rerun. If that rerun also fails, it waits another 4 minutes before the second rerun, and so on until the configured maximum number of reruns is reached.

Correlations

Select this option to enable correlations between the data in pinned nodes.

Auto Forward

Select this option to automatically forward the results of this stream to the configured Destinations.

Pause on Error

Select this option to automatically pause the stream when a batch fails with an error; the stream's status changes to Auto-paused. You can resume it at any time by selecting the stream on the Streams page and clicking Resume.
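The following Python is an added example (not Devo SOAR code) that models the failure handling described under Auto Rerun and Pause on Error: a failed batch is rerun up to the maximum number of times with a fixed wait before each rerun, and if it still fails the stream is either left failed or marked Auto-paused depending on Pause on Error. The function and class names, the injected sleep callback and the simulated flaky batch are assumptions for illustration; the page's defaults of 3 reruns and a 4-minute wait are kept.

```python
"""Toy model of batch rerun and pause-on-error handling (illustrative only)."""
from dataclasses import dataclass, field
from typing import Callable, List

DEFAULT_MAX_RERUNS = 3        # default from the Auto Rerun section
DEFAULT_RERUN_WAIT_MIN = 4    # default wait before each rerun, in minutes


@dataclass
class BatchOutcome:
    status: str                                  # "succeeded", "failed" or "auto-paused"
    attempts: int                                # initial run plus reruns
    waits: List[int] = field(default_factory=list)    # minutes waited before each rerun
    errors: List[str] = field(default_factory=list)   # one entry per failed attempt


def run_batch(
    batch: Callable[[], object],
    *,
    auto_rerun: bool = True,
    max_reruns: int = DEFAULT_MAX_RERUNS,
    rerun_wait_min: int = DEFAULT_RERUN_WAIT_MIN,
    pause_on_error: bool = False,
    sleep: Callable[[int], None] = lambda minutes: None,   # injected so tests do not wait
) -> BatchOutcome:
    """Run `batch`, rerunning it on error according to the configured policy."""
    outcome = BatchOutcome(status="failed", attempts=0)
    allowed_attempts = 1 + (max_reruns if auto_rerun else 0)
    while outcome.attempts < allowed_attempts:
        outcome.attempts += 1
        try:
            batch()
            outcome.status = "succeeded"
            return outcome
        except Exception as exc:          # assumption: every exception is treated as retryable
            outcome.errors.append(str(exc))
            if outcome.attempts < allowed_attempts:
                sleep(rerun_wait_min)     # wait before the next rerun
                outcome.waits.append(rerun_wait_min)
    # All attempts exhausted: pause the stream if Pause on Error is set.
    outcome.status = "auto-paused" if pause_on_error else "failed"
    return outcome


def flaky(fail_times: int) -> Callable[[], str]:
    """Constructed batch that fails `fail_times` times, then succeeds."""
    calls = {"n": 0}

    def batch() -> str:
        calls["n"] += 1
        if calls["n"] <= fail_times:
            raise RuntimeError(f"simulated failure {calls['n']}")
        return "ok"

    return batch


if __name__ == "__main__":
    print(run_batch(flaky(2)))                         # succeeds on the third attempt
    print(run_batch(flaky(99), pause_on_error=True))   # exhausts reruns, then auto-paused
```

In this model every exception counts as retryable, so a batch that fails deterministically (for example on malformed input from the data source) burns all its reruns and then pauses. Size the rerun count for transient failures such as connector timeouts, and treat an Auto-paused stream as a signal to inspect the batch errors rather than simply clicking Resume.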

Add a baseline to a Playbook in Easy Mode

If the baseline doesn't already exist, create it in Advanced Mode.

Follow the process to create a playbook in easy mode or edit an existing one.

  1. In the playbook editor, hover over the Start step and click +.

  2. Under What do you want to automate?, find and select the Get Data from Baseline automation.

If you click + on any other step, a message indicates that Get Data From Baseline is a data source and can therefore be used only at the beginning of the playbook, and offers to add it under Start.

  3. Under the Select Baseline drop-down menu, select the baseline you want to collect data from.

  4. To set times for the baseline, click Show Optional Fields. You can specify offset times or specific times.

  5. Click Run.

The baseline is added to the playbook and executed according to the schedule you specified.