Behavior Timeline

Log in to the Fluency Cloud portal: https://(companyname)

Open the main dropdown menu and choose the Behavior Timeline option under the EventWatch section.

The Behavior Timeline page displays instances where behavior models were triggered. When creating a behavior model, there is a checkbox to indicate whether an event should appear on the behavior timeline when triggered by the rule. The chart at the top of the page indicates the total RiskScore at any time over the search window.

The facet on the left side can be used to filter events. There are six fields associated with a behavior rule that can be used for search filters: key, key type, behavior rule, behavior, score level and risks.

Clicking on the magnifying glass icon of each record redirects you to the Events Search page (Data Lake -> Events Search) and conducts a search using the name of the behavior alert and the alert's key as the search parameters. Refer to Investigating a Behavior Alert to see what you can do on the Events Search page.

In the figure below, the first value in the header is the name of the behavior model that triggered the alert. Beside this is the behavior type. In the middle of the header, the key is displayed (in this case, it's "asset"), followed by the score associated with the alert. Below this are the risks that were triggered, in addition to their descriptions and values (click the table to expand). Clicking the blue icon in the corner of the table opens the JSON data associated with the event.

Click the "Actions" button to open a menu with options for configuring different actions for this alert. Actions allow a user to set up a method of notification when certain alerts or behaviors are triggered. Clicking one of these options will redirect you to a configuration page for the indicated action option.

To the right of the "Actions" button, there's also an "FPL Actions" button. At present, there's only one action, named "SentinelOneClassify".

Page last updated: 2023 Aug 09