 # UBA Data Validation and Model Monitoring

The notebook showcase some useful examples for data validation and model monitoring to help resolve system scaliblity issues at the early stage. 

More examples can be provided based on feedback.
Note: to secure the customer datasets, the notebook was run on single-node UBA testing VM using synthetic datasets. The installation has been also tested in a multi-node deployment environment.

 ## Validate the scale from data sources
Through the sample notebook, you may track the event processing count, the Maximum, Minimum, and Average EPS values. Currently UBA secures the scale of EPS value under 160K.

In [2]:

%sh /opt/caspida/bin/status/eps_ds


In [3]:
%sh /opt/caspida/bin/status/eps_etl


In [4]:
%sh /opt/caspida/bin/status/eps_ir


In [5]:
%sh psql -d caspidadb -c "SELECT DISTINCT ON (d.name) d.name, d.type, d.status, d.error, d.format, date_trunc('Seconds',cstats.lastprocessed) as lastprocessed, cstats.epsjson::json->>'EPS' as recent_eps, cstats.epsjson::json->>'Avg EPS' as average_eps, cstats.epsjson::json->>'Max EPS' as max_eps, dstats.countevents, dstats.countfailedevents, dstats.countskippedevents, (100-((dstats.countskippedevents + dstats.countfailedevents)*100)/dstats.countevents) as success_perc, \
                case \
                  when d.status != 'Processing' then '' \
                  when (100-((dstats.countskippedevents + dstats.countfailedevents)*100)/dstats.countevents)=0 then '   <== utter failure; events not processed; review datasource SPL' \
                  when (100-((dstats.countskippedevents + dstats.countfailedevents)*100)/dstats.countevents)=100 then '(complete success)' \
                  when (100-((dstats.countskippedevents + dstats.countfailedevents)*100)/dstats.countevents)<=40 then '   <== significant failed/skipped events; review datasource SPL' \
                  when (100-((dstats.countskippedevents + dstats.countfailedevents)*100)/dstats.countevents)<=70 then '   <= check failed/skipped events; review datasource SPL' \
                  else '' end as observation \
                FROM connectorstats as cstats \
                INNER JOIN datasourcestats as dstats on cstats.id = dstats.id \
                INNER JOIN datasources as d on cstats.id = d.id WHERE cstats.lastprocessed IS NOT NULL AND dstats.countevents!=0 ORDER BY name, lastmodified DESC; \
		"

In [6]:
%sh psql -d caspidadb -c "select id,name,type,format,status,connectortype from datasources where name='0_resolution-demoandbackground.infoblox';"


In [7]:
%sh psql -d caspidadb -c "select id,instanceid,lastmodified,state,numprocessed,numfailed,eps,epsjson from connectorstats where id='6015881326631454175'"


In [8]:
%sh impala-shell -d caspida -q 'describe datasourcevalidations;'

 ## Validate the scale from user and entity profiles

The number of users, entities (e.g. devices, applications) and its associated profiles may determine the scale for some models. Validate user and entity profiles are preliminary for reliable detections. 

In [10]:
%sh psql -d caspidadb -c 'select count(*) from hrdatausers';


In [11]:
%sh psql -d caspidadb -c 'select count(*) from users';


In [12]:
%sh  psql -d caspidadb -c "select count(*), ou from hrdatausers group by ou;"


In [13]:

%sh  psql -d caspidadb -c "select count(*), hraccounttype from hrdataaccounts group by hraccounttype;"


In [14]:
%sh psql -d caspidadb -c "select count(*), type from systems group by type;"

In [15]:
%sh  psql -d caspidadb -c "select count(*) from usystems where state = 'Unresolved';" 


 ## Identify scalability issues from batch models
You may also check in real-time for any recurrent model failures, identify models with the longest durations. Monitor the long-running models if there are noticeable changes in the execution times, and engage with UBA Customer support if they cause system performance to be downgraded. 

In [17]:
%sh impala-shell -d caspida -q 'select eventtime,modelname,durationinmilliseconds,successfulexecutions,failedexecutions from offlinemodelstats where failedexecutions=0 order by durationinmilliseconds desc limit 10;'


In [18]:
%sh impala-shell -d caspida --quiet -q "select modelname, eventtime from (select modelname,eventtime,row_number() over (partition by modelname order by eventtime desc) as index from offlinemodelstats where failurereason = 'n/a') t where index = 1 order by 2 desc;"


 # Check threats and anomalies from history

Some issues caused performance downgrades but not related to scalability. For example, customers neglected to clear historical anomalies from Postgres databases, resulting in insufficient space and model failures. 

In [20]:
%sh  psql -d caspidadb -c "select eventtime,endtime, anomalytype,anomalycategory, scoredby, entitytypes from anomalies limit 25;"


In [21]:
%sh  psql -d caspidadb -c "select count(*), anomalytype from anomalies group by anomalytype;"


In [22]:
%sh  psql -d caspidadb -c "select count(*),isactive from threats group by isactive;"


 # Additional useful queries

Share more useful queries below

In [24]:
%sh psql -d caspidadb -c "select * from dbinfo"
