Background Context

Given recent attacks on the Healthcare sector, and some noted data breaches, FauxCura

Health have engaged Quantum.LogiGuardian $($Q$.$LG$),$ a cyber security consultancy and

analytics firm.

FauxCura believes they may have had un$-$detected cyber security breaches within their

systems. As a caring and respectable healthcare provider, they want to examine their

historic network data to determine whether undetected breaches have occurred.

The security operations centre at FauxCura run a Security Incident and Event

Management $($SIEM$)$ platform called Splunk$.$ This platform collects vast quantities of

log data from servers, desktop computers, routers and other network equipment and

aggregates it in the form of reports and alerts that can be viewed by security personnel

to identify incidents that require investigation.

During an initial investigation of FauxCura$$s data, Q$.$LG were able to trawl through

history data to produce an initial report that provides some top$-$level metrics on

incidents based on certain triggers. Incident specific data is also retained, but generally

consists of extremely large data sets.

It is hoped that the report data contains sufficient information to be able to construct an

ML model that can more accurately identify events of interest.

Data Overview

The data you are working with are records extracted from FauxCura$$s SIEM. The

records have already been processed and reduced to a summary of individual event

detections that were triggered by the SIEM.

The data have also been aggregated from multiple other sources and reports in the

SIEM. This means some values may be inconsistent across systems or there may be

errors in the data that need to be identified and cleaned.

Descriptions of Features:

Below is a brief explanation of the features in the data set. It is not necessary to

understand these features. It is also important to note that feature naming conventions

$2|$ P a g e

are very subjective. Reliance on the meaning of a name may miss important data or

detail.

Alert Category $($Categorical$)$:

This feature describes what type of alert was created by Splunk. It is largely subjective

as the alert creators can identify their own alert levels for different types of events. The

levels present in the data can be approximately summarised as:

Informational:

An event that is being logged to the system for information purposes only, it is

possible these could relate to malicious activity, but this is the lowest level of alert.

Warning:

This is a higher level of alert and typically used to identify a situation that may not

be typical.

Alert:

These are typically used for specific events that represent a security concern that

requires action.

NetworkEventType $($Categorical$)$:

This is the type of event that the SIEM report believes has occurred. It can be used to

differentiate between apparently normal network traffic, to things like policy violations

and even threat detections and data exfiltration.

NormalOperation:

No specific anomalies occur in this logged event $$ there are many reasons this

data may be logged.

PolicyViolation:

A security or business policy has been violated. This can range from attempts to

run unauthorised software on the network, to using the wrong type of webbrowser to access a database.

ThreatDetected:

A specific condition has been detected that has previously been identified as a

security thread. These could be normal operations mis$-$tagged, or they may

include malicious software or techniques in use.

NetworkInteractionType $($Categorical$)$:

This is another $$computer$$ metric that uses an unknown $3$rd party plugin to identify

network interactions that are not typical.

Regular:

These appear to be normal network traffic requests.

$3|$ P a g e

Elevated:

Requests that are attempting to access resources that require specific

permissions. For example, a computer trying to log in to an administrative console

or a restricted device.

Suspicious:

Generally, these are elevated network events that are unexpected, have come from

an unexpected source, or have unexpected patterns of usage.

Anomalous:

Network interactions that aren$$t typical but may not have any relation to security

events.

Critical:

A network condition that should never occur. This could be an interaction that

indicates an attack condition, or a severe equipment outage or malfunction.

Unknown:

The interaction status is unknown

DataTransferVolume $($out and in$)($Numeric$)$:

Quantifies the amount of data transferred over the network. Values are given whether

they are into the network or out of the network.

TransactionsPerSession $($Integer$)$:

The number of transactions exchanged between devices and the service they are

communicating with.

NetworkAccessFrequency $($Integer$)$:

Measures how frequently network ports are accessed, with abnormal frequencies

potentially signalling unauthorized acce