Aegis CyberXtractor™: Optimizing Cybersecurity with Advanced AI-Driven UBA

Feature Extraction


We need a vast array of raw data from an assortment of activity logs, assets, and agents within your physical and digital IT infrastructure. You may hold these in a Security Information & Event Management (SIEM) system, or they may be scattered across your IT supply chain. In all cases, AI AEGIS Cyber Data Lake fetches, gathers, formats and inserts these data into our specially designed timestamped event databases.
The event data logs gathered and saved in AI AEGIS Cyber Data Lake are not directly suitable for user behavior analysis and modeling (UBAM) for several reasons:
  • Large Sizes. The event log data often possess significant sizes, making them unwieldy for direct analysis. They require processing and transformation to ensure efficient handling.
  • Insufficient Indexing and Structuring. The event log data lack adequate indexing and structure, making it challenging to extract valuable insights from them. Proper indexing and structuring are crucial for meaningful UBAM.
  • Disparate Timestamps, Formats, and Types. The event log data exhibit variations in timestamps, formats, and types across different sources. This heterogeneity poses obstacles to seamless integration and analysis.

Cybersecurity AI Solution

AI AEGIS Lab Cybersecurity Solution is made of integrated components that manage all cybersecurity data from logs and applications and use these in multi-layered AI machines to model the behavior of all entities and processes across your digital landscape and identify insider threats, whether from trusted users or intruders.

To overcome these challenges, Aegis CyberXtractor™ extracts structured features from these raw log data in formats that are suitable for computing actionable user behavior analysis and modeling (UBAM) features, and organizes these into categories and subcategories that facilitate their filtering and querying. This allows us to easily configure a tailored grouping of these features that aligns with your organization's specific needs and structure, and enables you to seamlessly interact with and interpret the data and gain insights through an intuitive web dashboard.

Aegis CyberXtractor™ is a highly scalable microservice designed to simplify the creation of actionable custom features for user behavior analysis and modeling (UBAM), within your cybersecurity framework and using its raw log data, without the need for coding or scripting.


Aegis CyberXtractor™ key features include:

Actionable Feature Creation

Generation of actionable features from raw IT log data, specifically targeted for UBAM. These features are derived through a user-friendly and intuitive web dashboard with a mathematical formula editor.

Organized Categories and Subcategories

The extracted features are organized into easily navigable nested categories and subcategories, facilitating efficient filtering and querying. This organized structure enhances the usability of the features and enables seamless interaction with your cybersecurity data and AI modeling.

Tailored Grouping of Features

Flexible creation of a customized grouping of cybersecurity features that align with your organization's specific needs and structure. This tailored grouping ensures that the generated features are relevant to your cybersecurity objectives.

Enhanced Data Interaction and Insights

By utilizing this toolbox, you can interact with and interpret your cybersecurity data. The organized features and intuitive interface empower you to gain valuable insights from the extracted data, enabling effective decision-making.

No-Coding Environment

The feature definition and extraction process is hassle-free, requiring no coding or scripting. This user-friendly and intuitive environment eliminates the need for a mathematical background, making it accessible to a wide range of users.

Accelerated Model Building Process

AI AEGIS Feature Extractor significantly accelerates the model building process. By providing a no-coding and no-scripting solution, it smooths feature generation and reduces the time and effort required for implementation.

Feature Quantification

A visual mathematical formula editor allows defining multiple quantities based on event log data, e.g., the count, min, max, average, quantiles, frequency, rate, size, or duration of occurrence.

Feature Mapping

Creates UBA features across entities (users, endpoint devices, etc.) and categories of events in log files. Point Features are quantified per single entity, e.g., the total count of an event per user or endpoint. Peer Grouping Features are quantified across a group of peers in the same category, e.g., the total count of an event for a group of users. Horizontal Features are quantified across multiple categories, e.g., users' file downloads per set of endpoint devices.

Feature Contextualization

Enhances quantification and provides valuable nuanced analysis and insights into user behavior patterns by incorporating additional contextual information, e.g., different temporal contexts such as morning, afternoon, working or off hours, or days of the week (working days, weekends, holidays).
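
The quantification, mapping and contextualization steps described above can be illustrated with a short added example (not Aegis CyberXtractor™ code; the product itself is configured without coding). The event tuples, peer groups, endpoint set and the Mon-Fri 09:00-17:59 working-hours window are all constructed assumptions.

```python
from collections import Counter
from datetime import datetime

# Constructed sample events (timestamp, user, endpoint, event type); not real log data.
EVENTS = [
    ("2024-03-04T09:15:00", "alice", "ws-01", "file_download"),
    ("2024-03-04T10:40:00", "alice", "ws-02", "file_download"),
    ("2024-03-04T23:05:00", "alice", "srv-01", "file_download"),
    ("2024-03-04T11:00:00", "bob", "ws-01", "file_download"),
    ("2024-03-04T11:30:00", "bob", "ws-01", "login_failure"),
    ("2024-03-09T14:00:00", "carol", "ws-03", "file_download"),
]
PEER_GROUPS = {"finance": {"alice", "bob"}, "it": {"carol"}}  # hypothetical grouping
WORKSTATIONS = {"ws-01", "ws-02", "ws-03"}                    # hypothetical endpoint set

def temporal_context(ts):
    """Label an event as weekend, working_hours (Mon-Fri 09:00-17:59) or off_hours."""
    t = datetime.fromisoformat(ts)
    if t.weekday() >= 5:
        return "weekend"
    return "working_hours" if 9 <= t.hour < 18 else "off_hours"

def extract_features(events, event_type, peer_groups, endpoint_set):
    """Count one event type as point, peer-group, horizontal and contextual features."""
    point, peer, horizontal, contextual = Counter(), Counter(), Counter(), Counter()
    for ts, user, endpoint, etype in events:
        if etype != event_type:
            continue
        point[user] += 1                                # point: per single entity
        for group, members in peer_groups.items():
            if user in members:
                peer[group] += 1                        # peer grouping: across peers
        if endpoint in endpoint_set:
            horizontal[user] += 1                       # horizontal: user x endpoint set
        contextual[(user, temporal_context(ts))] += 1   # point feature split by context
    return {"point": dict(point), "peer": dict(peer),
            "horizontal": dict(horizontal), "contextual": dict(contextual)}

FEATURES = extract_features(EVENTS, "file_download", PEER_GROUPS, WORKSTATIONS)

if __name__ == "__main__":
    for name, values in FEATURES.items():
        print(name, values)
```

The contextual split is what separates alice's single late-night download from her two working-hours downloads, a distinction the plain per-user count hides.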

Sample Log File Types AI AEGIS Uses for UBA

Aegis CyberXtractor™ comes loaded with a library of ready-for-use features, categories and computational rules specifically designed for user and entity behavior analysis and modeling (UBAM). You can select from these when configuring your cybersecurity model. There are no limitations on what can be configured. Here are some high-level sample categories:

User account and access

User account and access features cover user login attempts and failures, privilege escalation, session duration, password changes, account creation and deletion, login geolocation, multiple logins, removable device connection, etc.

Web and Internet services

Web and Internet services group features associated with web and other internet-based services such as SMB, email and FTP, HTTP, HTTPS, request methods and URLs, response code and status, request and response headers, request and response payload sizes, rate of API calls, session information (creation, expiration and termination time), security data such as SSL/TLS encryption protocols, access control mechanisms and more.

Data events and activities

Data events and activities cover a broad spectrum of actions involving both local and database-stored data, such as file modifications, creation, deletion, upload and download, database queries and transactions, data encryption or decryption, volume of transferred files, changes in file permissions, data and file access patterns.

System and resources metrics

System and resources metrics are a wide range of measurements such as CPU and memory usage and load, disk read and write operation rates, system uptime and downtime, and more.

Network Activities

Network Activities are events such as connections and disconnections (attempts, successes and failures), incoming/outgoing packets, traffic volume and patterns, ports and protocols in use, firewall events (pass, reject, …), firewall rule modifications, ingress and egress points, etc.

App and Process Activities

App and Process Activities events are related to processes occurring within a machine, such as the execution and termination of apps and processes, and changes in the list of startup apps, application-specific errors or crashes, and exceptions caused by each app.

Security Platforms

Security Platforms logs come from a wide range of platforms, e.g., monitoring tools, firewalls, antivirus software and intrusion detection software, and include events such as a source IP banned for exceeding the number of login failures.

User-defined logs

User-defined logs include logs generated by less common apps, third-party apps, or custom-made apps, business transaction logs, custom application-specific logs, and more.

Unlock the Power of AI in Cybersecurity!

Dive into AI AEGIS Feature Extraction for unparalleled user behavior insights. Begin your journey to a more secure, intuitive, and efficient IT framework.