6.5 Auto-Close

OFSBD provides a mechanism to close alerts automatically that do not warrant investigation.

The system can close alerts based on their age, status, score, focus type, generating scenario, or any combination of these attributes. The system regularly evaluates all candidate alerts and closes each alert that satisfies the criteria. The system maintains closed alerts for audit purposes and they are still available for display such as from the Relationship tab in the OFSBD UI) and processing , such as by reopening an alert.

Defining the Auto-Close Alert Algorithm

The KDD_AUTO_CLOSE_ALERT table provides all operation sets, and their respective operations, that the system uses to determine whether it should close an alert. The table includes the following:
  • Operations are logical expressions that can be used to close alerts such as alert score > 50, age > 30. A set of operations based on the same attribute, such as score, form an operation set.
  • The OPRTN_SET_ID column is a grouping of mutually exclusive operations. Each operation specifies the next step that is applied to alerts that satisfy the operation. This next step is either to close the alert or execute the Next operation Set (NEXT_OPRTN_SET_ID column), or branch to further evaluate the alerts.
  • The XPRSN_ORDER_ID column sets up an order of precedence by which the system attempts to satisfy the operations. Enter NULL if the entry is linked from another entry that has a value in the XPRSN_ORDER_ID column.
  • The ALERT_ATTR_ID column identifies the attribute of the alert for evaluation.
  • The OPRTR_CD column specifies the type of operation to be performed. Allowed values are =, !=, >, <, >=, <=, contains, or IN. While using the IN operator, the right-hand side variables should be separated by| such as NW|OP.
  • The value in the VALUE_TX column provides the right-hand side of the operation being evaluated.
  • If the current operation is satisfied, and it is not the final operation in the operation set (indicated by a NULL value in the NEXT_OPRTN_SET_ID column), the process jumps to the NEXT_OPRTN_ SET_ID. If the NEXT_OPRTN_SET_ID is NULL, and the operation is true, the system closes the alert.
  • The DMN_CD column is the OFSBD product code.
  • The CLS_ACTIVITY_TYPE_CD column specifies the activity type code of the closing action to associate with an alert that is closed by this rule. This column is optional. If the column is NULL, the system uses the default auto-close activity type code.
  • The CMMNT_TX column specifies an optional text comment to associate with an alert that is closed by this rule.

The Auto-Close Alert algorithm does not close a locked alert. The system locks an alert when an analyst investigates it, and then unlocks it when the analyst releases it. All locked alerts are skipped until the next time the Auto-Close Alert algorithm is run. The OFSBD administrator must fill in rows in the KDD_AUTO_CLOSE_ALERT table with the criteria for auto-closing the alerts. The system uses the KDD_REVIEW table to provide available attributes for use in the Auto-Close algorithm.

Set Up Auto-Close Rules

To set up auto-close rules, formulate the criteria for auto-closing alerts using the attributes in the Alert Closing Attributes (KDD_AUTO_CLOSE_ALERT) table. The Alert Identifier (ALERT_ATTR_ID) column is needed later in this set of instructions.

The following table describes commonly used Alert Closing Attributes.

Table 6-1 Commonly Used Alert Closing Attributes

Alert Attribute Alert Identifier (ALERT_ATTR_ID)
Alert Age 113000057
Due Date 113000024
Focus Type 113000010
Last Action 113000038
Owner’s Organization 113000056
Previous Match Count All 113000054
Previous Match Count Same Scenario 113000053
Scenario 113000013
Score 113000022
Status 113000008
Status Name 113000055
Processing Batch Name 113000068
Jurisdiction 113000067
Previous Match Count Same Scenario Group 113000064
Scenario Group 113000014

View All Alert Closing Attributes

To view a full set of Alert Closing Attributes, follow these steps:
  1. Run the following query:
    Select A.ATTR_ID, A.ATTR_NM
From KDD_ATTR A, KDD_DATASET_ATTR B
where A.ATTR_ID=B.ATTR_ID and B.DATASET_ID=113000002

    Note:

    If the alert attribute that corresponds with a particular alert identifier contains a NULL value, the Auto-Close algorithm does not interpret these values and returns a fatal Behavior Detection error.
  2. Formulate operations for the auto-closing criteria. Operations contain only one mathematical operator such as >, <, or =. Operation sets include one or more operations chained together by the NEXT_OPRTN_SET column.
  3. Determine an order of precedence for the operations (that is, what to test first, second, and so forth). Each operation’s precedence must be unique within the KDD_AUTO_CLOSE_ALERT table. An error occurs if two operations have the same precedence. All operations must have precedence or the system does not test them.
  4. Assign an operation ID to each operation. This ID must be unique within KDD_AUTO_CLOSE_ALERT.
  5. Assign an operation ID to each operation within each operation set. Use IDs close together for operations within the same operation set. The system uses this ID to link together operations within the same operation set by placing the next ID for testing in the Next Operation ID (NEXT_OPRTN_SET_ID) column.
  6. Determine the rows to insert into the KDD_AUTO_CLOSE_ALERT table from the following columns:
    • OPRTN_SET_ID is the operation set ID.
    • XPRSN_ORDER_ID, the operation ID, the precedence must be unique for each operation across the table. This column can contain a NULL value.

      Note:

      When an operation set is reached by linking from another operation set, you can leave the XPRSN_ORDER_ID at NULL. For operations sets that are not reached through another operation set, the XPRSN_ORDER_ID is required.
    • ALERT_ATTR_ID (Refer to Step 1).
    • OPRTR_CD is the mathematical operator for the operation.
    • VALUE_TX is the right-hand side of the operation.
    • NEXT_OPRTN_SET_ID is the ID that identifies the next operation in the operation set, or NULL if no operations exist. Inserting an ID into the NEXT_OPRTN_SET column previously called creates a loop and results in an error.
    • DMN_CD is the OFSBD product code.
    • The CLS_ACTIVITY_TYPE_CD column specifies the activity type code of the closing action. The activity type code that this column specifies must exist in the KDD_ACTIVITY_TYPE_CD table and the KDD_ACTIVITY_TYPE_CD. Verify that the AUTO_CLOSE_FL is set to ‘Y’ for this code to be valid.
    • The CMMNT_TX column specifies an optional text comment.

Running the Auto-Close Alert

Auto-Close Alert is part of the Behavior Detection subsystem. OFSBD provides default job templates and job template groups for running Auto-Close Alert. You can modify these jobs using the Administration Tools. Refer to the Administration Tools User Guide for more information.

To run Auto-Close Alert, follow these steps:

  1. Verify that the dispatcher is running.
  2. Run the start_mantas.sh script as follows: start_mantas.sh 506 where, 506 is the job template that OFSBD provides to run the Auto-Close algorithm.