Exceeding sources

Exceeding Sources Detection (EPS-Based Anomaly Monitoring)

The platform includes an advanced Exceeding Sources Detection capability designed to identify data sources that generate a significantly higher volume of logs than expected based on their historical behavior.

This functionality detects abnormal increases in Events Per Second (EPS), which may indicate security incidents, configuration changes, or operational and commercial impacts.


Use Cases and Operational Relevance

Exceeding source detection is particularly valuable in the following scenarios:

  • Compromised endpoints generating unusually high outbound activity or data exfiltration patterns

  • Users downloading or transferring atypical artifacts, binaries, or large datasets

  • Progressive onboarding of new devices or systems, impacting licensing and capacity planning

  • Increased verbosity on perimeter devices due to configuration changes

  • Attack lifecycle phases involving scanning, lateral movement, payload delivery, or data transfer

By identifying abnormal log volume growth, the platform provides early visibility into both security and business-impacting events.


Behavioral Baseline Definition

For each data source, the platform continuously maintains a real-time EPS baseline representing the expected log volume.

The baseline is calculated using historical data from the previous several weeks, taking into account:

  • Time of day

  • Day of the week

This ensures that natural usage patterns (e.g., business hours vs. off-hours, weekdays vs. weekends) are accurately modeled.


Exceeding Detection Logic

A source is considered exceeding when its current EPS significantly exceeds the expected baseline for the corresponding time window.

Detection is performed in real time by comparing:

  • Observed EPS

  • Expected EPS derived from the baseline

When the deviation exceeds defined thresholds, an Exceeding Source alert is generated.


Severity-Based Alert Thresholds

Exceeding thresholds are dynamically applied based on the criticality of the source, as defined in the CMDB:

Source Criticality | Exceeding Alert Trigger
High               | EPS exceeds 130% of baseline
Medium             | EPS exceeds 140% of baseline
Low                | EPS exceeds 150% of baseline

This graduated model applies stricter sensitivity to more critical assets.


Low-Volume Source Handling

Sources with very low baseline EPS are excluded from standard exceeding detection to avoid false positives.

For these sources, the platform applies alternative logic to ensure alerts are only generated when the observed behavior represents a meaningful deviation from expected activity.


Baseline Smoothing (EWMA)

To reduce sensitivity to short-lived spikes and noise, the platform applies Exponentially Weighted Moving Average (EWMA) smoothing:

  • Default smoothing factor: α = 0.3

  • Recent observations are weighted more heavily

This allows the baseline to adapt gradually while remaining robust.


Poisson-Based Detection for Low EPS Sources

When the baseline EPS is below the minimum threshold required for reliable percentage-based analysis, the platform switches to a Poisson-based detection model.

In this mode:

  1. The historical event rate is estimated as: λ (lambda) = mean historical events per minute

  2. Event arrival is modeled as a Poisson process

  3. An exceeding alert is triggered if the observed event count exceeds the 95th percentile (P95) of the Poisson distribution for the evaluation window

This statistical method ensures accurate detection for low-frequency sources.
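The following is an added worked example, not code from the platform itself, that ties together the sections above: a time-aware baseline keyed by weekday and hour (Behavioral Baseline Definition), EWMA smoothing with α = 0.3 (Baseline Smoothing), the 130/140/150% multipliers by source criticality (Severity-Based Alert Thresholds), and the switch to a Poisson P95 test for low-volume sources (Poisson-Based Detection). The cut-off below which Poisson mode is used (MIN_BASELINE_EPS) is an assumed placeholder, since the page states no value; the history samples and the 2024 timestamps are constructed for the demonstration.

```python
import math
from datetime import datetime, timedelta

# Values taken from the page: severity-based multipliers and the EWMA alpha
THRESHOLD_BY_CRITICALITY = {"high": 1.30, "medium": 1.40, "low": 1.50}
ALPHA = 0.3
# Assumed cut-off (placeholder): the page says low-baseline sources switch to
# Poisson mode but does not state the value, so this is not the platform's number.
MIN_BASELINE_EPS = 1.0
P95 = 0.95


def poisson_p95(lam):
    """Smallest k such that P(X <= k) >= 0.95 for X ~ Poisson(lam).

    The PMF is accumulated term by term using P(X=k) = P(X=k-1) * lam / k,
    so no external statistics library is needed.
    """
    k = 0
    term = math.exp(-lam)  # P(X = 0)
    cdf = term
    while cdf < P95:
        k += 1
        term *= lam / k
        cdf += term
    return k


class EpsBaseline:
    """Time-aware EWMA baseline: one smoothed EPS value per (weekday, hour) slot,
    so Monday 09:00 is only ever compared against previous Mondays at 09:00."""

    def __init__(self, alpha=ALPHA):
        self.alpha = alpha
        self.slots = {}

    @staticmethod
    def slot(ts):
        return (ts.weekday(), ts.hour)

    def update(self, ts, eps):
        key = self.slot(ts)
        prev = self.slots.get(key)
        # The first sample seeds the slot; later samples are blended with weight alpha,
        # so recent weeks count more than older ones.
        self.slots[key] = eps if prev is None else self.alpha * eps + (1 - self.alpha) * prev

    def expected(self, ts):
        return self.slots.get(self.slot(ts))


def evaluate(baseline, ts, observed_eps, criticality, window_minutes=1):
    """Classify one observation: percentage mode for normal-volume sources,
    Poisson P95 mode for low-volume ones, and no verdict without a baseline."""
    expected = baseline.expected(ts)
    if expected is None:
        return {"mode": "none", "exceeding": False, "reason": "no baseline for slot"}

    if expected >= MIN_BASELINE_EPS:
        limit = THRESHOLD_BY_CRITICALITY[criticality]
        ratio = observed_eps / expected
        return {"mode": "percentage", "exceeding": ratio > limit,
                "expected_eps": expected, "ratio": round(ratio, 3), "limit": limit}

    # Poisson mode: lambda is the expected event count for the evaluation window
    lam = expected * 60 * window_minutes
    threshold = poisson_p95(lam)
    observed_count = round(observed_eps * 60 * window_minutes)
    return {"mode": "poisson", "exceeding": observed_count > threshold,
            "lambda": lam, "p95": threshold, "observed_count": observed_count}


def build_demo_baseline(weekly_samples, start=datetime(2024, 1, 1, 9)):
    """Constructed history: one sample per week at the same weekday and hour
    (2024-01-01 09:00 is a Monday)."""
    b = EpsBaseline()
    for i, eps in enumerate(weekly_samples):
        b.update(start + timedelta(weeks=i), eps)
    return b


def run_demo():
    """Constructed scenario exercising both modes; returns the verdicts."""
    monday_9 = datetime(2024, 1, 22, 9)  # the Monday after the three history weeks
    busy = build_demo_baseline([100.0, 110.0, 105.0])  # e.g. a perimeter firewall
    quiet = build_demo_baseline([0.05, 0.05, 0.05])    # about 3 events per minute
    return {
        "busy_high": evaluate(busy, monday_9, 140.0, "high"),
        "busy_medium": evaluate(busy, monday_9, 140.0, "medium"),
        "off_hours": evaluate(busy, monday_9.replace(hour=3), 140.0, "high"),
        "quiet_burst": evaluate(quiet, monday_9, 10 / 60, "low"),
        "quiet_normal": evaluate(quiet, monday_9, 5 / 60, "low"),
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(name, result)
```

Running the demo shows why the graduated thresholds matter: the same 140 EPS reading against a smoothed baseline of 103.6 EPS (ratio 1.351) raises an alert for a high-criticality source but not for a medium one, while the quiet source is judged against a Poisson P95 of 6 events per minute instead of a percentage, so a burst of 10 events alerts and 5 events does not.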


Alert Accuracy and Business Impact

By combining:

  • Time-aware behavioral baselines

  • Severity-based exceeding thresholds

  • EWMA smoothing

  • Poisson-based modeling for low-volume sources

the platform provides high-confidence detection of abnormal log volume growth with minimal false positives.

This capability enables SOC teams to:

  • Detect early indicators of compromise

  • Identify misconfigurations and operational changes

  • Gain real-time visibility into customer growth and licensing impact

  • Support commercial and capacity planning decisions


Relationship with Other Ingestion Health Monitors

Exceeding source detection complements other ingestion health mechanisms:

  • Silenced Sources detect complete loss of logs

  • Degraded Sources detect abnormal reductions in volume

  • Exceeding Sources detect abnormal increases in volume

Together, these mechanisms provide full-spectrum visibility into log ingestion behavior and operational health across the platform.

