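# User logon anomaly hunt ----
# Loads a demo CSV of per-account logon totals, aggregates it to one row per
# account per day, then runs time-series decomposition (anomalize) on a single
# account to surface days whose logon count deviates from trend/seasonality.
#
# NOTE(review): the original script set options(warn = -1) globally. That is
# dropped here on purpose: in a hunting workflow, suppressed coercion and
# parse warnings can hide silently discarded rows, i.e. missed logon events.

# Packages ----
pkgs <- c(
  "tibbletime", "tidyverse", "anomalize", "jsonlite",
  "curl", "httr", "lubridate", "dplyr"
)

# Install only what is absent instead of reinstalling on every run. Runtime
# installs pull whatever version the configured repository currently serves;
# for repeatable analysis prefer a pinned environment (e.g. an renv lockfile).
# install.packages() needs a repository mirror configured when run
# non-interactively.
missing_pkgs <- pkgs[
  !vapply(pkgs, requireNamespace, logical(1), quietly = TRUE)
]
if (length(missing_pkgs) > 0) {
  install.packages(missing_pkgs)
}

# library() stops on a missing package; require() only returns FALSE, which
# lets the script continue and fail later with a less obvious error.
invisible(lapply(pkgs, function(pkg) {
  suppressPackageStartupMessages(library(pkg, character.only = TRUE))
}))

# Load data ----
# The URL follows the mutable `master` branch, so the file content can change
# between runs. For reproducible results, pin the path to a commit
# (<COMMIT_SHA> in place of `master`) or read a local copy whose checksum has
# been verified.
urlfile <- 'https://raw.githubusercontent.com/ashwin-patil/threat-hunting-with-notebooks/master/rawdata/UserLogons-demo.csv'
userlogondemo <- read.csv(urlfile)

# Fail early if the remote file does not have the columns used below, rather
# than producing an empty or misleading plot.
required_cols <- c("AccountName", "AccountNtDomain", "Date", "TotalLogons")
absent_cols <- setdiff(required_cols, names(userlogondemo))
if (length(absent_cols) > 0) {
  stop(
    "Input is missing expected column(s): ",
    paste(absent_cols, collapse = ", "),
    call. = FALSE
  )
}

str(userlogondemo)
head(userlogondemo)

# Order rows by account, domain and date ----
userlogonsummary <- userlogondemo %>%
  arrange(AccountName, AccountNtDomain, Date)

# as.Date() with an explicit format yields NA for values it cannot parse;
# report how many rows that affects so gaps in the series are not mistaken
# for quiet days.
n_bad_dates <- sum(is.na(as.Date(userlogonsummary$Date, "%m/%d/%Y")))
if (n_bad_dates > 0) {
  warning(
    n_bad_dates, " row(s) have a Date that does not match %m/%d/%Y",
    call. = FALSE
  )
}

# Aggregate to daily logon count per account ----
byuser <- userlogonsummary %>%
  mutate(Date = as.Date(Date, "%m/%d/%Y")) %>%
  group_by(Date, AccountName) %>%
  summarise(logoncount = sum(TotalLogons)) %>%
  ungroup() %>%
  arrange(AccountName, Date)
head(byuser)

# Select the account to analyse ----
FilteredAccount <- "SRVACCNT-01"

user_logons <- byuser %>%
  filter(AccountName == FilteredAccount)
if (nrow(user_logons) == 0) {
  stop("No logon rows found for account: ", FilteredAccount, call. = FALSE)
}

# Decompose and flag anomalies ----
# Computed once and reused by both plots below (the original ran the same
# decomposition twice). `byuser` is already ungrouped, so no further
# ungroup() is needed before time_decompose().
user_anomalies <- user_logons %>%
  time_decompose(logoncount, method = "twitter", trend = "3 months") %>%
  anomalize(remainder, method = "gesd")

# Anomaly visualization: observed series with recomposed bounds ----
graphUser <- user_anomalies %>%
  time_recompose() %>%
  plot_anomalies(time_recomposed = TRUE) +
  labs(
    title = paste0("User Anomaly: ", FilteredAccount),
    subtitle = "Twitter + GESD Methods"
  )
plot(graphUser)

# Plot the decomposition components separately ----
user_anomalies %>%
  plot_anomaly_decomposition() +
  labs(title = "Decomposition of Anomalized Logons")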