Resilient Machine Learning can extract useful information from historical incidents that users store in their system to predict the best-matched user and assign them to an incoming incident. This blog is a tutorial for building a machine learning model for this use case.
Preparation
Let’s assume that the Resilient Machine Learning integration package has been properly installed. The next step is to create a folder to hold all the related files. For convenience, it is assumed that this new folder is called resilient_ml. In this tutorial, this folder will be the working directory for machine learning.
It is convenient to keep an app.config file in this working directory. If you already run
resilient-circuits config -c
or
resilient-circuits config -u
To generate an app.config file copy it to the working directory. For reference on how to create an app.config file, please refer to the Resilient Machine Learning Function Guide first. Note that the app.config file will only be used for building a machine learning model.
Download the Data
Once the app.config file in the working directory contains all the information about your Resilient platform, the data from the Resilient platform can be downloaded. From a terminal, go to the working directory, and type:
res-ml download -o resilient_incidents.csv
This command downloads all the incidents from the Resilient platform specified in the app.config into the working directory. The data is then saved into resilient_incidents.csv in the working directory.
Setting Up a Machine Learning Model
To build a model, the prediction field, features, algorithm, and method (optional), need to be selected. This data needs to be entered into the app.config file as follows:
- Prediction field
The first step is to predict who will own a new incident. The prediction field is owner_id. Modify the app.config field and set the prediction value like this:
prediction=owner_id
- Features
This is the difficult part. Users need to know which fields have an impact on the prediction field. A built-in field like “incident types” can be a good candidate because assignment can be related to special skills each potential analyst has. “Negative PR” could be another candidate since the severity of an incident could be related to that value as well. Note that users can also add custom fields to features.
Assuming that “incident types” and “Negative PR” are used as features, modify app.config and set the following:
prediction=incident_type_ids, negative_pr_likely
- Algorithm
According to our experience, a different algorithm, in general, causes overall accuracy difference in several percentage points. For the first try, a popular algorithm can be used here. Modify app.config and set the following:
algorithm=Logistic Regression
This sets the algorithm to be “Logistic Regression”. You can try others when you fine-tune the machine learning model later.
- Method (optional)
Ensemble method is optional. Keep it as “None” for now:
method=None
Building a Machine Learning Model
You are ready to build a machine learning model. Run the following from a terminal under the working directory.
res-ml build -c resilient_incidents.csv -o owner.ml
This command builds a machine learning model using data from resilient_incidents.csv. The resulting model is saved to owner.ml.
Since there is an app.config file, the working directory, res-ml, uses the settings in that app.config file to build the model.
This is a sample output of the model:
Note that simulation data is used in the above build, so the accuracy is low.
Using the Model You Built to Make a Prediction
Once you have a model, you can use it to make a prediction. To do so, we need to create a new rule and a new workflow.
- Modify the Model
For the function component to find the machine learning model to use, you need to modify the app.config file used by the function component, not the one in the working folder. Normally the function component (Resilient Circuits) uses ~/.resilient/app.config. Edit that app.config file and make sure:
model_dir=Absolute_path_to_your_working_folder
This tells the function component where to look for the saved machine learning model.
- Create a Workflow
In your Resilient platform, go to Customization Settings->Workflows, and create a new Workflow for incident type. It should look like this:
Call it ML Predict Assignee. Add function “ML Predict” to your Workflow, and make sure the inputs.ml_incident_id is set properly in the Pre-Process Script, as shown above. In the Input tab, enter the name of the ML model you want to use. In this tutorial, owner.ml will be used as the name:
In the Post-Process Script, write the output result from the function to a custom field:
In this example the custom field ml_prediction that comes with the function was used. You can create your own if you prefer.
- Create a New Rule
Go to the Rules tab and create a new menu item rule, like the example shown here:
Set the Object Type to Incident, and select the Workflow you created in the first step:
- Show the Prediction
Go to the Layouts tab and create a new tab for machine learning. Drag the custom field “ml_predict” there.
- Run Your Prediction Model
When a new incident is created, make sure that all the features have valid values. In this tutorial, “incident type” and “Negative PR” were used as features of the machine learning model, so you need to make sure that these two fields are set. In the new Incident, click Actions->ML Predict Assignee:
The prediction will now be shown in the machine learning tab:
Enjoy.
#Machine Learning
#Resilient