https://live.paloaltonetworks.com/t5/expedition-discussions/ml-destination-ip-filte/m-p/357873#M3043 <P>Replied too fast just now!</P> <P>&nbsp;</P> <P>I typically go slowly when building filters and sorting the machine learning results in greenfield. Personally I like to add application column, group by dst-address or src-address, then sort on that field. Can use default view that groups by app to show some higher-risk apps like rdp or ssh and start breaking rules out like that, but I usually end up grouping by IP since customer has inventory that they are working from and we go down that list to make sure we cover everything. My case is assuming 5000+ hosts in the environment, so the recommendations get noisy.</P> <P>&nbsp;</P> <P>Once you're grouping by IP, can easily add filter there. FWIW, the filters aren't amazing (10.10.10.10 will match 10.10.10.100 too), but they help a ton if you can layer the filters on results.</P> Wed, 21 Oct 2020 19:16:13 GMT BenKnorr2 2020-10-21T19:16:13Z https://live.paloaltonetworks.com/t5/expedition-discussions/ml-destination-ip-filte/m-p/355671#M3038 <P>Hi,</P> <P>&nbsp;</P> <P>Wondering if there's a way to filter the results from ML to only show results for destination IP's in the 10.0.0.0/8 range? I'm building out a greenfield rulebase, would prefer to ignore any suggested rules for external networks at this stage.</P> <P>&nbsp;</P> <P>I tried the below but doesn't seem to work.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ikunduraci_0-1602478897139.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/28171iC4A380B20765BFB4/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="ikunduraci_0-1602478897139.png" alt="ikunduraci_0-1602478897139.png" /></span></P> <P>Cheers</P> Mon, 12 Oct 2020 05:01:57 GMT https://live.paloaltonetworks.com/t5/expedition-discussions/ml-destination-ip-filte/m-p/355671#M3038 ikunduraci 2020-10-12T05:01:57Z https://live.paloaltonetworks.com/t5/expedition-discussions/ml-destination-ip-filte/m-p/357872#M3042 <P>In your project, in the M.Learning tab, you can set your enabled networks to only include internal stuff that you want to make rules for. Once you have analyzed the enabled networks, doing m.learning on any policies should only reflect that new ip space.</P> Wed, 21 Oct 2020 19:08:35 GMT https://live.paloaltonetworks.com/t5/expedition-discussions/ml-destination-ip-filte/m-p/357872#M3042 BenKnorr2 2020-10-21T19:08:35Z https://live.paloaltonetworks.com/t5/expedition-discussions/ml-destination-ip-filte/m-p/357873#M3043 <P>Replied too fast just now!</P> <P>&nbsp;</P> <P>I typically go slowly when building filters and sorting the machine learning results in greenfield. Personally I like to add application column, group by dst-address or src-address, then sort on that field. Can use default view that groups by app to show some higher-risk apps like rdp or ssh and start breaking rules out like that, but I usually end up grouping by IP since customer has inventory that they are working from and we go down that list to make sure we cover everything. My case is assuming 5000+ hosts in the environment, so the recommendations get noisy.</P> <P>&nbsp;</P> <P>Once you're grouping by IP, can easily add filter there. FWIW, the filters aren't amazing (10.10.10.10 will match 10.10.10.100 too), but they help a ton if you can layer the filters on results.</P> Wed, 21 Oct 2020 19:16:13 GMT https://live.paloaltonetworks.com/t5/expedition-discussions/ml-destination-ip-filte/m-p/357873#M3043 BenKnorr2 2020-10-21T19:16:13Z