Analytics engine time to establish baseline

cancel
Showing results for 
Search instead for 
Did you mean: 

Analytics engine time to establish baseline

L2 Linker

Hi all, 

I have a question about the analytics engine - how long does it take for it to establish a baseline?

I had it enabled yesterday and it started to give out alerts during the night, in the span of several hours. 

seems like a rather short time to establish baselines, even based on data from only the agents installed on the endpoints.

2 REPLIES 2

L2 Linker

Hi @Daniel_Itenberg this is highly subjective, based on the host activities. Each detector has its own activation time, based on the data present in CDL. The baseline is also recomputed over time based on newer activities. There might be some FP's in the beginning, but with alerts tuning and recurring baseline computations, the baseline gets normalized ("better") over time.

 

You can refer to the explanation of various components of detector timelines here.

You can refer to the list of Analytics Alerts here, with the respective timelines.

 

 

I grabbed a screenshot for a tenant. As you can see -  beaseline creation can take up to 3 hours, so you were right on the money for baseline creation. I assume EDR was already enabled for 2 weeks or more.  

 

bbarmanroy_0-1637912952159.png

 

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!