I have a question about the analytics engine - how long does it take for it to establish a baseline?
I had it enabled yesterday and it started to give out alerts during the night, in the span of several hours.
seems like a rather short time to establish baselines, even based on data from only the agents installed on the endpoints.
Hi @Daniel_Itenberg this is highly subjective, based on the host activities. Each detector has its own activation time, based on the data present in CDL. The baseline is also recomputed over time based on newer activities. There might be some FP's in the beginning, but with alerts tuning and recurring baseline computations, the baseline gets normalized ("better") over time.
You can refer to the explanation of various components of detector timelines here.
You can refer to the list of Analytics Alerts here, with the respective timelines.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!