03-23-2024 11:56 PM
Hi,
As per our understanding, XDR claims to have analytics out of the box,
though I understand XDR needs to be tuned in an organization, after which the AI/ML detection capabilities will improve.
So what are all the ways we can tune the Analytics, ABIOC, etc.? If we start creating correlation or suppression rules to remove noise, will the analytics aspect improve?
Kindly let me know.
03-25-2024 10:39 AM
Hi @meanmach, thanks for reaching out to us via the Live Community.
The Analytics engine requires at least 30 endpoints with the agent installed and two weeks of ingested logs to be enabled and start having a good baseline. If your logs are not only from endpoints, then the baseline will be more accurate and you will have fewer false positives. Here is a very interesting doc about Analytics, and you can find here another one with all the data sources supported and the alert reference.
If you find any alert that is considered an Alert for XDR but in your environment is normal behavior, you can create Alert Exclusions with a right click on it from the Alerts view.
Or you can go to Settings - Exceptions Configuration and create a new Alert Exclusion and manually select all the parameters from the Alerts list presented on the screen. More info here.
If this post answers your question, please mark it as the solution.
03-26-2024 01:24 AM
Thanks a lot for the information provided. For the second part of the question, I want to reiterate my point again: would the creation of suppression or exclusion rules, say over a span of a month, be able to tune the analytics?