XDR analytics (AI/ML) model maturity


L1 Bithead

Hi

As per our understanding, XDR claims to have analytics out of the box.

Though I understand XDR needs to be tuned in an organization, after which the AI/ML detection capabilities will improve.

So what are all the ways we can tune the Analytics, ABIOC, etc.? If we start creating correlation or suppression rules to remove noise, will the analytics aspect improve?

Kindly let me know.


L5 Sessionator

Hi @meanmach, thanks for reaching us using the Live Community.

The Analytics engine requires at least 30 endpoints with the agent installed and two weeks of ingested logs to be enabled and start having a good baseline. If your logs are not only from endpoints, then the baseline will be more accurate and you will have fewer false positives. Here is a very interesting doc about Analytics, and you can find here another one with all the data sources supported and the alert reference.

If you find any alert that is considered an alert for XDR but in your environment is normal behavior, you can create Alert Exclusions with a right click on it from the Alerts view.


Or you can go to Settings - Exceptions Configuration and create a new Alert Exclusion and manually select all the parameters from the Alerts list presented on the screen. More info here.


If this post answers your question, please mark it as the solution.

JM

Thanks a lot for the information provided. For the second part of the question, I want to reiterate my point again: would the creation of suppression or exclusion rules, say over a span of a month, be able to tune the analytics?

L1 Bithead

Wanted to ask a further question: what if I want to see the alerts generated but don't want them to contribute towards an incident? Is there any way this can be achieved?
