This section describes how to apply the Add to Baseline action when the relevant event occurs and the associated outcomes.
- To check StellarProtect agent events, go to Logs > Agent Events > StellarProtect.
Note:
To check StellarProtect (Legacy Mode) agent events, select the StellarProtect (Legacy Mode) tab page instead.
- Find the Warning level events related to the Operations Behavior Anomaly Detection, and then click the Event Details icon in the Action column.
- Click Add to Baseline to apply this action. For example, the unrecognized application detected, as shown in the image below, will be added to the agent baseline as an approved application.
Figure 1. An example of the event with "Add to Baseline" action
- To check if the application has been added to the agent baseline, go to the Situational Awareness page.
- Find the search and filter tool, select Added From and Event action as the criteria and click the search icon.
- As a result, the table displays a list of the approved applications added from the event action "Add to Baseline".
Note:
Since the baseline data are transmitted at the default or specified policy refresh interval, the result of the applied action may not appear in the Situational Awareness baseline immediately. You can shorten the policy refresh interval to make the result appear earlier. See Set Policy Refresh Interval for how to configure the settings.