See the example below for how the learning time works if the security pillars are enabled separately.
- Three days ago, you've enabled the Detect mode for Operations Behavior Anomaly Detection, toggled on the Script Behavior, and set the Learning time to 3 days.
- This morning, you enabled the User Login and then the agent started establishing the baseline of the approved login accounts.
- If you had not enabled the User Login today, the learning progress bar displayed on the Agents screen should have disappeared and the status should have changed to Detect. However, the progress bar still exists because you enabled the User Login today (without changing the learning period, which was set to 3 days).
-
For now, the agent is multitasking for the Operations Behavior
Anomaly Detection function:
-
The Script Behavior baseline has been established and the agent is actually detecting any anomalies now. You may find relevant events on the Agent Events.
-
The agent is now establishing the User Login baseline. The learning progress bar on the Agents screen indicates there are 3 days left for learning before entering the Detect mode.
-
- Moreover, if you changed the learning time to 7 days while enabling the User Login today, the agent would start updating the baseline for Script Behavior; on the other hand, it would start establishing the baseline for User Login. To elaborate, since the agent has already collected the script behaviors for 3 days, the actual learning time for Script Behavior was extended to 4 days only. As for the User Login, the actual learning time was set to 7 days.
Parent topic: Setting the Learning Time