This section describes how to apply the Add to Baseline action when the relevant event occurs, and what the outcome is. Applying this action allows the detected anomalies to run on the device without further checks.

Procedure

  1. To check agent events, go to Logs > Agent Events.
  2. Find the Warning-level events related to Operations Behavior Anomaly Detection, and then click the Event Details icon in the Action column.
  3. The Event Details window appears.
  4. Click Add to Baseline to apply this action. The detected unrecognized application, as shown in the following example, will be added to the agent baseline as an approved application.
    [Figure: An example of the event with the "Add to Baseline" action]
  5. To check if the application has been added to the agent baseline, go to the Situational Awareness page.
  6. Find the search and filter tool, select Added From and Event action as the criteria and click the search icon.
  7. As a result, the table displays a list of the approved applications added from the event action "Add to Baseline".
    Note
    Because baseline data are transmitted at the default or specified policy refresh interval, the result of the applied action may not appear in the Situational Awareness baseline immediately. You can shorten the policy refresh interval to make the result appear earlier. See Set Policy Refresh Interval for how to configure the settings.