When the Detect or Enforce mode of
Operations Behavior Anomaly Detection is selected, the
Learning time option becomes available. You can specify
the learning period for the target agents/group from the Learning
time menu. Agents that have not yet established their own baselines
then start learning, and once the learning period ends, they automatically
switch to the predefined Detect or
Enforce mode.
See the following instructions for how to set the learning time.
Procedure
- Go to , scroll down and find the Operations Behavior Anomaly Detection pane. Select Detect or Enforce.
- The Learning time section appears.
- Scroll down and determine which security pillars (Script
Behavior, User Login, or
Application Behavior) you want to enable. Ensure you
toggle on at least one of them for the agent-device to establish the associated
baseline.
Note
The three security pillars can be individually toggled on to guard separate vulnerability points, or you can enable them all for complete protection.
- Specify the learning period for the target agent-device from the Learning time menu.
- A progress bar displaying how many days are left for learning appears on the
Agents screen or the General
Info page for the agent-device. See About the Agents Screen for more information.
Note
- The learning time counts only when the target agent-device is powered on.
- If you toggle on the security pillars separately, the learning period you specified stays fixed, but the actual learning time displayed on the progress bar varies depending on when the last pillar is enabled. In addition, the agent switches to the predefined Detect or Enforce mode for each security pillar separately. See the following use case for more details.
-