Fine-tuning: making the necessary changes to a rule's condition or to its aggregation so that, as far as possible, the rule fires only when suspicious activity is found.
Fine-tuning is done in four ways:
1. Increasing or decreasing the aggregation: sometimes a rule fires again and again for a user; increase the aggregation to save CPU utilization. Sometimes the rule does not fire but CPU utilization still increases; then decrease the aggregation.
2. Whitelist a condition to avoid false positives, for example: destination username != user
3. Apply a suppression list or delay list to avoid the rule firing repeatedly.
4. Avoid partial matches of the rule by decreasing the aggregation.
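To make these tuning knobs concrete, here is an added illustration (not from the original note, and not tied to any particular SIEM product): a toy correlation rule in Python is run over a constructed stream of failed logins, and its aggregation threshold, whitelist and suppression interval can be changed to see how each affects how often the rule fires. The event fields, user names and timestamps are assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample events (not from the original note): failed logins per
# destination user, with one service account that is known to be noisy.
EVENTS = [
    {"ts": 0,  "dest_user": "alice",      "action": "login_failed"},
    {"ts": 5,  "dest_user": "alice",      "action": "login_failed"},
    {"ts": 9,  "dest_user": "alice",      "action": "login_failed"},
    {"ts": 12, "dest_user": "svc_backup", "action": "login_failed"},
    {"ts": 13, "dest_user": "svc_backup", "action": "login_failed"},
    {"ts": 14, "dest_user": "svc_backup", "action": "login_failed"},
    {"ts": 70, "dest_user": "alice",      "action": "login_failed"},
    {"ts": 72, "dest_user": "alice",      "action": "login_failed"},
    {"ts": 75, "dest_user": "alice",      "action": "login_failed"},
]


def run_rule(events, threshold=3, window=60, whitelist=(), suppress=0):
    """Fire when a destination user has >= `threshold` failed logins within
    `window` seconds.  `threshold` is the aggregation knob; `whitelist` drops
    known-noisy accounts (the note's `destination username != user`);
    `suppress` is the number of seconds after an alert during which the same
    user does not alert again (the note's suppression / delay list)."""
    alerts = []
    recent = defaultdict(list)   # per-user timestamps still inside the window
    last_alert = {}              # per-user time of the most recent alert
    for ev in events:
        if ev["action"] != "login_failed":
            continue
        user = ev["dest_user"]
        if user in whitelist:    # whitelist: known false positive, skip it
            continue
        ts = ev["ts"]
        recent[user] = [t for t in recent[user] if ts - t < window] + [ts]
        if len(recent[user]) < threshold:
            continue             # aggregation not reached: only a partial match
        if user in last_alert and ts - last_alert[user] < suppress:
            continue             # suppression: this user alerted too recently
        alerts.append((ts, user, len(recent[user])))
        last_alert[user] = ts
        recent[user] = []        # reset the aggregation once the rule has fired
    return alerts


if __name__ == "__main__":
    print("default:    ", run_rule(EVENTS))
    print("whitelisted:", run_rule(EVENTS, whitelist=("svc_backup",)))
    print("suppressed: ", run_rule(EVENTS, whitelist=("svc_backup",), suppress=120))
    print("threshold 4:", run_rule(EVENTS, threshold=4))
```

Raising `threshold` makes the same stream produce fewer alerts, the whitelist removes the service-account noise entirely, and `suppress` collapses alice's two bursts into a single alert.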