Per-algorithm settings
These settings affect the functions of individual FA algorithms and include the option to enable and disable the algorithm to match network behavior analysis needs.
- Exporters
By default, an FA algorithm is run against all incoming Exporter flows, which may adversely affect system performance, particularly when there are flows that do not include the data required by the algorithm.
To reduce both the overall number of flows being interrogated by the system and the volume of unnecessary Events and Alarms, the Include and Exclude options should be used to define the list of Exporters to be monitored by the algorithm.
- Exclusions
By defining specific IP addresses, IP ranges, subnets, child groups, and/or hostnames to exclude from an FA algorithm, it is possible to further reduce the number of hosts that can trigger Alarms.
Adding entities to an FA algorithm’s exclusion list whitelists them, permitting behavior that would otherwise generate Alarms, for example from NetOps/SecOps teams and other authorized IT staff or devices.
- Thresholds
Alarm-generating FA algorithms can be configured with a threshold that controls the point at which the algorithm generates an Alarm.
Thresholds can be used to increase or decrease the algorithm’s tolerance for the specified behavior or traffic, which can greatly reduce the number of false positives reported via the Alarm Monitor views.
- Additional settings
Due to the diversity in FA algorithm capabilities, certain algorithms may also have additional configuration options that are specific to their functions.
In some cases, these settings can be used to fine-tune the algorithm’s behavior, while in others, they will need to be configured before the algorithm can be enabled.
Note
Some FA algorithms, such as Baselining, require no further configuration and can only be enabled or disabled.
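The following added Python model, which is not the product’s own code, shows how the option groups above interact in the order described: the Exporter include/exclude lists decide which flows are interrogated at all, the exclusion list whitelists hosts so they can never trigger an Alarm, and the threshold sets the point at which an Alarm fires. The flow records, the settings and the “distinct destinations” rule used as the algorithm’s behavior are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flows (not real data): the Exporter that sent the record,
# the source address, its hostname if resolved, and the destination address.
def _flows(exporter, src, host, n_dst):
    return [{"exporter": exporter, "src": src, "host": host,
             "dst": f"192.168.100.{i}"} for i in range(1, n_dst + 1)]

FLOWS = (
    _flows("10.0.0.1", "192.168.1.10", "scanner01", 6)  # authorized scanner
    + _flows("10.0.0.1", "192.168.1.20", None, 5)       # exactly at the threshold
    + _flows("10.0.0.1", "192.168.1.40", None, 7)       # over the threshold
    + _flows("10.0.0.1", "10.5.5.5", None, 6)           # inside an excluded subnet
    + _flows("10.0.0.2", "192.168.1.30", None, 8)       # Exporter not in the include list
)

# Hypothetical per-algorithm settings modelled on the option groups above.
SETTINGS = {
    "enabled": True,
    "exporters_include": {"10.0.0.1"},   # empty set means "all Exporters"
    "exporters_exclude": set(),
    "exclusions": ["hostname:scanner01", "10.5.5.0/24", "172.16.0.1-172.16.0.5"],
    "threshold": 5,                      # Alarm when distinct destinations exceed this
}

def exporter_selected(exporter, include, exclude):
    """A non-empty include list restricts; the exclude list always removes."""
    return (not include or exporter in include) and exporter not in exclude

def host_excluded(ip, hostname, exclusions):
    """Match a host against single IPs, IP ranges (a-b), CIDR subnets or hostname: entries."""
    addr = ipaddress.ip_address(ip)
    for entry in exclusions:
        if entry.startswith("hostname:"):
            if hostname and hostname.lower() == entry[len("hostname:"):].lower():
                return True
        elif "-" in entry:
            lo, hi = (ipaddress.ip_address(p) for p in entry.split("-", 1))
            if lo <= addr <= hi:
                return True
        elif addr in ipaddress.ip_network(entry, strict=False):
            return True
    return False

def run_algorithm(flows, settings):
    """Return {src: distinct destinations} for every host that trips the Alarm."""
    if not settings["enabled"]:
        return {}
    seen = defaultdict(set)
    for f in flows:
        if not exporter_selected(f["exporter"], settings["exporters_include"],
                                 settings["exporters_exclude"]):
            continue                     # flow is never interrogated
        if host_excluded(f["src"], f["host"], settings["exclusions"]):
            continue                     # whitelisted: cannot trigger an Alarm
        seen[f["src"]].add(f["dst"])
    return {s: len(d) for s, d in seen.items() if len(d) > settings["threshold"]}
```

Lowering `threshold` to 4 makes the host at exactly five destinations alarm as well, which is the tolerance trade-off the Thresholds section describes.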