Global ML settings

The global ML settings under Admin > Settings control how the Plixer ML Engine trains and alerts, including its training parameters, alert sensitivities, and resource utilization thresholds.

AD Users

The Plixer ML Engine is also able to ingest user activity data and access logs and alert users to anomalous behavior through user and entity behavior analytics (UEBA) detections.

UEBA alerts for Active Directory users can be enabled under Admin > Settings > ML AD Users by adding the credentials of a Microsoft Azure account that is configured to store AD user sign-in logs. Because the engine holds these credentials, use a dedicated account with read-only access to the sign-in logs rather than an administrator's credentials.

Alerts

There are three categories of alert settings that can be adjusted under Admin > Settings > ML Alerts:

Microsoft Office 365 alerts

These sensitivity values adjust the magnitude of deviation from typical behavior that will trigger the corresponding alerts. A higher value allows for greater deviation, resulting in fewer alerts for the corresponding activity.

  • Logon Sensitivity: Unusual volumes of Office 365 login events

  • Unique Source Sensitivity: Traffic coming from unusual numbers of unique hosts

  • Unique Location Sensitivity: Traffic coming from unusual numbers of unique locations

As with the inclusion sensitivities, adjust these values only after reviewing the accuracy of the resulting alarms: raising a sensitivity suppresses false positives, but it suppresses true detections of the same magnitude as well.
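The trade-off behind a sensitivity value, shown as an added illustration that is not part of the original page or of the Plixer product: the scoring below is a deliberately simple deviation-from-baseline model written for this page, not Plixer's algorithm, and the baselines, observations and confirmed-incident labels are constructed. It shows that raising a sensitivity removes alerts, and that once it is raised far enough it removes confirmed incidents too, which is why alarm accuracy should be reviewed before changing the values.

```python
"""Illustrative deviation-based alerting with a sensitivity knob.

Constructed model for this page, not Plixer's scoring algorithm: a metric
is compared with its baseline and an alert fires when the observed value
departs from the baseline mean by more than `sensitivity` standard
deviations. A higher sensitivity therefore tolerates a larger deviation
and produces fewer alerts.
"""
from statistics import mean, pstdev

# Constructed baselines: eight typical hourly values per Office 365 metric.
# "logons" has mean 100 / stdev 10; "unique_sources" has mean 50 / stdev 5,
# so the arithmetic below can be checked by hand.
BASELINES = {
    "logons": [90, 110, 90, 110, 90, 110, 90, 110],
    "unique_sources": [45, 55, 45, 55, 45, 55, 45, 55],
}

# Constructed observations for a six-hour window being scored.
OBSERVED = {
    "logons": [118, 125, 160, 105, 400, 119],
    "unique_sources": [52, 48, 66, 49, 50, 120],
}

# Hypothetical analyst verdicts: which observation indexes were real incidents.
CONFIRMED_INCIDENTS = {
    "logons": {4},
    "unique_sources": {2, 5},
}


def alerts(observed, baseline, sensitivity):
    """Indexes in `observed` that deviate from the baseline mean by more
    than `sensitivity` standard deviations."""
    mu, sigma = mean(baseline), pstdev(baseline)
    sigma = sigma or 1.0  # a flat baseline would otherwise flag any change
    return [i for i, x in enumerate(observed) if abs(x - mu) > sensitivity * sigma]


def alert_counts(sensitivities=(1.0, 2.0, 3.0, 5.0)):
    """Alert count per metric at each sensitivity; counts fall as it rises."""
    return {
        metric: {s: len(alerts(OBSERVED[metric], BASELINES[metric], s)) for s in sensitivities}
        for metric in OBSERVED
    }


def evaluate(metric, sensitivity):
    """Compare the alerts at one sensitivity with the confirmed incidents.

    Returns true positives, false positives and missed incidents: the numbers
    to look at before deciding to raise or lower a sensitivity.
    """
    fired = set(alerts(OBSERVED[metric], BASELINES[metric], sensitivity))
    truth = CONFIRMED_INCIDENTS[metric]
    return {
        "tp": len(fired & truth),
        "fp": len(fired - truth),
        "missed": len(truth - fired),
    }


if __name__ == "__main__":
    for metric, counts in alert_counts().items():
        print(metric, counts)
    # For logons, raising the sensitivity from 2 to 5 drops a false positive
    # and keeps the confirmed incident at index 4.
    print("logons @2:", evaluate("logons", 2.0))
    print("logons @5:", evaluate("logons", 5.0))
    # For unique_sources, raising it from 3 to 4 removes no false positives
    # but hides the confirmed incident at index 2.
    print("unique_sources @3:", evaluate("unique_sources", 3.0))
    print("unique_sources @4:", evaluate("unique_sources", 4.0))
```

Run as a script to print the alert counts and the precision figures for each sensitivity; the point of `evaluate` is that the right sensitivity is the one that removes false positives without pushing `missed` above zero, which cannot be judged without confirmed incidents to compare against.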

System vitals alerts

These thresholds control alerts and other actions related to high utilization of the Plixer ML Engine’s resources.

  • CPU/RAM/Disk Alert Threshold: Percentages at which a high utilization alert for the corresponding resource is triggered

  • Disk Reclaim Threshold: Disk utilization percentage at which the Plixer ML Engine will attempt to delete old indexes from Elasticsearch

Initially, these thresholds should be left at their default values. If alarms are triggered, run an ML Engine CPU, ML Engine Memory, and/or ML Engine Storage report to assess whether threshold(s) need to be increased (for temporary spikes) or additional resources should be allocated to the engine (for sustained high utilization).

Kafka lag thresholds

These thresholds set how far behind the corresponding Kafka consumer may fall (its consumer lag, the gap between the newest message written to the topic and the last one processed) before a lag alert is triggered.

  • Kafka Netflow Lag Threshold: Alerts for flow ingestion latency

  • Kafka K-means Lag Threshold: Alerts for prediction latency

  • Kafka Alerts Lag Threshold: Alerts for latency in alerts triggered by automated process reconnaissance

  • Kafka Training Data Lag Threshold: Alerts for behavior modeling latency

  • Kafka UEBA Lag Threshold: Alerts for user and entity behavior analytics (UEBA) data latency

If alarms are triggered, run an ML Engine Kafka Lag report to determine whether there is a need to scale up the engine’s resources.
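A small triage helper, added here and not part of the original page or of the Plixer product: it applies the guidance given above for both the System vitals and the Kafka lag thresholds (brief breaches point to raising the threshold, sustained breaches point to adding resources) to a series of samples like those an ML Engine CPU, Memory, Storage or Kafka Lag report would show. The sample series, the five-minute interval and the rule that six consecutive breaching samples count as "sustained" are constructed assumptions.

```python
"""Triage threshold breaches as a transient spike or sustained pressure.

Constructed helper for this page, not a Plixer tool. It encodes the
page's guidance: a brief spike above a threshold suggests the threshold
is too tight, while a sustained breach suggests the engine needs more
resources and raising the threshold would only hide the problem.
"""


def breach_runs(samples, threshold):
    """Lengths of each maximal run of consecutive samples at or above
    `threshold`, in order of occurrence."""
    runs, current = [], 0
    for value in samples:
        if value >= threshold:
            current += 1
        elif current:
            runs.append(current)
            current = 0
    if current:
        runs.append(current)
    return runs


def triage(samples, threshold, sustained_samples=6):
    """Classify a series of utilization or lag samples.

    Returns one of:
      "ok"        - no sample reached the threshold
      "spike"     - breaches occurred, but no run lasted `sustained_samples`
      "sustained" - at least one run lasted `sustained_samples` or longer
    With one sample every 5 minutes (an assumption), the default of 6 means
    30 minutes continuously above the threshold.
    """
    runs = breach_runs(samples, threshold)
    if not runs:
        return "ok"
    if max(runs) >= sustained_samples:
        return "sustained"
    return "spike"


ADVICE = {
    "ok": "leave the threshold unchanged",
    "spike": "consider raising the threshold; load is not sustained",
    "sustained": "scale the engine's resources; a higher threshold only hides the problem",
}


def recommend(name, samples, threshold, sustained_samples=6):
    """Return (verdict, one-line recommendation) for a named series."""
    verdict = triage(samples, threshold, sustained_samples)
    return verdict, f"{name}: {verdict} ({ADVICE[verdict]})"


# Constructed sample series, one value per 5-minute interval.
CPU_PERCENT = [55, 60, 58, 92, 61, 57, 59, 95, 62, 58, 60, 57]   # two isolated spikes
DISK_PERCENT = [80, 82, 85, 88, 90, 91, 92, 93, 94, 94, 95, 96]  # steady growth past 90%
NETFLOW_LAG = [1200, 1500, 1100, 900, 5000, 5200, 5100,
               4900, 5300, 5000, 4800, 5100]                     # messages behind the topic head

if __name__ == "__main__":
    for name, series, threshold in [
        ("cpu_percent", CPU_PERCENT, 90),
        ("disk_percent", DISK_PERCENT, 90),
        ("kafka_netflow_lag", NETFLOW_LAG, 4000),
    ]:
        print(recommend(name, series, threshold)[1])
```

The CPU series comes out as a spike (two isolated samples above 90%), while the disk and NetFlow lag series are sustained; for those, the page's advice is to add resources rather than to raise the Disk Alert Threshold or the Kafka Netflow Lag Threshold.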

Data limits

The Plixer ML Engine’s data limit settings cap the number of behavior models and the number of hosts the engine tracks for network/user activity modeling and prediction. The initial values are based on the engine’s default resource configuration, but they can be adjusted under Admin > Settings > ML Data Limits.

If there are alarms associated with these limits, the engine may need to be provisioned with additional resources to sustain the current volume of inclusions.

Note

To check the utilization for the current model limit, run an ML Engine Model Count report.

Training schedule

The settings under Admin > Settings > ML Training Schedule determine the seasonality applied when the Plixer ML Engine ingests traffic data, allowing it to distinguish between network activity during and outside of an organization’s hours of operation.

The engine defaults to business hours of 8 am to 6 pm, from Monday to Friday. These settings can be changed after deployment if necessary.
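Why the training schedule matters, as an added example that is not part of the original page or of the Plixer ML Engine's implementation: the code below scores the same observation against one baseline that spans every hour of the week and against separate business-hours and off-hours baselines built from the page's default schedule (8 am to 6 pm, Monday to Friday). The hourly traffic volumes, the 3-standard-deviation rule and the schedule constants are constructed assumptions.

```python
"""Why the training schedule matters: one baseline across every hour of the
week versus separate business-hours and off-hours baselines.

Constructed example for this page, not the Plixer ML Engine's implementation.
The schedule mirrors the page's defaults (08:00-18:00, Monday to Friday); the
traffic volumes and the 3-sigma rule are assumptions made for illustration.
"""
from datetime import datetime, timedelta
from statistics import mean, pstdev

BUSINESS_START_HOUR = 8          # inclusive
BUSINESS_END_HOUR = 18           # exclusive, i.e. up to 6 pm
BUSINESS_DAYS = {0, 1, 2, 3, 4}  # Monday=0 ... Friday=4


def is_business_hours(ts, start=BUSINESS_START_HOUR, end=BUSINESS_END_HOUR,
                      days=BUSINESS_DAYS):
    """True when `ts` falls inside the organization's hours of operation."""
    return ts.weekday() in days and start <= ts.hour < end


def constructed_week(start=datetime(2024, 3, 4)):
    """Hourly flow volumes (MB) for one week starting on a Monday: heavy
    during business hours, light at night and over the weekend."""
    samples = []
    for hour_index in range(7 * 24):
        ts = start + timedelta(hours=hour_index)
        if is_business_hours(ts):
            volume = 900 + (ts.hour % 3) * 20   # roughly 900-940 MB
        else:
            volume = 60 + (ts.hour % 3) * 5     # roughly 60-70 MB
        samples.append((ts, volume))
    return samples


def baselines(samples):
    """(mean, stdev) for one global bucket and for each seasonal bucket."""
    buckets = {"all": [], "business": [], "off": []}
    for ts, volume in samples:
        buckets["all"].append(volume)
        buckets["business" if is_business_hours(ts) else "off"].append(volume)
    return {name: (mean(values), pstdev(values)) for name, values in buckets.items()}


def is_anomalous(value, stats, sensitivity=3.0):
    """Deviation test: more than `sensitivity` standard deviations from the mean.
    The stdev floor of 1.0 keeps a perfectly flat bucket from flagging noise."""
    mu, sigma = stats
    return abs(value - mu) > sensitivity * max(sigma, 1.0)


def score(ts, value, stats, sensitivity=3.0):
    """Return (flagged by the global baseline, flagged by the seasonal baseline)."""
    bucket = "business" if is_business_hours(ts) else "off"
    return (is_anomalous(value, stats["all"], sensitivity),
            is_anomalous(value, stats[bucket], sensitivity))


def demo():
    """Score two constructed observations both ways."""
    stats = baselines(constructed_week())
    return {
        # 600 MB at 3 am on a Tuesday: buried by the global baseline's wide
        # spread, obvious against the off-hours baseline.
        "tuesday_03h_600mb": score(datetime(2024, 3, 5, 3), 600, stats),
        # 930 MB at 10 am on a Tuesday: normal either way.
        "tuesday_10h_930mb": score(datetime(2024, 3, 5, 10), 930, stats),
    }


if __name__ == "__main__":
    for name, (mu, sigma) in baselines(constructed_week()).items():
        print(f"{name:9s} mean={mu:7.1f} stdev={sigma:6.1f}")
    for name, verdict in demo().items():
        print(name, verdict)
```

The single all-hours baseline mixes two very different regimes, so its standard deviation is several hundred MB and a night-time burst ten times the normal off-hours volume is not flagged at all; the off-hours baseline has a standard deviation of a few MB and flags it immediately. If the organization's real hours differ from 8 am to 6 pm, Monday to Friday, the buckets are mislabeled and the same blurring happens at the edges of the day, which is why the schedule should match actual hours of operation.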