Managing inclusions

The Plixer ML Engine models network behavior using flow data from hosts, subnets, and/or Exporters that have been defined as inclusions or sources. By default, the 20 hosts that best match the currently enabled dimensions are automatically added as inclusions.

To further adapt network models to an organization’s unique requirements, inclusions can be added, removed, or reconfigured from the Admin > Alarm Monitor > Manage ML Inclusions page of the Plixer Scrutinizer web interface.

Configuring inclusions

When defining an inclusion for the Plixer ML Engine, the following settings must be configured:

  • Network address of the host, subnet, or Exporter to be added

  • Sensitivity value (low, medium, or high), which controls how much observed behavior must deviate from expected traffic/activity patterns before it is considered anomalous or suspicious. Lowering the sensitivity will result in even small deviations from learned activity patterns being reported as Alarms, but it also increases the risk of false positives.

  • The Malware Detections setting enables or disables the use of pre-trained classification models to recognize and report network activity associated with common malware classes.

  • The Enabled toggle is used to enable or disable the host, subnet, or Exporter as an inclusion. Inclusions can be added in the disabled state and enabled at a later time.

Hint

The sensitivity setting for an inclusion can be left at its default value and later changed following a 7-day period of observation (recommended).

After the Plixer ML Engine has been deployed, it is highly recommended to review the Manage ML Inclusions page to verify that the pre-added inclusions are best suited for modeling typical or atypical activity in the current environment. Inclusions should be added or removed as necessary.