ML rules

The Admin > Alarm Monitor > ML Rules page is the management view for inclusion and exclusion rules for the Plixer ML Engine.

Inclusions and exclusions are managed in separate subtabs.

Note

The Plixer ML Engine is part of the Plixer One Enterprise solution. Contact Plixer Technical Support to learn more.

Managing inclusion rules

The Inclusions tab defaults to the By Host subview, which lists the following details for all current host/subnet inclusions:

Status

Current state of the inclusion (green: Enabled, grey: Disabled)

CIDR

Network address and prefix length of the included host/subnet, in CIDR notation

# HOST(s)

Number of hosts included in the subnet

Sensitivity

Sensitivity setting for the inclusion

Detections

Optional malware detections (green: Enabled, grey: Disabled)

Last Modified

Date and time the rule was last modified

The By Exporter subview (accessible via the dropdown) lists the following details for all current exporter interface inclusions:

Status

Current state of the inclusion (green: Enabled, grey: Disabled)

Sensitivity

Sensitivity setting for the inclusion

Last Modified

Date and time the rule was last modified

Adding an inclusion rule for a host or subnet

Additional host inclusion rules can be defined from the By Host subview as follows:

  1. Click the add (+) button to open the Add ML Host tray.

  2. Enter the network address and select the appropriate netmask for the host/subnet to be added.

  3. Select the sensitivity setting for the inclusion.

  4. [Optional] Enable threat detection using pre-trained algorithms for the host/subnet with the Malware Detections toggle.

  5. [Optional] To add the inclusion rule in a disabled state, use the Enabled toggle.

  6. Click the Save button to save the rule configuration.

Once created, new host inclusion rules will be added to the list in the By Host subview under the network address specified. Settings for existing host inclusion rules can be modified at any time by clicking on the edit (pencil) icon in the details/configuration tray.

Adding an inclusion rule for an exporter interface

Additional exporter inclusion rules can be defined from the By Exporter subview as follows:

  1. Click the add (+) button to open the Add ML Exporter tray.

  2. Select the exporter to add from the Network dropdown.

  3. Select the sensitivity setting for the inclusion.

  4. [Optional] To add the inclusion rule in a disabled state, use the Enabled toggle.

  5. Click the Save button to save the rule configuration.

Once created, new exporter inclusion rules will be added to the list in the By Exporter subview under the exporter interface specified. Settings for existing exporter inclusion rules can be modified at any time by clicking on the edit (pencil) icon in the details/configuration tray.

Deleting inclusion rules

Inclusion rules can be deleted from either subview by selecting one or more rules in the list/table, and then selecting the Delete option in the bulk actions tray.

Alternatively, inclusion rules can instead be disabled (either individually or as a bulk action) to retain the definitions.

Note

The Bulk Actions button is only available when one or more items are selected in the main table/view.

Managing exclusion rules

The Exclusions tab lists the following details for all current exclusion rules:

Source

Source address

Host(s)

Hosts included in the source address

Destination

Destination address

Host(s)

Hosts included in the destination address

Detections

Number of detections ignored for the rule

Last modified

Date and time the rule was last modified

Adding an exclusion rule

An exclusion rule can be defined from the Exclusions tab as follows:

  1. Click the add (+) button to open the Add Exclusion tray.

  2. Configure the source network address.

  3. Configure the destination network address.

  4. Under Detections, select the detections that should should be ignored for the specified traffic.

  5. Click the Save button to save the rule configuration.

Once created, new exclusion rules will be added to the list in the main view of the Exclusions tab. Settings for existing exclusion rules can be modified at any time by clicking on the edit (pencil) icon in the details/configuration tray.

Note

0.0.0.0/0 can be used as the source or the destination to exempt all traffic to or from the paired address from the selected ML detections, regardless of the other endpoint.
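The following is an added example, not Plixer code and not an API of the Plixer ML Engine: a small Python model of how the inclusion and exclusion rules described above fit together, so the effect of a rule set (including the 0.0.0.0/0 wildcard) can be checked before it is entered in the UI. The rule fields mirror the columns of the By Host and Exclusions views; the evaluation order (inclusion first, malware toggle second, exclusions last), the longest-prefix choice between overlapping inclusions, the host-count convention and all sample addresses and detection names are assumptions constructed for illustration.

```python
"""Added example (not Plixer's code): a model of ML inclusion/exclusion rule
semantics as described on the ML Rules page, using Python's ipaddress module.
Evaluation order, host-count convention and sample values are assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

WILDCARD = "0.0.0.0/0"  # accepted as source or destination to match any address


@dataclass(frozen=True)
class HostInclusion:
    """One row of Inclusions > By Host."""
    cidr: str                         # CIDR column
    sensitivity: str                  # Sensitivity column (label values assumed)
    malware_detections: bool = False  # Detections column (Malware Detections toggle)
    enabled: bool = True              # Status column

    def host_count(self) -> int:
        """'# HOST(s)' column. Assumption: every address in the block is counted."""
        return ip_network(self.cidr, strict=False).num_addresses

    def contains(self, host: str) -> bool:
        return ip_address(host) in ip_network(self.cidr, strict=False)


@dataclass(frozen=True)
class Exclusion:
    """One row of the Exclusions tab. Either side may be the 0.0.0.0/0 wildcard."""
    source: str
    destination: str
    ignored_detections: frozenset

    def matches(self, src: str, dst: str) -> bool:
        # 0.0.0.0/0 contains every IPv4 address, which is what makes it a wildcard.
        return (ip_address(src) in ip_network(self.source, strict=False)
                and ip_address(dst) in ip_network(self.destination, strict=False))


def matching_inclusion(host: str, inclusions) -> Optional[HostInclusion]:
    """Most specific enabled inclusion covering the host (longest prefix wins; assumed)."""
    hits = [r for r in inclusions if r.enabled and r.contains(host)]
    if not hits:
        return None
    return max(hits, key=lambda r: ip_network(r.cidr, strict=False).prefixlen)


def evaluate(detection: str, src: str, dst: str, inclusions, exclusions,
             malware_only: bool = False) -> str:
    """Decide what happens to one candidate detection on a src -> dst flow.

    Returns 'alert', 'not included', 'malware detections disabled' or 'excluded'.
    Assumption: a flow is in scope when either endpoint is covered by an enabled
    inclusion; malware_only detections also need the Malware Detections toggle;
    exclusions are applied last and only suppress the detections they list."""
    rule = matching_inclusion(src, inclusions) or matching_inclusion(dst, inclusions)
    if rule is None:
        return "not included"
    if malware_only and not rule.malware_detections:
        return "malware detections disabled"
    for ex in exclusions:
        if detection in ex.ignored_detections and ex.matches(src, dst):
            return "excluded"
    return "alert"


# Constructed sample rule set (addresses and detection names are placeholders).
INCLUSIONS = [
    HostInclusion("10.1.0.0/16", "Medium"),
    HostInclusion("10.1.50.0/24", "High", malware_detections=True),
    HostInclusion("192.168.9.0/24", "Low", enabled=False),
]
EXCLUSIONS = [
    # An authorised scanner host: ignore "port_scan" findings to any destination.
    Exclusion("10.1.50.7/32", WILDCARD, frozenset({"port_scan"})),
]

if __name__ == "__main__":
    for r in INCLUSIONS:
        print(f"{r.cidr:18} hosts={r.host_count():<6} enabled={r.enabled}")
    print(evaluate("port_scan", "10.1.50.7", "10.1.20.3", INCLUSIONS, EXCLUSIONS))
    print(evaluate("port_scan", "10.1.20.3", "10.1.50.7", INCLUSIONS, EXCLUSIONS))
    print(evaluate("beaconing", "192.168.9.4", "203.0.113.5", INCLUSIONS, EXCLUSIONS))
```

Note that the exclusion above is directional: with 10.1.50.7/32 as the source and 0.0.0.0/0 as the destination, a port_scan finding from the scanner is suppressed, but the same finding with the scanner as the destination still alerts. Exempting both directions needs a second rule with the addresses swapped.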

Deleting exclusion rules

Exclusion rules can be deleted from the main Exclusions list/table by selecting one or more rules, and then selecting the Delete option in the bulk actions tray.

Alternatively, exclusion rules can instead be disabled (either individually or as a bulk action) to retain the definitions.

Note

The Bulk Actions button is only available when one or more items are selected in the main table/view.