Manage ML Inclusions

The Admin > Alarm Monitor > Manage ML Inclusions page is used to manage hosts (and subnets) and/or Exporters for the Plixer ML Engine.

The page is divided into two subviews:

  • The By Host view consists of a table that includes the following details for each host or subnet:

    Status

    Current operational status of the host or subnet as an ML inclusion/source (green: Enabled, grey: Disabled)

    CIDR

    CIDR number

    # HOST(s)

    Number of hosts included in the subnet

    Sensitivity

    Threshold for classifying observed behavior as anomalous (lower -> less deviation required)

    Detections

    Option to use pre-trained ML algorithms for malware detection (green: Enabled, grey: Disabled)

    Last Modified

    Date and time the host or subnet was last modified

  • The By Exporter view table lists all Exporter inclusions, along with their configured sensitivity and Last Modified timestamp.

Adding hosts or subnets as inclusions

Hosts and subnets that are configured as ML inclusions/sources are monitored by the Plixer ML Engine (through Plixer Scrutinizer), which bases its network behavior models on their activity and the currently enabled dimensions.

To add a new host or subnet as an inclusion for the Plixer ML Engine, follow these steps:

  1. On the By Host view, click the + button to open the Add ML Host tray.

  2. Enter the network address and select the appropriate mask for the host or subnet to be added.

  3. Select between High, Medium, and Low sensitivity from the dropdown.

Note

When setting up inclusions for the Plixer ML Engine for the first time, it is recommended to leave all sensitivity settings at their default values and make adjustments after a period of observation. The Reset button can be used to revert the sensitivity setting to its default value.

  4. If necessary, use the Malware Detections toggle to enable threat detection using pre-trained algorithms for the host or subnet.

  5. To immediately enable the host or subnet as an ML inclusion, leave the Enabled toggle as is and click the Apply button.

The settings for an existing host or subnet inclusion can be edited at any time by clicking it in the main table view.

Adding Exporters as inclusions

To add Exporters instead of hosts or subnets as ML inclusions/sources, follow these steps:

  1. Switch to the By Exporter view, and click the + button to open the Add ML Exporter tray.

  2. Select the Exporter to add from the Network dropdown.

  3. Select between High, Medium, and Low sensitivity from the dropdown.

  4. If desired, use the Malware Detections toggle to enable threat detection using pre-trained algorithms for the Exporter.

  5. To immediately enable the Exporter as an ML inclusion, leave the Enabled toggle as is and click the Apply button.

The settings for an existing Exporter inclusion can be edited at any time by clicking on it in the main table view.

Deleting inclusions

Inclusions can be completely removed from the system in either view using the Delete option in the bulk actions tray.

Note

The button to open the bulk actions tray only becomes available after one or more inclusions are selected using their checkboxes.

Additional page options

  • Filtering options can be accessed by clicking the Filters button.

  • General page options, such as the number of entries shown and export actions, can be accessed by clicking the Options (gear) button.