Adjusting your anomaly sensitivity is vital for successful Threat Detection, as it will ultimately reduce false positives and focus your security response team's efforts on true threats.
Administrators may want to manually adjust anomaly detection thresholds to control the generation of new anomalies.
Only a user with the incident manager role and with the Anomalies resource assigned can see and adjust Anomaly Thresholds or create exceptions.
IMPORTANT: Threshold adjustments may take up to two minutes to take effect in the UI and in the anomaly generation process. Threshold tuning is not applied retroactively. It only impacts anomalies in the future.
To Adjust Anomaly Thresholds:
- Go to Incidents > Anomalies > Anomalies.
- Search in the Omnibar for the following supported adjustment categories:
- Anomaly Category
- Service Name
- Under Actions, click Adjust Anomaly Thresholds.
- Use the slider to adjust the thresholds for your search term.
- Drag the slider to the right to set the higher threshold and generate fewer anomalies.
- Drag the slider to the left to set the lower threshold and generate more anomalies.
- Click Save. Otherwise, either readjust the slider to a new threshold or click Cancel to discard changes.
A message displays at the bottom of the page informing that your adjustment was made.
IMPORTANT: On the Anomalies page, the slider returns to the middle position, though your change has been made. The slider bar will always be at the middle position, but the underlying threshold value will reflect your most recent change.