How are Anomaly Baselines built for Prisma Cloud Anomaly Policy Detection and How can they be Modified?
Created On 04/17/23 03:44 AM - Last Modified 04/21/23 06:49 AM
Question
- How are Anomaly Baselines built for Prisma Cloud Anomaly Policy Detection and How can they be Modified?
Environment
- Prisma Cloud Enterprise Edition
Answer
- Prisma Cloud builds the data model from audit logs and network flow logs to set the baseline for what counts as normal activity in a network, on the basis of the training thresholds configured in Prisma Cloud Enterprise under Anomaly Settings
- Once the baseline is established, Prisma Cloud starts to categorise traffic against it and generates alerts accordingly
Frequently asked questions that elaborate on this:
Q1. Is the Baseline creation a continuous process? How does Prisma Cloud recreate a baseline record when a new user is identified?
- Yes, baseline creation is a continuous process
- Once a new user has been identified, Prisma Cloud tracks the number of events for that user and the number of days since the user's first event
- Once both the number of days and the number of events meet the selected model-building thresholds, Prisma Cloud builds a model for the user, and the user is ready for detection
Q2. If the user Data Model is already created, how to relearn it for the user?
- By changing the model-building threshold from one level to another
- However, this applies to all of the recorded data, not to a single user
Please note that user activity older than 120 days is purged from the DB. The DB retains only the most recent 120 days of data, which is what is available if you want to rebuild the model for an existing user. The new model captures the user's behaviour from the initial n days (n is defined by the model threshold) of the data stored in the DB
Example:
- Let's say a user (subject) has been active since Jan 1st, 2022
- A model will be built after Mar 30th, 2022 (assuming the HIGH setting for model building is configured: 90 days and 300 events), provided there were 300 events. Both conditions must be met: if 90 days have passed and the event count has not yet reached 300, Prisma Cloud waits until the user has reached 300 events. This model is then used for the detection of all future events as long as the model settings are not changed
- As mentioned earlier, the data retention period for audit_logs is 120 days
- For a tenant, the DB retains only the most recent 120 days of data and drops older data
- If we rebuild the model by changing the settings now (on 15th March, 2023), the data the original model was built from in March 2022 has already been purged
- Therefore, Prisma Cloud uses the initial 90 days of data from the latest 120 days in the table, which would contain data from Nov 15th, 2022 (approx) till Feb 15th, 2023 (approx), i.e. 90 days, for building the new model
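As an added illustration of the two-condition readiness check (days since first event AND event count, from Q1) and of how the 120-day retention limits what a rebuilt model can learn from (Q2), here is a small simulator written for this page. It is not Prisma Cloud's own implementation: the HIGH threshold (90 days, 300 events) and the 120-day retention come from the article, while the function names, the assumption that the day count starts at the user's first event, and the sample event dates are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Audit-log retention stated in the article: only the most recent 120 days are kept.
RETENTION_DAYS = 120


@dataclass(frozen=True)
class Threshold:
    """Model-building threshold: both conditions must be met before a model is built."""
    min_days: int
    min_events: int


# HIGH setting as stated in the article (90 days and 300 events).
# The LOW/MEDIUM event counts are not given on the page, so only HIGH is defined here.
HIGH = Threshold(min_days=90, min_events=300)


def model_ready_date(event_dates, threshold):
    """Return the first date on which BOTH conditions hold, or None if the user
    has not yet produced enough events (Prisma Cloud waits for more events).

    Assumption (constructed for this example): the day count starts at the first event.
    """
    events = sorted(event_dates)
    if not events:
        return None
    day_gate = events[0] + timedelta(days=threshold.min_days)
    if len(events) < threshold.min_events:
        return None  # day gate may have passed, but the event gate has not
    event_gate = events[threshold.min_events - 1]  # date the Nth event arrived
    return max(day_gate, event_gate)


def retained_events(event_dates, today):
    """Events still present in the DB: anything older than RETENTION_DAYS is purged."""
    cutoff = today - timedelta(days=RETENTION_DAYS)
    return sorted(d for d in event_dates if d >= cutoff)


def rebuild_model(event_dates, today, threshold):
    """Simulate a rebuild triggered by changing the threshold level on `today`.

    Only retained data exists, and the new model is learned from the initial
    `min_days` days of that retained window (as described in the article).
    Returns (window_start, window_end, events_used), or None if the retained
    window does not yet contain enough events to satisfy the threshold.
    """
    retained = retained_events(event_dates, today)
    if not retained:
        return None
    start = retained[0]
    end = start + timedelta(days=threshold.min_days)
    used = [d for d in retained if d < end]
    if len(used) < threshold.min_events:
        return None
    return start, end, len(used)


if __name__ == "__main__":
    # Constructed sample: a user active since Jan 1st, 2022 with four events per day.
    user = [date(2022, 1, 1) + timedelta(days=i // 4) for i in range(4 * 439)]
    print("model ready on:", model_ready_date(user[:360], HIGH))
    print("rebuild on 2023-03-15 uses:", rebuild_model(user, date(2023, 3, 15), HIGH))
```

With four events per day the 300th event arrives well before day 90, so the day gate decides and the model is ready on 2022-04-01; with one event per day the event gate decides instead. Rebuilding on 15th March, 2023 yields a window starting 2022-11-15 (the oldest retained day) and ending 90 days later, matching the approximate dates in the example above.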
Q3. Can one reconfigure or update the learning of the data model with new data by changing the training model, i.e. by changing from Medium to Low or from Low to Medium and saving (in case one wants to keep the model at Medium)?
- Yes, the data will have changed somewhat if the user has been active for more than 90 days
- The new data might differ from the data considered earlier for model building
- However, the data might not show significant changes if the user is new or has a recently built model
- In that case the new model will be similar to the earlier model (assuming the same model-building level: low / medium / high)
Q4. As the training model for Medium is 30 days, does one stop seeing alerts from the moment the change is made? Or does Prisma Cloud continue to generate alerts from the previous learning?
- It depends on the data available in the DB
- If the user's earlier activity already satisfies the conditions, a new model is built immediately, and the user is ready for anomaly detection
- If not, one needs to wait until the user generates enough further events to satisfy the conditions
Q5. Where can one see the status of this learning if it is currently in place?
- At this time, this feature is only available to our Customer Success Engineers (CSEs)
Q6. For alert suppression, is it possible to combine different trust list types? For example, to suppress alerts from several users only while they access a specific cloud service, is there a way to create a trust list that considers the cloud service type together with the subject?
- At this point, trusted lists are not supported in combination