Administration Guides

How to Enable Learning Mode and Monitor Learning Mode Results

How to Teach Ransomware Defender about false positives - Learning Mode

  1. Requires: Release 2.5.7 or later
  2. NOTE: When learning mode is enabled and learning is active, many snapshots can be created. Monitor the snapshot usage on your cluster. Snapshots are created with a 48 hour expiry by default and will be cleaned up within 2 days.
  3. Learning Modes
    1. Full Learning Mode - This mode applies to all security events detected; no lockouts will occur, and all security events will be used for learning.
    2. Monitor mode list Learning Mode - This mode allows both enforcement and learning, driven by the monitor mode list entries. In this mode all security events that do not match a monitor mode list entry will be enforced, and lockouts can occur based on thresholds. For events that match an entry on the monitor mode list, learning will be applied.
      1. Use Case: Service accounts or new application workloads can be added to the monitor mode list by path, user or server IP address, allowing learning mode to automatically configure the settings for that workload.
  4. Full Learning Mode  
    1. Enable Monitor mode (Settings tab --> Thresholds) to allow user behaviors to be detected without lockout actions being taken.
    2. With monitor mode enabled, enable Learning mode from the Thresholds screen: Settings --> Threshold --> check "Automatically learn from events in monitor state". Click Submit to save.
  5. Monitor mode list Learning Mode  
    1. With monitor mode enabled, enable Learning mode from the Thresholds screen: Settings --> Threshold --> check "Automatically learn from events in monitor state". Click Submit to save. Example screenshot below.
  6. Leave this enabled for 2-3 business days and monitor the customized user behavior settings on the Learned Thresholds tab.
    1. This is where Learning mode places the customized settings. It also sets file extension detections on the File Filter tab to a disabled state, so those file extensions will not be detected as ransomware.
  7. The process to disable Learning Mode and then enter Enforcement Mode.
    1. Review the user settings on the Learned Thresholds tab to approve the list of users or NFS hosts, or delete entries as needed. Consult with support or accept the learned behaviors.
    2. Review the File Filter list for extensions in disabled status; these extensions have been placed on the Allowed list and will not trigger a detection.
      1. Use the filter option to locate all the disabled file extensions by entering Disabled in the filter box.
      2. Review all the extensions that were detected and disabled. If they are acceptable, no action is needed.
      3. To restore enforcement and detection for a file extension, change its setting to enabled. Alternatively, choose monitor mode for the extension to allow detection and snapshots but no lockout for that file extension.
        1. Each file extension has 3 possible modes: enabled (full enforcement), disabled (ignored), and monitor mode (detect, alert, snapshot and no lockout).
    3. Once the file settings are confirmed, disable Learning mode from the Settings --> Threshold tab and click Submit to save. This only disables learning mode; the system remains in Monitor mode.
    4. To enter enforcement mode, disable monitor mode from the Settings --> Threshold tab and click Submit.
© Superna LLC