Administration Guides

How To Manage False Positives and Learning Mode

How to Teach Ransomware Defender about false positives - Learning Mode

  1. Requires: Release 2.5.7 or later
  2. NOTE: When learning mode is enabled and learning is active, many snapshots can be created. Monitor the snapshot usage on your cluster. Snapshots are created with a 48 hour expiry by default and are cleaned up within 2 days.
  3. Learning Modes
    1. Full Learning Mode - This mode applies to all detected security events: no lockouts occur and every security event is used for learning.
    2. Monitor mode list Learning Mode - This mode combines enforcement with learning for monitor mode list entries. Security events that do NOT match a monitor mode list entry are enforced, and lockouts can occur when thresholds are exceeded. Events that do match a monitor mode list entry are learned from instead.
      1. Use Case: Service accounts or new application workloads can be added to the monitor mode list by path, user or server IP address so that learning mode automatically configures settings for that workload.
  4. Full Learning Mode  
    1. Enable Monitor mode (Settings tab --> Thresholds) so that user behaviors are detected without any lockout action being taken.
    2. With Monitor mode enabled, enable Learning mode from the same screen: Settings --> Threshold --> check "Automatically learn from events in monitor state". Click Submit to save.
  5. Monitor mode list Learning Mode  
    1. Enable Learning mode from the Thresholds screen: Settings --> Threshold --> check "Automatically learn from events in monitor state". Click Submit to save. Do not enable the global Monitor mode toggle in this mode; only events that match a monitor mode list entry are in the monitor state, so only those are learned from while all other events remain enforced.
  6. Leave this enabled for 2-3 business days and monitor the customized user behavior settings on the Learned Thresholds tab.
    1. This is where Learning mode places customized settings. It also sets detected file extensions on the File Filter tab to the disabled state, so those extensions will no longer be detected as ransomware.
  7. The process to disable Learning Mode and then enter Enforcement Mode.
    1. Review the user settings on the Learned Thresholds tab: approve the list of users or NFS hosts, or delete entries as needed. Consult with support or accept the learned behaviors.
    2. Review the File Filter list for extensions in the disabled state; these extensions have been placed on the Allowed list and will not trigger a detection.
      1. Use the filter option to locate all disabled file extensions by entering "Disabled" in the filter box.
      2. Review all extensions that were detected and disabled. If they are acceptable, no action is needed.
      3. To re-enable enforcement and detection for an extension, change its setting to enabled. Alternatively, choose monitor mode for the extension to allow detection and snapshots but no lockout for that extension.
        1. Each file extension has 3 possible modes: enabled (full enforcement), disabled (ignored), monitor mode (detect, alert, snapshot, no lockout).
    3. Once the file settings are confirmed, disable Learning mode from the Settings --> Threshold tab and click Submit to save. This only disables learning mode; the cluster remains in Monitor mode.
    4. To enter enforcement mode, disable Monitor mode from the Settings --> Threshold tab and click Submit.


How to manually flag a security Event as False Positive

  1. Open the Actions menu on the security event, select the false-positive action and submit.
  2. This updates the settings for this user. The change is real-time and takes effect immediately.
  3. To view any custom user settings, including those created by flagging an event as a false positive, click the Learned Thresholds tab under the Settings menu.


How to View or Delete a Flag as False Positive User setting


If you flagged an event as a false positive by mistake, or want to undo a user override setting, follow these steps.

  1. Open the Ransomware Defender Icon
  2. Click on Settings --> Learned Thresholds tab
  3. Find the user setting in the list and click the red X to delete this setting.
  4. NOTE: This change takes effect immediately; the ECA is updated with the new settings for new events as they are processed.


How to manually configure per-user Threat level settings with IGLS CLI

IGLS CLI commands exist to add and delete per user threat level override settings without waiting for a security event to teach.

Enter commands to create unique settings per user. This avoids the need to whitelist users entirely and allows the thresholds to be customized per user. These settings are downloaded to the ECA cluster and applied in real time to events as they flow through the cluster.

See Admin guide for complete documentation on the CLI commands


Global and Group-Specific Threshold Settings for False Positives

Ransomware Defender now supports the application of learned threshold settings globally or to specified user groups, in addition to individual user settings.

Enabling Global Threshold Configuration

To activate the global threshold feature, administrators must use the Eyeglass CLI command:

igls rsw genericthresholds set --enabled=true

This command enables the feature, making it accessible within the user interface for further configuration.

Applying Thresholds

After flagging an event as a false positive, the interface offers three options for applying the new threshold settings: to the individual user, to a user group, or globally across all users.


Selecting the global threshold option will present a warning to ensure the administrator is aware of the widespread impact of this action. This precaution helps prevent unintentional global changes.


After saving the selected option, the new threshold settings will be visible under the "Learned Thresholds" tab.
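To make the interaction of these settings concrete, the following is an added example, not Superna's code, that models in Python how the outcome of a security event follows from the settings described in the Learning Mode section above and in this Global and Group-Specific Threshold section: the global Monitor mode toggle, the monitor mode list (by user, path or server IP), the three per-extension File Filter modes, and learned thresholds at user, group or global scope. The Event and Config fields, the default threshold value, and the user-over-group-over-global precedence of learned thresholds are assumptions made for the model; the product's internal logic is not documented on this page.

```python
# Illustrative model of how the Ransomware Defender settings described in this
# guide combine to decide the outcome of a security event. Added example, not
# Superna's code. Field names, the default threshold and the precedence of
# user/group/global learned thresholds are assumptions.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

# The three per-extension modes from the File Filter tab.
EXT_ENABLED, EXT_DISABLED, EXT_MONITOR = "enabled", "disabled", "monitor"


@dataclass
class Event:
    user: str
    server_ip: str
    path: str
    extension: str
    groups: tuple = ()
    count: int = 1  # suspicious operations seen in the threshold window (assumed)


@dataclass
class Config:
    monitor_mode: bool = False   # Settings --> Thresholds: global Monitor mode
    learning_mode: bool = False  # "Automatically learn from events in monitor state"
    # Monitor mode list entries, by user, path prefix or server IP network.
    monitor_list_users: set = field(default_factory=set)
    monitor_list_paths: tuple = ()
    monitor_list_networks: tuple = ()
    file_filter: dict = field(default_factory=dict)  # extension -> EXT_* mode
    default_threshold: int = 5  # assumed built-in threshold
    global_threshold: Optional[int] = None
    group_thresholds: dict = field(default_factory=dict)
    user_thresholds: dict = field(default_factory=dict)


def on_monitor_list(cfg: Config, ev: Event) -> bool:
    """True when the event matches any monitor mode list entry."""
    if ev.user in cfg.monitor_list_users:
        return True
    if any(ev.path.startswith(p) for p in cfg.monitor_list_paths):
        return True
    addr = ip_address(ev.server_ip)
    return any(addr in ip_network(n) for n in cfg.monitor_list_networks)


def resolve_threshold(cfg: Config, ev: Event) -> int:
    """Pick the learned threshold that applies to this event.

    Most specific scope wins: user, then group, then global, then the
    default. The guide lists the three scopes; their ordering is assumed.
    """
    if ev.user in cfg.user_thresholds:
        return cfg.user_thresholds[ev.user]
    for g in ev.groups:
        if g in cfg.group_thresholds:
            return cfg.group_thresholds[g]
    if cfg.global_threshold is not None:
        return cfg.global_threshold
    return cfg.default_threshold


def decide(cfg: Config, ev: Event) -> set:
    """Return the set of actions the event produces under this configuration."""
    actions = set()
    ext_mode = cfg.file_filter.get(ev.extension, EXT_ENABLED)
    if ext_mode == EXT_DISABLED:
        return actions  # extension on the Allowed list: ignored entirely
    actions |= {"detect", "alert", "snapshot"}
    # An event is in the monitor state when global Monitor mode is on (Full
    # Learning Mode) or when it matches a monitor mode list entry. Learning
    # only applies to events in that state.
    in_monitor_state = cfg.monitor_mode or on_monitor_list(cfg, ev)
    if in_monitor_state and cfg.learning_mode:
        actions.add("learn")
    # Monitor state and per-extension monitor mode both mean: detect, alert,
    # snapshot, but never lock out.
    if in_monitor_state or ext_mode == EXT_MONITOR:
        return actions
    if ev.count >= resolve_threshold(cfg, ev):
        actions.add("lockout")
    return actions


if __name__ == "__main__":
    # Constructed sample: monitor-list learning with a learned group threshold.
    cfg = Config(learning_mode=True, monitor_list_users={"svc_backup"},
                 group_thresholds={"finance": 20}, global_threshold=10)
    print(decide(cfg, Event("svc_backup", "10.1.2.3", "/ifs/backup/a.docx", "docx", count=100)))
    print(decide(cfg, Event("bob", "10.1.2.3", "/ifs/home/bob/a.docx", "docx", ("finance",), 20)))
```

Running the model against a proposed configuration before leaving Learning Mode is a quick way to confirm which accounts would still be able to trigger a lockout once Monitor mode is switched off.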


© Superna Inc