AI Auto Exclusion & Enrichment for Sysmon
Last updated
AI Analysis Auto Exclusion Settings
The portal provides a wide range of configuration options for AI auto-enrichment and auto-exclusion. The "AI Analysis Auto Exclusion Settings" take effect only after they are saved: set the parameters below, then save them.
Classify, Enrich & Auto-whitelist for Windows processes
Enables or disables auto-classification, auto-enrichment and auto-whitelisting for Windows processes.
Classify, Enrich & Auto-exclude on Sysmon for Windows processes
Enables or disables auto-classification, auto-enrichment and auto-whitelisting (auto-exclusion) for Windows processes observed through Sysmon.
Minimum Count Threshold for Auto AI Analysis Exclusions
The minimum number of occurrences an artifact must reach before it is auto-analyzed for exclusion.
Minimum Elastic Count Threshold for Auto AI Analysis Exclusions (optional, 0=disabled)
The minimum count in Elastic an artifact must reach before it is auto-excluded; 0 disables this threshold.
Auto AI Analysis Exclusions Run Interval
How often the auto-exclusion task runs.
Auto AI Analysis Exclusions Last Execution
The date and time the auto-exclusion task last ran.
On every run of the global interval that also matches an enabled question's interval, the task automatically adds every entry recommended for exclusion above the minimum threshold to the relevant exclusion lists. To decide its recommendations, a question checks Threat Intelligence enrichments and AI classifications; any value matching an entry in 'Excluded Values from Auto Exclusions' is left out of the exclusions.
The "AI Questions for Auto Exclusions" section controls the auto-exclusion actions. Users can edit each question and enable or disable its automation. We recommend enabling the question "Can you identify the Windows parent processes creating excessive traffic in the last day and show them to me to add to the Lists?". With it enabled, the portal excludes parent processes that created excessive traffic in the last day; this question is designed specifically for automating Sysmon exclusions.
Questions with the same text combine different artifact types into a single analysis. If you edit the configuration or interval of one of them, make the same edit to the others, and update the question text so it reflects the configuration (for example the time range). If these shared questions are not given identical configurations, their execution breaks, and which one takes priority is not determined!
Once you edit a question, it no longer receives the updates shipped for it in newer versions, if any exist. You can then use the 'Remove & Reset' function to remove the question; it reappears after a while in its updated state. This, of course, discards your changes to it.
If exclusions are not well optimized, the portal eventually slows down because of the junk data it collects. That is why we always recommend optimizing Sysmon exclusions.
Users can define values that are protected from auto-exclusion: a value matching any of these entries is never excluded by an AI question execution. Values are compared case-insensitively. Use * as a wildcard for any sequence of characters and ? to match a single character.
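As an added illustration, not code from the portal itself, the following Python applies the matching rules stated above (only * and ? are special, comparison is case-insensitive, the pattern must cover the whole value) to a constructed list of recommended values and shows which ones an 'Excluded Values from Auto Exclusions' entry would hold back. The sample entries and recommendations are invented for the example.

```python
import re

def wildcard_to_regex(pattern):
    # Only '*' (any run of characters) and '?' (exactly one character) are special;
    # every other character, including backslashes and dots in Windows paths,
    # is matched literally. The match is case-insensitive and covers the whole value.
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.IGNORECASE)

def protected_from_auto_exclusion(value, excluded_values):
    # True when the value matches a configured entry and must therefore be kept
    # out of the exclusion lists the auto-exclusion task would otherwise add it to.
    return any(wildcard_to_regex(p).fullmatch(value) is not None for p in excluded_values)

def filter_recommendations(recommended, excluded_values):
    # Split AI-recommended values into those the task may auto-exclude and
    # those held back because they match an 'Excluded Values' entry.
    allowed, held = [], []
    for value in recommended:
        (held if protected_from_auto_exclusion(value, excluded_values) else allowed).append(value)
    return allowed, held

# Constructed sample configuration (illustrative entries, not product defaults).
EXCLUDED_VALUES = [
    r"C:\Windows\System32\svchost.exe",   # exact path, any letter case
    r"*\powershell.exe",                   # any path ending in powershell.exe
    r"C:\Program Files\7-Zip\7z?.exe",     # 7zG.exe matches, 7zFM.exe does not ('?' is one character)
]

# Constructed sample of values an AI question might recommend for exclusion.
SAMPLE_RECOMMENDATIONS = [
    r"c:\windows\system32\SVCHOST.EXE",
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    r"C:\Program Files\7-Zip\7zG.exe",
    r"C:\Program Files\7-Zip\7zFM.exe",
    r"C:\Windows\System32\svchost.exe.bak",  # not protected: a pattern must match the whole value
    r"C:\Windows\explorer.exe",
]

if __name__ == "__main__":
    allowed, held = filter_recommendations(SAMPLE_RECOMMENDATIONS, EXCLUDED_VALUES)
    print("may be auto-excluded:", allowed)
    print("held back           :", held)
```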