Excluding events from outlier detection

You can exclude events from outlier detection, for example, activity from test data.

Exclude events that match specific criteria

  1. In the Outliers table of the investigation dashboard, right-click an outlier and select Ignore. The Mark Outlier Filter dialog opens.
  2. Enter specific values or use wildcard entries (with the * character) to define the fields you want to ignore.
  3. Remove any unnecessary fields by clicking the appropriate remove icons.
  4. Click OK to commit the changes.
  5. To include previously ignored events, view the Analytic User Feedback report, double-click the previously ignored event, and select Invoke > delete_analytic_user_feedback.

For example, to ignore all activity from server 10.70.144.159, database ON1PARTR, and any database user beginning with GUARD, your dialog looks like:

Define Outlier Response dialog example

Exclude events by using the Group Builder

If you have many items for exclusion, use the Group Builder and populate any or all of the following groups as needed:
  • Analytic Exclude DB User
  • Analytic Exclude OS User
  • Analytic Exclude Server IP
  • Analytic Exclude Service Name
  • Analytic Exclude Source Program
The Group Builder has options for bulk uploading including the ability to populate from a query on a custom table.
Manage Members for Selected Groups dialog example
Alternatively, use GuardAPI commands to populate the Analytic Exclude groups. For example, to add OMNISERVER (with the % wildcard matching any suffix) to the Analytic Exclude Source Program group, enter:
grdapi create_member_to_group_by_desc desc="Analytic Exclude Source Program" member="OMNISERVER%"
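The following script is an added example and is not part of the IBM Guardium documentation or product. It generates the grdapi commands for a whole list of exclusions so that they can be reviewed before being pasted into, or piped over SSH to, the Guardium CLI; it assumes the `create_member_to_group_by_desc` call with `desc=` and `member=` parameters shown above, validates the group name against the five Analytic Exclude groups listed on this page, and passes the `%` wildcard through unchanged. The input file format (`group,member` per line) and all sample values are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the Guardium documentation): build grdapi commands
# that populate the Analytic Exclude groups from a "group,member" list.
# Nothing here talks to an appliance; the output is meant to be reviewed and
# then run in the Guardium CLI.

# Print the grdapi command for GROUP/MEMBER and return 0, or print nothing
# and return 1 if GROUP is not one of the Analytic Exclude groups or MEMBER
# would break the parameter quoting.
build_grdapi_cmd() {
    group=$1
    member=$2
    case "$group" in
        "Analytic Exclude DB User" | \
        "Analytic Exclude OS User" | \
        "Analytic Exclude Server IP" | \
        "Analytic Exclude Service Name" | \
        "Analytic Exclude Source Program") ;;
        *) echo "unknown Analytic Exclude group: $group" >&2; return 1 ;;
    esac
    case "$member" in
        *\"*) echo "member contains a double quote: $member" >&2; return 1 ;;
    esac
    # Straight double quotes: typographic quotes are not accepted by the CLI.
    printf 'grdapi create_member_to_group_by_desc desc="%s" member="%s"\n' \
        "$group" "$member"
}

# Read "group,member" lines from the file named in $1, skipping blank lines
# and '#' comments. Prints one grdapi command per accepted line and returns
# the number of rejected lines (0 means every line was accepted).
emit_from_csv() {
    rejected=0
    while IFS=, read -r group member; do
        case "$group" in ''|'#'*) continue ;; esac
        build_grdapi_cmd "$group" "$member" || rejected=$((rejected + 1))
    done < "$1"
    return "$rejected"
}

# Constructed sample list (hypothetical values) so the script runs stand-alone.
SAMPLE_LIST=$(mktemp)
cat > "$SAMPLE_LIST" <<'EOF'
# group,member
Analytic Exclude Source Program,OMNISERVER%
Analytic Exclude Server IP,10.70.144.159
Analytic Exclude DB User,GUARD%
Not A Real Group,should_be_rejected
EOF
emit_from_csv "$SAMPLE_LIST"
echo "rejected lines: $?" >&2
rm -f "$SAMPLE_LIST"
```

Run the script, check the printed commands, then feed them to the appliance's CLI; a non-zero exit status from emit_from_csv tells you how many lines named a group other than the five Analytic Exclude groups, so a typo in a group name cannot silently create a member in the wrong place.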