Excluding events from outlier detection
You can exclude events from outlier detection, for example, activity from test data.
Exclude events that match specific criteria
- In the Outliers table of the investigation dashboard, right-click an outlier and select Ignore. The Mark Outlier Filter dialog opens.
- Enter specific values or use wildcard entries (with the * character) to define the fields you want to ignore.
- Remove any unnecessary fields by clicking the appropriate icons.
- Click OK to commit the changes.
- To include previously ignored events, view the Analytic User Feedback report, double-click the previously ignored event, and select .
For example, to ignore all activity from server 10.70.144.159, database ON1PARTR, and any database user beginning with GUARD, your dialog looks like:
Exclude events by using the Group Builder
If you have many items to exclude, use the Group Builder and populate any or all of the following groups as needed:
- Analytic Exclude DB User
- Analytic Exclude OS User
- Analytic Exclude Server IP
- Analytic Exclude Service Name
- Analytic Exclude Source Program
Alternatively, use GuardAPI commands to populate the Analytic Exclude groups. For example, to add OMNISERVER to the Analytic Exclude Source Program group, enter:
grdapi create_member_to_group_by_desc desc="Analytic Exclude Source Program" member="OMNISERVER%"
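As an added example (not from the Guardium documentation), the following POSIX shell script bulk-populates the five Analytic Exclude groups from a constructed group|member list, skipping any line whose group is not one of those five. It assumes that grdapi is on the PATH of the account running it (for example over SSH as the CLI user) and that the groups already exist with the descriptions shown; with RUN=1 it executes the commands, otherwise it only prints them.

```shell
#!/bin/sh
# Added example, not Guardium's own code. Assumes grdapi is on PATH and the
# five Analytic Exclude groups already exist under these descriptions.

ALLOWED_GROUPS="Analytic Exclude DB User
Analytic Exclude OS User
Analytic Exclude Server IP
Analytic Exclude Service Name
Analytic Exclude Source Program"

# Returns 0 if $1 is exactly one of the five Analytic Exclude group descriptions.
is_exclude_group() {
  printf '%s\n' "$ALLOWED_GROUPS" | grep -Fxq -- "$1"
}

# Prints the grdapi command that adds member $2 to the group described by $1.
# A trailing % in the member is a wildcard, as in OMNISERVER% above.
build_cmd() {
  printf 'grdapi create_member_to_group_by_desc desc="%s" member="%s"\n' "$1" "$2"
}

# Constructed sample exclusion list: group description, '|', member value.
# The last line uses a group that does not exist and is skipped with a warning.
EXCLUSIONS='Analytic Exclude Source Program|OMNISERVER%
Analytic Exclude Server IP|10.70.144.159
Analytic Exclude DB User|GUARD%
Analytic Exclude Service Name|ON1PARTR
Analytic Exclude Typo|IGNORED'

# Validates every line; prints each resulting command, or runs it when RUN=1.
apply_exclusions() {
  printf '%s\n' "$EXCLUSIONS" | while IFS='|' read -r group member; do
    [ -n "$group" ] || continue
    if ! is_exclude_group "$group"; then
      echo "skipping unknown group: $group" >&2
      continue
    fi
    cmd=$(build_cmd "$group" "$member")
    if [ "${RUN:-0}" = 1 ]; then
      eval "$cmd" || echo "failed: $cmd" >&2
    else
      echo "$cmd"
    fi
  done
}
```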