Enabling and disabling outliers detection locally on a Collector

Run outliers detection on a single collector to evaluate only that collector's data.

Before you begin

  • It is strongly recommended that you enable outliers only on 64-bit collectors with a minimum of 24 gigabytes of memory.

About this task

Restriction: Outliers detection and Data Level Security cannot be enabled concurrently.

Outliers detection is disabled by default. Follow the steps described below to enable or disable outliers detection locally on a collector. When outliers detection is enabled locally on a collector, its data is not combined with the data on its aggregator.

To identify a collector that is running outliers mining locally, access the outlier mining status window, and look at the row of the individual collector (not under the aggregator). The column Outlier Mining Enabled/Disabled shows green.

To switch outliers detection from local to the aggregator, disable outliers detection locally, disable outliers collection on the aggregator, and refresh the list of collectors by re-enabling outliers detection on the aggregator.

Procedure

  1. Log in to the collector as a user or administrator with the CLI role.
  2. To enable the outliers detection function, enter:
    grdapi enable_outliers_detection schedule_interval=1 schedule_units=HOUR DAM_FAM=DAM
    where:
    • DAM_FAM is an optional parameter specifying the type of outliers. The default is DAM.

  3. To disable the outliers detection function, enter:
    grdapi disable_outliers_detection
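The following preflight script is an added example and is not IBM's code or part of the Guardium CLI. It checks the 64-bit and 24 GB prerequisite from "Before you begin" and then prints the enable command from step 2 with the chosen DAM_FAM value. It assumes a Linux host with /proc/meminfo and uname (the Guardium CLI is a restricted shell, so the check runs wherever you stage the change), treats the 24 GB figure as 24 GiB, and assumes FAM is the other accepted DAM_FAM value besides the documented default DAM; the list of 64-bit architecture names and the MemTotal sample in the test are constructed.

```shell
#!/bin/sh
# Added preflight example, not IBM Guardium code. Assumes Linux /proc/meminfo
# and uname -m; 24 GB from the docs is treated as 24 GiB here (assumption).

MIN_GIB=24

# mem_gib_from_meminfo: read "MemTotal: <kB> kB" from meminfo text on stdin
# and print the whole number of GiB (integer division).
mem_gib_from_meminfo() {
    awk '/^MemTotal:/ { printf "%d\n", $2 / 1048576; exit }'
}

# is_64bit ARCH: succeed when ARCH is one of the (constructed) 64-bit names.
is_64bit() {
    case "$1" in
        x86_64|amd64|aarch64|ppc64le|s390x) return 0 ;;
        *) return 1 ;;
    esac
}

# check_outliers_prereqs ARCH GIB: succeed only when both prerequisites hold.
check_outliers_prereqs() {
    is_64bit "$1" || { echo "arch $1 is not 64-bit" >&2; return 1; }
    [ "$2" -ge "$MIN_GIB" ] || { echo "only $2 GiB RAM, need $MIN_GIB" >&2; return 1; }
    return 0
}

# build_enable_cmd [TYPE]: print the grdapi command from the procedure.
# TYPE defaults to DAM; FAM is assumed to be the other accepted value.
build_enable_cmd() {
    t=${1:-DAM}
    case "$t" in
        DAM|FAM) ;;
        *) echo "DAM_FAM must be DAM or FAM, got $t" >&2; return 1 ;;
    esac
    printf 'grdapi enable_outliers_detection schedule_interval=1 schedule_units=HOUR DAM_FAM=%s\n' "$t"
}

main() {
    arch=$(uname -m)
    gib=$(mem_gib_from_meminfo < /proc/meminfo)
    if check_outliers_prereqs "$arch" "$gib"; then
        echo "Prerequisites met; run this on the collector CLI:"
        build_enable_cmd "${1:-DAM}"
    else
        echo "Do not enable outliers detection on this host." >&2
        exit 1
    fi
}

# Only run main when invoked as a script named outliers_preflight.sh,
# so the functions can be sourced without side effects.
case "${0##*/}" in
    outliers_preflight.sh) main "$@" ;;
esac
```

Save it as outliers_preflight.sh and run `sh outliers_preflight.sh FAM` to check the host and get the FAM variant of the command; without an argument it prints the DAM form shown in step 2.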

Results

The system starts collecting outlier data. Once the learning has completed (7 days), outliers data is available in the Investigation Dashboard (see Interpreting data outliers in the investigation dashboard and Interpreting file activity outliers), and the Outlier Analytic List Report.