To detect suspicious activity efficiently, you must rule out activity
that is not significant early in the detection process. This approach
filters out unimportant events so that you can focus on attacks that are
significant. Rule out suspicious activity that is caused by either of the
following:
- Unauthorized activity that, according to your security policy,
does not require an in-depth investigation or response
- Authorized or normal activity that appears suspicious, but is
harmless
Quick reference for tasks
- If you know when authorized scans are scheduled to run, and the SecurityFusion™ Module
is not enabled, then create an exception that filters the scan activity
from the Console before the scan runs. See Create exceptions to filter scan activity.
- If you do not know when authorized scans are scheduled to run, but you
suspect that a third-party scan is running, then identify the authorized
scan by analyzing the event details. Create an exception that filters the
activity from your Console.
- If you suspect that activity is caused by a misconfigured system,
see Identify activity caused by incorrectly configured systems.
- If you suspect that activity is caused by authorized activity
that is commonly identified as suspicious, see Normal activity commonly identified as suspicious.