Troubleshoot Over-Triggering Analytics Rules
Fix analytics rules that are most likely to generate false positive results.
The analytics engine monitors its own rule training and evaluation processes and prevents you from enabling analytics rules that are likely to generate false positive results. Under the RULE INSIGHTS column, these analytics rules are marked as having Insights.
To troubleshoot an over-triggering analytics rule, tune the analytics rule with recommended exclusion expressions to limit the scope of events or event field values that trigger the analytics rule.
To find over-triggering rules, filter for analytics rule with Insights under the RULE INSIGHTS column.
For an over-triggering analytics rule, under the RULE INSIGHTS column, click Insights.
If there are no suggested exclusions available, you see a message suggesting that you review the analytics rule logic itself, since no single event field value accounts for the excess alerts.
If there are suggested exclusions available, view the particular event field causing the analytics rule to over-trigger and the suggested exclusion expression that fixes the issue:
Under the FIELDS column, view the event fields causing the analytics rule to over-trigger.
Under the SUGGESTED EXCLUSIONS column, view the suggested exclusion expression that limits the event field values that trigger the analytics rule.
To copy the suggested exclusion expression to your clipboard, click the copy icon.
Create an exclusion for the analytics rule and paste the suggested exclusion expression under Condition.
Enable the exclusion you created for the analytics rule.
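The procedure above is UI-driven, so it helps to see what the insight is doing underneath: over the rule's hits, one field value dominates, and an exclusion on that value removes the noise without touching the remaining hits. The following is an added illustration written for this page, not the analytics engine's code or its exclusion syntax; the event schema (`host`, `user`, `process`, `path`), the rule condition `temp_dir_launch`, the 50% dominance threshold and the sample events are all constructed assumptions.

```python
from collections import Counter
from typing import Callable, Dict, List

Event = Dict[str, str]
Condition = Callable[[Event], bool]

# Constructed sample telemetry (hypothetical schema). The rule flags processes
# launched from a temp directory; a backup agent (bkagent.exe) does exactly
# that on every host and buries the two genuine hits.
EVENTS: List[Event] = [
    {"host": "ws-01", "user": "alice", "process": "updater.exe", "path": r"C:\Temp\updater.exe"},
    {"host": "ws-02", "user": "bob", "process": "svc.exe", "path": r"C:\Temp\svc.exe"},
    {"host": "ws-03", "user": "carol", "process": "notepad.exe", "path": r"C:\Windows\notepad.exe"},
    {"host": "ws-04", "user": "dave", "process": "chrome.exe", "path": r"C:\Program Files\chrome.exe"},
] + [
    {"host": h, "user": "SYSTEM", "process": "bkagent.exe", "path": r"C:\Temp\bkagent.exe"}
    for h in ("ws-01", "ws-01", "ws-02", "ws-02", "ws-03", "ws-03")
]


def temp_dir_launch(ev: Event) -> bool:
    """Hypothetical analytics rule condition: process launched from C:\\Temp."""
    return ev["path"].lower().startswith("c:\\temp\\")


def evaluate(events: List[Event], condition: Condition,
             exclusions: List[Condition] = ()) -> List[Event]:
    """Return the events that satisfy the rule and match no enabled exclusion."""
    return [ev for ev in events
            if condition(ev) and not any(ex(ev) for ex in exclusions)]


def suggest_exclusions(hit_events: List[Event], fields, share: float = 0.5):
    """Per field, report the single value that accounts for more than `share`
    of the rule's hits: {field: (value, share_of_hits)}. An empty result means
    no one value dominates, i.e. there is nothing to exclude and the rule
    logic itself needs review (the 'review the analytics rule' case)."""
    suggestions = {}
    total = len(hit_events)
    if total == 0:
        return suggestions
    for field in fields:
        value, count = Counter(ev[field] for ev in hit_events).most_common(1)[0]
        if count / total > share:
            suggestions[field] = (value, count / total)
    return suggestions


def exclusion(field: str, value: str) -> Condition:
    """Build an exclusion that drops hits whose `field` equals `value`."""
    return lambda ev: ev.get(field) == value


if __name__ == "__main__":
    before = evaluate(EVENTS, temp_dir_launch)
    insight = suggest_exclusions(before, ("host", "user", "process"))
    print(f"{len(before)} hits; dominating field values: {insight}")
    # Pick the most specific suggested field and enable the exclusion.
    after = evaluate(EVENTS, temp_dir_launch, [exclusion("process", insight["process"][0])])
    print(f"{len(after)} hits after excluding process=bkagent.exe")
```

Note that `user` and `process` are both flagged because the same noisy agent drives them; excluding on `process` is the safer choice, since excluding `SYSTEM` would also silence any genuine SYSTEM-context launch from a temp directory. After the exclusion, no field value dominates the remaining hits, which is the state where the engine would offer no further suggestion.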