Automated Threat Detection is an analytics engine that examines your HTTP data. It also makes use of other components, such as a WhoIs service and the Context Hub, which can add complexity to your installation. This topic provides suggestions to help you find issues if your Automated Threat Detection deployment does not provide the results you expect.
When you troubleshoot Automated Threat Detection, it is important to factor in the mode used. If mixed mode is used (Automated Threat Detection enabled on the same machine as ESA Rules or Context Hub), you need to consider the memory usage and I/O of these applications when troubleshooting. Generally, when a mixed mode installation is configured, Automated Threat Detection is limited to approximately fifty percent of the available memory, whereas ESA Rules memory usage is unbounded. Therefore, you may want to check your ESA Rules as a first step when troubleshooting in mixed mode.
If you are using mixed mode, you should also consider whether the ESA is configured for Memory Pool or Event Time Ordering. Memory Pool can impact performance, while Event Time Ordering can impact both performance and memory usage.
| Problem | Possible causes | Solutions |
| --- | --- | --- |
| I'm seeing too many alerts (false positives). | Several | One possible cause is that the Whois lookup is failing or is not configured. The Whois lookup helps determine whether a URL is valid; if the connection fails or is not properly configured, it can result in false positives. The Whois Lookup service exposes a number of counters that you can view to check its status.<br><br>You may need to whitelist URLs. Sometimes the legitimate behavior of a URL triggers an alert. One way to prevent this is to add the URL to the whitelist. For instructions, see "Reduce False Positives" in Work with Automated Threat Detection Results. |
| I'm not seeing any alerts. | The ESA requires a "warm-up" period when you enable Automated Threat Detection. | When you enable Automated Threat Detection, there is a "warm-up" period during which no alerts are viewable. The default period is 24 hours. After this 24-hour learning period, alerts can be viewed. If the ESA restarts, the learning period starts over, and you need to wait the specified warm-up time again before alerts are visible. |
| I'm seeing performance issues (more resource usage or a drop in throughput). | Several | If you are having performance issues on an ESA that is also running ESA rules, follow the troubleshooting steps for rules first. ESA rules are unbounded, whereas Automated Threat Detection is configured to use a specified amount of resources (usually approximately 50%). For these troubleshooting steps, go to Troubleshoot ESA. |