Behavior Analytics Automated Threat Detection is an analytics engine that examines your HTTP data. It also makes use of other components, such as a WhoIs service and the Context Hub, which can add complexity to your installation. This topic provides suggestions to help you find issues if your Behavior Analytics Automated Threat Detection deployment does not provide the results you expect.
When you troubleshoot Behavior Analytics Automated Threat Detection, it is important to factor in the deployment mode. In mixed mode (Behavior Analytics Automated Threat Detection enabled on the same host as ESA Rules or the Context Hub), the memory usage and I/O of those other applications affect the analytics engine and must be considered when troubleshooting. In a mixed mode installation, Behavior Analytics Automated Threat Detection is generally configured to use approximately fifty percent of the available memory, whereas ESA Rules memory usage is unbounded. Therefore, check ESA Rules as a first step when troubleshooting in mixed mode.
If you are using mixed mode, also consider whether ESA is configured for Memory Pool or Event Time Ordering: Memory Pool can affect performance, while Event Time Ordering can affect both performance and memory usage.
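The following is an added example, not code from the NetWitness documentation or product. It shows one way to turn the mixed mode guidance above into a repeatable check: sum the resident memory of each service on the host from `ps` output, compute each service's share of total memory, and flag the conditions the text describes (ESA Rules consuming more than the analytics engine, the analytics engine exceeding its roughly fifty percent allotment, or the two together leaving little headroom). The process names `analytics-engine` and `esa-rules`, the 32 GiB host size, the 90 percent pressure threshold, and the sample `ps` output are all constructed assumptions for illustration; substitute the real service names and host memory from your appliance.

```python
"""Memory-share check for a mixed mode ESA host.

Added example, not part of the NetWitness documentation. Process names,
host memory size, and the sample ps output below are constructed
assumptions; replace them with values from your own appliance.
"""
from collections import defaultdict

# Constructed sample of `ps -eo rss=,comm=` output (RSS in KiB). The process
# names are assumed placeholders, not the product's actual service names.
# The analytics engine appears twice to show that RSS is summed per name.
SAMPLE_PS_OUTPUT = """\
8388608 analytics-engine
4194304 analytics-engine
14680064 esa-rules
1048576 context-hub
204800 whois-service
51200 sshd
"""

# Assumed host size: 32 GiB expressed in KiB to match ps RSS units.
TOTAL_MEM_KIB = 32 * 1024 * 1024


def parse_ps_rss(text):
    """Sum RSS (KiB) per command name from `ps -eo rss=,comm=` style output."""
    usage = defaultdict(int)
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2 or not parts[0].isdigit():
            continue  # skip blank or malformed lines rather than failing
        rss_kib, comm = parts
        usage[comm.strip()] += int(rss_kib)
    return dict(usage)


def memory_shares(usage, total_kib):
    """Fraction of total host memory held by each command name."""
    return {name: rss / total_kib for name, rss in usage.items()}


def mixed_mode_findings(usage, total_kib, analytics="analytics-engine",
                        rules="esa-rules", analytics_cap=0.5,
                        pressure_threshold=0.9):
    """Apply the mixed mode heuristics from the text to a usage map.

    Returns a list of (code, message) tuples, most urgent first. The 50%
    analytics cap comes from the text; the 90% pressure threshold and the
    service names are illustrative assumptions.
    """
    shares = memory_shares(usage, total_kib)
    analytics_share = shares.get(analytics, 0.0)
    rules_share = shares.get(rules, 0.0)
    findings = []

    # Both engines together leave almost no headroom for other components.
    if analytics_share + rules_share > pressure_threshold:
        findings.append((
            "MEMORY_PRESSURE",
            f"{analytics} ({analytics_share:.0%}) and {rules} "
            f"({rules_share:.0%}) together exceed {pressure_threshold:.0%} "
            "of host memory; also check Context Hub and I/O load",
        ))

    # ESA Rules memory is unbounded, so it is the first suspect when it
    # outgrows the analytics engine.
    if rules_share > analytics_share:
        findings.append((
            "CHECK_ESA_RULES_FIRST",
            f"{rules} holds {rules_share:.0%} of memory, more than "
            f"{analytics} at {analytics_share:.0%}; review ESA Rules first",
        ))

    # The analytics engine should stay near its configured allotment.
    if analytics_share > analytics_cap:
        findings.append((
            "ANALYTICS_OVER_CAP",
            f"{analytics} holds {analytics_share:.0%}, above its expected "
            f"{analytics_cap:.0%} allotment",
        ))
    return findings


if __name__ == "__main__":
    usage = parse_ps_rss(SAMPLE_PS_OUTPUT)
    for code, message in mixed_mode_findings(usage, TOTAL_MEM_KIB):
        print(f"{code}: {message}")
```

On a live host, feed the function the output of `ps -eo rss=,comm=` instead of the constructed sample; if nothing is flagged for memory, the remaining variables from the text (I/O contention, and whether ESA is running with Memory Pool or Event Time Ordering) are the next things to examine.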