I am interested in tuning Automated Threat Detection in v11.2 when using a packet source. My specific environment is large and includes 2 layers of forward proxies and a load balancing VIP which causes many issues involving duplicate traffic in the standard suspicious domains module workflow. Unfortunately using the proxy logs is not an option.
Is there any existing guide to fine tuning?
Specifically I am interested in exploring:
whitelisting source IP addresses to remove content duplication from VIPs and some proxy layers,
changing weightings on profiling items like "Has few source IP connections"
adding the proxy's specific user agent strings so it does not trigger "Connections with rare user agent" when it performs content fetching on behalf of the client.
Any assistance appreciated.