How can we fine-tune the file activity of the threat indicators on individual servers?
We have some servers in our environment that trigger on specific occasions, as false positives.
One instance is SCCM servers, which trigger when updates are modified and prepared.
Another is a large file server that has some batch job running at intervals modifying a large number of files.
I could turn them off, but would like to check if I'm able to fine-tune this to get fewer false positives.
I see there are additional settings to exclude paths, enable I/O detection patterns, and set the training dataset size.
For the last two I cannot find any clear documentation on what they do. Maybe someone has some more information?
