Rule Tuning
Rule tuning and threshold customization can be performed by Armor and is included as part of the Professional and Enterprise subscription levels of the Armor XDR product. It is additionally available on a professional services basis for customers at the Basic subscription level or professional services deployments.
In all scenarios, Armor will work with you to analyze the context in which the rules operate to ensure the best possible security outcomes. This includes tuning for false positives, false negatives, and correlation use cases.
Available Tuning Mechanisms
The following mechanisms are available to tune detection and correlation rules:
Threshold Tuning
Many threshold-based rules require tuning after the initial deployment and after any subsequent major change to the environment. Every environment and context is unique, and our threshold-based rules are intended to be customizable to meet those changing requirements.
Enrichment Tuning
Some rules may require additional enrichment. Enrichment data may periodically become stale or out of date (for example, the GeoIP/country association for a given IP network). In these cases Armor will supplement the enrichment data by overriding specific datasets with current information until the upstream data sources are updated.
Explicit Allow-Listing
In some cases it may be normal or acceptable for certain entities, applications, or users to take actions that would be considered abnormal or prohibited for other sets of entities. In these cases we’ll use the allow-listing functionality built into all of our rules.
Explicit Block-Listing
Similarly, it may be generally acceptable for most entities, applications, or users to take certain actions that are expressly prohibited for certain other sets of entities. In these cases we’ll use the same built-in functionality, which also supports an explicit block-list in the rule logic.
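As an added illustration (not Armor's code or rule format), the following Python sketch models the four mechanisms above: a threshold-based failed-login rule evaluated over constructed events, with an allow-list exemption, a block-list entry, and a GeoIP override standing in for stale enrichment data. All names, addresses and data structures are assumed for the example.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed GeoIP data: upstream says 198.51.100.0/24 is FR; the override
# dataset (assumed representation) corrects it to DE until upstream is fixed.
GEOIP = {"203.0.113.0/24": "US", "198.51.100.0/24": "FR"}
GEOIP_OVERRIDES = {"198.51.100.0/24": "DE"}

def country_for(ip: str) -> str:
    """Enrich an IP with its country, consulting the override dataset first."""
    addr = ip_address(ip)
    for table in (GEOIP_OVERRIDES, GEOIP):
        for net, country in table.items():
            if addr in ip_network(net):
                return country
    return "unknown"

@dataclass
class ThresholdRule:
    """Fire once when a (user, src_ip) pair exceeds `threshold` failed logins;
    allow_list exempts users, block_list alerts on their first event."""
    threshold: int
    allow_list: set = field(default_factory=set)
    block_list: set = field(default_factory=set)

    def evaluate(self, events: list) -> list:
        failures, alerts = {}, []
        for ev in events:
            enriched = {**ev, "country": country_for(ev["src_ip"])}
            if ev["user"] in self.block_list:        # explicit block-list
                alerts.append(("blocked_user", enriched))
                continue
            if ev["user"] in self.allow_list:        # explicit allow-list
                continue
            key = (ev["user"], ev["src_ip"])
            failures[key] = failures.get(key, 0) + 1
            if failures[key] == self.threshold + 1:  # threshold crossed once
                alerts.append(("threshold_exceeded", enriched))
        return alerts

# Constructed failed-login events (not real telemetry).
EVENTS = ([{"user": "svc-scanner", "src_ip": "203.0.113.10"}] * 6
          + [{"user": "alice", "src_ip": "198.51.100.7"}] * 6
          + [{"user": "ex-employee", "src_ip": "203.0.113.5"}])

def run_untuned():
    return ThresholdRule(threshold=5).evaluate(EVENTS)

def run_tuned():
    return ThresholdRule(threshold=5, allow_list={"svc-scanner"},
                         block_list={"ex-employee"}).evaluate(EVENTS)
```

Untuned, the rule alerts on the scanner account (a false positive) and misses the former employee; tuned, it stays quiet on the scanner, still catches alice, and alerts immediately on the block-listed user.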
AI/ML False Positive Tuning
We can also leverage the optional advanced analytics channel and use AI/ML models to monitor the incident feedback loop for false positives. This model makes intelligent recommendations for tuning parameters and changes to rule logic where applicable.