03-19-2019 04:01 AM
I am not sure about the meaning of "significant profile changes" in the condition for Anomalous Endpoint Detection.
If there is a profile change from a profile to its parent profile, will it be a case of Anomalous Behavior?
On the other hand, if the profile is moving from a profile to its child profile, will it be a case of Anomalous Behavior?
08-14-2019 04:17 AM
Hey @Hoi Lam So
Did you get any answers to your question (outside of this community forum)? It's a great question and I was wondering the same thing.
08-14-2019 07:47 PM
No, nothing from searching the outside Internet; there are few people who study/discuss this feature. I only did some tests in my lab.
I have tried different combinations, but I can't remember all the results since it was a long time ago. For your question, the short answer is yes: the anomaly is still triggered even within the same parent. When I studied the log, I believe the actual trigger point is the DHCP Class ID change instead of the profiled group change.
In my personal opinion, this feature should be highlighted as a detection tool instead of a policy tool. If anomalous is used in policy sets, the false-positive cases will just make you crazy.