Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
LucianLS
Participant

Activation mode - Confidence vs Severity

Hello!

I am a bit confused about applying criterias of Severity and Confidence

Current settings are like this:

-Active Protections - Severity - Medium and above

-Activation mode:

   High Confidence-Prevent,

   Medium Confidence-Prevent

   Low Confidence-Detect

 

I noticed a security event at a customer with Confidence-Low and Severity-Critical . The action was Detect, despite the Severity being Critical (so included in Medium and above).

So even if Severity is above threshold, it still only activates if the Confidence level is met?

Is there a way to activate the Prevent action with Low Confidence setting when Severity level alone meets the set thresold? Or do you think that would still cause a lot of false positives.

 

0 Kudos
2 Replies
G_W_Albrecht
Legend Legend
Legend

See Threat Prevention R81.10 Administration Guide p.55: Confidence level sets the action of each protection, and it is used to reduce false-positives - so even if Severity is above threshold, it still only activates if the Confidence level is met.

I would suggest to set the Low Confidence setting to inactive. as Detect puts the same load on the GW as Prevent...

CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
Chris_Atkinson
Employee Employee
Employee

For additional context on confidence levels please also see sk116254.

CCSM R77/R80/ELITE
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events