ML Configuration
Go to the Virtual Security Analyst > ML Configuration page to view and edit the machine learning baseline features for the traffic anomaly detection, as well as the status of the baseline training. You can also use the page to create IP range groups. ML Configuration is not available in Sensor mode.
The ML Configuration page has two tabs:
- Source IP: Use this tab to categorize IP ranges. Each group of IP ranges can be individually trained based on the ML configuration. This allows for varying levels of severity to be applied to distinct IP ranges for custom anomaly detection.
- Default (Standalone mode): Use this tab to view and adjust the machine learning baseline features for traffic anomaly detection and to monitor the status of baseline training.
- Sensor Group ID (Center mode): Use this tab to set up IP ranges, each with its desired Severity and the features to be incorporated in the baseline. There is an additional option to specify the Sensor Group that this Source IP corresponds to. After changes are applied to a Source IP range in this tab, the associated Sensor Group automatically initiates baseline retraining.
The ML Configuration page displays the following information:
Source IP | The source IP address of the IP range.
Severity | The severity level assigned to the IP (Low, Medium, High or Critical).
Number of Features | The number of features enabled in the Default tab.
Last Modified Time | The date and time the ML configuration was modified.
Start Training Time | The date and time baseline training started.
End Training Time | The date and time baseline training was completed.
To customize the ML Configuration page:
- In the table header, click the gear icon and select Best Fit Columns or Reset Table, or show or hide columns.
- In a column header, click the ellipsis and select Resize to Contents or Group By This Column.
Source IP tab
When creating an IP range group, careful attention needs to be paid to the groupings and the number of features in the Source IP tab. Proper organization ensures that each IP range group functions correctly for effective anomaly detection.
Example:
The organization and categorization of IP ranges can have a significant effect on how the ML baseline functions. In the image below, the second Source IP group consists of the IP range 172.19.122.0 with a Class C netmask applied, which covers all IPs in 172.19.122.0/24.
However, the broad mask of the second group interferes with the third Source IP group, which is set up exclusively for the IP 172.19.122.220, because the broader second group supersedes the more specific settings of the third group.
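The overlap described above can be caught before the groups are applied. The following Python script is an added example, not FortiNDR code or part of the original page; the group names, the tuple layout and the sample ranges are constructed assumptions, while the three netmask options are the ones offered in the pane.

```python
# Added example (not FortiNDR code): flag Source IP groups whose range is
# contained in a broader group, so the broader group's settings supersede them.
import ipaddress

# Netmask options as named in the ML Configuration for Source IP pane.
MASK_PREFIX = {
    "Do Not Apply Netmask": 32,   # single host
    "Apply Class C Netmask": 24,
    "Apply Class B Netmask": 16,
}


def group_network(source_ip, mask_option):
    """Return the IPv4 network a Source IP group actually covers."""
    prefix = MASK_PREFIX[mask_option]
    return ipaddress.ip_network(f"{source_ip}/{prefix}", strict=False)


def find_shadowed_groups(groups):
    """groups: list of (name, source_ip, mask_option, severity) tuples (assumed layout).

    Returns (specific_name, broader_name) pairs where the broader group's range
    contains the more specific group's range, i.e. the specific group's severity
    and feature settings would be superseded.
    """
    nets = [(name, group_network(ip, mask)) for name, ip, mask, _sev in groups]
    shadowed = []
    for name, net in nets:
        for other_name, other_net in nets:
            if other_name == name:
                continue
            # A strictly shorter prefix that contains this network is "broader".
            if other_net.prefixlen < net.prefixlen and net.subnet_of(other_net):
                shadowed.append((name, other_name))
    return shadowed


# Constructed sample mirroring the page's example: group2 masks 172.19.122.0/24,
# group3 is the single host 172.19.122.220 with a stricter severity.
SAMPLE_GROUPS = [
    ("group1", "10.0.5.0", "Apply Class B Netmask", "Low"),
    ("group2", "172.19.122.0", "Apply Class C Netmask", "Medium"),
    ("group3", "172.19.122.220", "Do Not Apply Netmask", "Critical"),
]

if __name__ == "__main__":
    for specific, broad in find_shadowed_groups(SAMPLE_GROUPS):
        print(f"{specific} is superseded by the broader group {broad}")
```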
To create an IP range group:
- Go to Virtual Security Analyst > ML Configuration.
- In the Source IP tab, click Create. The ML Configuration for Source IP pane opens.
You cannot create an IP group if the baseline is training.
- Configure the source IP settings.
Source IP and Severity
Source IP | Enter the source IP.
Severity | Select Low, Medium, High or Critical.
Device Info
Source IP Mask | The source device IP. Apply a netmask if you do not want to treat certain range changes in the IP as an anomaly. Select one of the following options: Do Not Apply Netmask (the default), Apply Class C Netmask (/24), or Apply Class B Netmask (/16).
Destination IP Mask | The destination device IP. Apply a netmask if you do not want to treat certain range changes in the IP as an anomaly. Select one of the following options: Do Not Apply Netmask (the default), Apply Class C Netmask (/24), or Apply Class B Netmask (/16).
Source Device MAC Address | Source device MAC address.
Destination Device Model | Device model, such as FortiGate, Workstation, or iDRAC.
Destination Device Geolocation | Device geographical country, such as United States.
Destination Device Category | Device category, such as NAS, Virtual Machine, or Firewall.
Destination Device Vendor | Device vendor, such as VMware, Dell, or Synology.
Destination MAC Address | Destination device MAC address.
Destination Device OS | Device operating system, such as Windows or Linux.
Protocol and Application Behavior
Transport Layer Protocol | UDP, ICMP, TCP, etc.
Application Layer Protocol | TLS, HTTP, SMB, etc.
Protocol/Application Behaviors/Action | Specific application actions, such as Adobe Reader form creation, WebDAV reload, or Wasabi file upload.
Others
Session Packet Size | FortiNDR categorizes the packet size into 3 groups: Small (less than 100 bytes), Medium (101-99999 bytes), and Larger (100000 bytes or more).
Destination Port | Port number, such as 22, 445, or a non-reserved port.
Source Port | Port number, such as 22, 445, or a non-reserved port.
- Click Apply.
Default Tab
View and adjust the machine learning baseline features for traffic anomaly detection, and monitor the status of baseline training. Building a traffic baseline typically takes 7 days. Selecting different features to train a new baseline starts another 7-day training period; the old baseline is discarded during retraining, and ML detection is not available until the new baseline is ready.
The following features are enabled by default: Source Device IP, Destination Device IP, Destination Device Geolocation, Transport Layer Protocol, Application Layer Protocol, Protocol/Application Behaviors/Action, and Destination Port. We do not recommend editing these features unless you have a strong understanding of what they do.
The Default tab displays the following information and features:
Status
Baseline Status | The current baseline training status: Baselining (the current training is still in progress) or Baseline ready (the baseline training is done and is ready for anomaly detection).
ML Discovery Detection | Click to Enable or Disable baseline training.
Latest Training Completion | The date and time of the last baseline training.
Feature Enabled for Learning
Default Feature Configuration | Click to enable the default ML configuration settings.
Severity | Select Low, Medium, High or Critical.
Device Info
Source IP Mask | The source device IP. Apply a netmask if you do not want to treat certain range changes in the IP as an anomaly. Select one of the following options: Do Not Apply Netmask (the default), Apply Class C Netmask (/24), or Apply Class B Netmask (/16).
Destination IP Mask | The destination device IP. Apply a netmask if you do not want to treat certain range changes in the IP as an anomaly. Select one of the following options: Do Not Apply Netmask (the default), Apply Class C Netmask (/24), or Apply Class B Netmask (/16).
Source Device MAC Address | Source device MAC address.
Destination Device Model | Device model, such as FortiGate, Workstation, or iDRAC.
Destination Device Geolocation | Device geographical country, such as United States.
Destination Device Category | Device category, such as NAS, Virtual Machine, or Firewall.
Destination Device Vendor | Device vendor, such as VMware, Dell, or Synology.
Destination MAC Address | Destination device MAC address.
Destination Device OS | Device operating system, such as Windows or Linux.
Protocol and Application Behavior
Transport Layer Protocol | UDP, ICMP, TCP, etc.
Application Layer Protocol | TLS, HTTP, SMB, etc.
Protocol/Application Behaviors/Action | Specific application actions, such as Adobe Reader form creation, WebDAV reload, or Wasabi file upload.
Others
Session Packet Size | FortiNDR categorizes the packet size into 3 groups: Small (less than 100 bytes), Medium (101-99999 bytes), and Larger (100000 bytes or more).
Destination Port | Port number, such as 22, 445, or a non-reserved port.
Source Port | Port number, such as 22, 445, or a non-reserved port.
Sensor Group ID Tab (Center mode)
To create a Sensor Group:
- In Center mode, go to Virtual Security Analyst > ML Configuration.
- Click the Sensor Group ID tab.
- Click Create. The Sensor Group ID pane opens.
- Configure the group settings and click OK.
Sensor Group
Sensor Group | This value is populated by the system.
Sensor Selection | Click the plus (+) sign to select the sensor, and then click Close.
Feature Enabled for Learning
Default Feature Configuration | Click to enable the default ML configuration settings.
Severity | Select Low, Medium, High or Critical.
Device Info
Source IP Mask | The source device IP. Apply a netmask if you do not want to treat certain range changes in the IP as an anomaly. Select one of the following options: Do Not Apply Netmask (the default), Apply Class C Netmask (/24), or Apply Class B Netmask (/16).
Destination IP Mask | The destination device IP. Apply a netmask if you do not want to treat certain range changes in the IP as an anomaly. Select one of the following options: Do Not Apply Netmask (the default), Apply Class C Netmask (/24), or Apply Class B Netmask (/16).
Source Device MAC Address | Source device MAC address.
Destination Device Model | Device model, such as FortiGate, Workstation, or iDRAC.
Destination Device Geolocation | Device geographical country, such as United States.
Destination Device Category | Device category, such as NAS, Virtual Machine, or Firewall.
Destination Device Vendor | Device vendor, such as VMware, Dell, or Synology.
Destination MAC Address | Destination device MAC address.
Destination Device OS | Device operating system, such as Windows or Linux.
Protocol and Application Behavior
Transport Layer Protocol | UDP, ICMP, TCP, etc.
Application Layer Protocol | TLS, HTTP, SMB, etc.
Protocol/Application Behaviors/Action | Specific application actions, such as Adobe Reader form creation, WebDAV reload, or Wasabi file upload.
Others
Session Packet Size | FortiNDR categorizes the packet size into 3 groups: Small (less than 100 bytes), Medium (101-99999 bytes), and Larger (100000 bytes or more).
Destination Port | Port number, such as 22, 445, or a non-reserved port.
Source Port | Port number, such as 22, 445, or a non-reserved port.