The Detected Alert Sequence Patterns page is divided into two sections:
- ML Sequence - The alert sequences that ML detected from the last three months of data.
- User Sequence - Manually specify an alert sequence for correlation instead of using machine learning.
In the ML Sequence section, you can find the unmodified alert sequence patterns discovered from the last three months of alert data. You can also learn or unlearn an ML-trained alert sequence from this section.
In the User Sequence section, you can upload a training file in CSV format to heuristically specify an alert sequence for correlation instead of using machine learning to discover alert sequence patterns. You can edit the data saved in the training file directly in User Sequence instead of downloading the file and making the changes.
Access the ML Sequence or User Sequence section
Note - You can view the new UI only after the ML is retrained.
To access ML Sequence:
- From All Clients, select the client.
- Go to Setup > Alerts > Alert Correlation.
- From the ALERT CORRELATION POLICIES page, select a policy name for which the ML Status is displayed as READY.
- In the VIEW ALERT CORRELATION POLICY section, click Detected alert sequence patterns.
- You can view the ML Sequence tab in the Detected Alert Sequence Patterns page.
- You can view the User Sequence tab in the Detected Alert Sequence Patterns page.
- If you turn off Enable Continuous Learning on the VIEW ALERT CORRELATION POLICY page, you can view only the User Sequence tab in the Detected Alert Sequence Patterns page.
Learn or Unlearn an Alert Sequence
- In the Detected alert sequence patterns page, select ML Sequence.
- From the drop-down list, select All, Learn, or Unlearn. The page displays a list of alert sequences from which you can select an alert sequence to learn or unlearn.
- Select an alert sequence that you do not want to correlate and click Unlearn. The selected alert sequence is unlearned and moved to the Unlearn section.
- Select an alert sequence that you want to correlate and click Learn. The selected alert sequence is moved back to the Learn section.
Note - After you learn or unlearn a sequence, the change may take up to 60 minutes to become effective. Until then, alerts continue to be correlated (or not correlated, when you learn a new sequence) in the same way as before the change.
Edit/Modify Training Data
From the User Sequence:
Upload the CSV training file.
Once the file is uploaded, a dialog box is displayed indicating that training from the last three months of data is in progress.
You can edit the existing data using the Edit option.
Click Delete to delete the existing CSV training file.
Once you edit the training data, you can add multiple rows or save the training data.
Either enabling continuous learning or providing the training data file is mandatory for an ML policy.