
NDLP - average incidents for a business.

My question is for a business of around 8000, how many incidents should I be seeing?

I have had this question for many months now. What I have been doing is mainly focusing on reducing false positives, and I'm afraid incidents per day have dropped too low. What I have done to try to reassure myself is do a capture search for the day and compare it to the incidents for that day.

On a normal weekday I see about 200-400 incidents. On a weekend I see 200 total (Saturday - Sunday).

How I tuned our deployment was I took the canned policies and added or removed words I didn't think were appropriate for our environment and generated too many incidents that were actual incidents, but false positives. Now I see about 5-30 false positives a day in a pool of 200-400 incidents.


Re: NDLP - average incidents for a business.

This is really a per-environment question. The actions you stated above are valid. Creating rules that exclude content based off common triggers isn't a bad practice.

There are other ways to exclude if you are using, say, a common file, by creating a signature from the file (a common document sent to customers that has trigger words).

A more practical question would be: before you put the exclusions in place, were the valid incidents you were generating in the 200-400 range? I realize you generated more false positives before, but for the actual incidents, were they in this range? If so, I would say you don't have anything to worry about.
