    NDLP - average incidents for a business.


      My question is for a business of around 8000, how many incidents should I be seeing?


      I have had this question for many months now. What I have been doing is mainly focusing on reducing false positives, and I'm afraid incidents per day have dropped too low. What I have done to try to reassure myself is to run a capture search for the day and compare it to the incidents for that day.


      On a normal weekday I see about 200-400 incidents. On a weekend I see 200 total (Saturday - Sunday).


      How I tuned our deployment was I took the canned policies and added or removed words I didn't think were appropriate for our environment and that generated too many incidents that were logged as actual incidents but were false positives. Now I see about 5-30 false positives a day in a pool of 200-400 incidents.

          This is really a per-environment question. The actions you stated above are valid. Creating rules that exclude content based off common triggers isn't a bad practice.


          There are other ways to exclude, for example if you are sending a common file, by creating a signature from the file (a common document sent to customers that has trigger words).


          A more practical question would be: before you put the exclusions in place, were the valid incidents you were generating in the 200-400 range? I realize you generated more false positives before, but for the actual incidents, were they in this range? If so, I would say you don't have anything to worry about.
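The check the reply proposes, comparing valid (non-false-positive) incident volume before and after the exclusions went in rather than total volume, as an added example that is not part of the thread; the dates, counts and tuning date are constructed placeholders, not the poster's numbers.

```python
from datetime import date, timedelta
from statistics import mean

def build_sample(start, days, weekday_counts, weekend_counts):
    """Constructed daily counts: {date: (total_incidents, false_positives)}."""
    out = {}
    for i in range(days):
        d = start + timedelta(days=i)
        out[d] = weekend_counts if d.weekday() >= 5 else weekday_counts
    return out

# Constructed data (not from the thread). Tuning date is a placeholder.
TUNING_DATE = date(2024, 3, 11)
BEFORE = build_sample(date(2024, 2, 26), 14, (600, 320), (150, 60))
# Case 1: FPs fall, valid incidents hold at 280/weekday -> healthy tuning.
AFTER_OK = build_sample(TUNING_DATE, 14, (300, 20), (100, 5))
# Case 2: FPs fall but valid incidents also drop to 190/weekday -> over-tuned.
AFTER_OVERTUNED = build_sample(TUNING_DATE, 14, (200, 10), (60, 3))

def valid_incidents_by_period(daily_counts, tuning_date):
    """Mean valid (non-FP) incidents per day, split before/after tuning
    and weekday/weekend, since the two have very different baselines."""
    buckets = {(p, k): [] for p in ("before", "after") for k in ("weekday", "weekend")}
    for day, (total, fp) in daily_counts.items():
        period = "before" if day < tuning_date else "after"
        kind = "weekend" if day.weekday() >= 5 else "weekday"
        buckets[(period, kind)].append(total - fp)
    return {key: (mean(v) if v else 0.0) for key, v in buckets.items()}

def tuning_regression(daily_counts, tuning_date, max_drop=0.25):
    """Compare valid weekday volume before and after tuning. A falling FP
    count is the goal; a falling valid count beyond max_drop means the
    exclusions are suppressing real incidents too."""
    m = valid_incidents_by_period(daily_counts, tuning_date)
    before, after = m[("before", "weekday")], m[("after", "weekday")]
    drop = (before - after) / before if before else 0.0
    return {"valid_before": before, "valid_after": after,
            "drop": drop, "regressed": drop > max_drop}

if __name__ == "__main__":
    for label, after in (("ok", AFTER_OK), ("over-tuned", AFTER_OVERTUNED)):
        print(label, tuning_regression({**BEFORE, **after}, TUNING_DATE))
```

The per-day disposition counts would come from the DLP console's incident reports after review; the weekday split matters because weekend baselines are much lower and would skew a single average.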