What is a one sentence summary of your feature request?
We’d like to have a button that tunes threats based on our environment size.
Please describe your idea in detail. What is your problem, why do you feel this idea is the best solution, etc.
The idea is to have a button that auto-tunes threats based on the AD sync data NTM collects. When clicked, this button will adjust threat settings and provide a more optimal threshold per threat.
Ex. Fast password spraying triggers on 10 failed auths by default; for very large enterprise customers this is a disaster. After being clicked, this button would change the setting to 500, for example.
This idea is the best solution because it’s the most time-efficient option to tune environments quickly and accurately.
How do you currently solve the challenges you have by not having this feature?
Currently we have to work with support and professional services to tune our threats. This is very time-intensive, and we’d like an option to do it without support intervention.
I second this idea; I think this could add a lot of value to Threat Manager.
I thought about how we could implement it within Threat Manager and came up with this.
Bear in mind it’s my developer’s thoughts on paper and nothing official.
The vision:
We would generate stats from our database on recent threats over time, similar to what UEBA does.
Example:
Calculate environment size based on user count in Threat Manager.
Assess if the number of threats aligns with what’s expected for that size using dynamic thresholds.
If certain threat types exceed these thresholds, they’d enter an auto-tuning phase.
In this phase, we’d analyze factors like perpetrator and client, then automatically add filters for the major offenders—using a mix of math and stats.
How It Would Look:
We could offer users two tuning methods: a fully automatic one-click option and a manual approach.
We’d support automatic filters for all threats as a baseline and develop specific ones for each unique threat type.
Usage:
Automatically Prompted Once: The auto-filter would pop up once upon the next admin login after deployment for existing users. After that, it wouldn’t show automatically again.
Access: Users could find the option anytime via Cog Wheel → Auto Threat Tuning.
A cool additional feature might be non-intrusive notifications for manual Threat Tuning.
If we implement LLM in Threat Manager down the line, an AI could generate a user-friendly summary of tuning actions. Otherwise, we can keep it simple with a table summary.
Importantly, we should log all auto-tuning activities in the database for debugging and tracking later on.
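Added example (not part of the thread and not Netwrix code): a Python sketch of the auto-tuning pipeline the reply describes, size-scaled thresholds, a noise check per threat type against a dynamic expectation, perpetrator/client analysis for dominant offenders, and an audit log of every action. The only number taken from the thread is the 10-failed-auth default for fast password spraying; the baseline size, expected rates, noise factor, dominance share and all sample events are constructed assumptions.

```python
"""Size-aware threat tuning sketch (constructed example).

Steps mirror the proposal: derive environment size from the user count,
compare observed threat volume with a dynamic expectation, and for noisy
threat types propose filters for the perpetrators/clients that dominate.
"""
from collections import Counter
from dataclasses import dataclass, field

# --- constructed tuning parameters (assumptions, not product defaults) ---
BASELINE_USERS = 1_000            # environment size at which defaults apply
DEFAULT_THRESHOLDS = {
    "fast_password_spraying": 10,  # failed auths; the default quoted in the thread
    "kerberoasting": 5,            # constructed
}
EXPECTED_PER_1K_USERS_PER_DAY = {  # threats considered normal per 1,000 users/day
    "fast_password_spraying": 2.0,
    "kerberoasting": 0.5,
}
NOISE_FACTOR = 3.0      # observed > expected * factor => threat type is "noisy"
DOMINANCE_SHARE = 0.25  # an entity causing this share of a type's threats is a filter candidate


@dataclass(frozen=True)
class ThreatEvent:
    threat_type: str
    perpetrator: str   # account the detection attributed the activity to
    client: str        # source host the activity came from


@dataclass
class TuningPlan:
    thresholds: dict                      # threat_type -> new threshold
    filters: list                         # (threat_type, dimension, value, share)
    audit_log: list = field(default_factory=list)


def scaled_threshold(threat_type: str, user_count: int) -> int:
    """Scale the default threshold linearly with environment size, never below default."""
    base = DEFAULT_THRESHOLDS[threat_type]
    scale = max(1.0, user_count / BASELINE_USERS)
    return int(round(base * scale))


def noisy_threat_types(events, user_count: int, window_days: int) -> list:
    """Threat types whose observed volume exceeds the size-adjusted expectation."""
    observed = Counter(e.threat_type for e in events)
    noisy = []
    for ttype, count in observed.items():
        per_1k = EXPECTED_PER_1K_USERS_PER_DAY.get(ttype, 1.0)
        expected = per_1k * (user_count / 1_000) * window_days
        if count > expected * NOISE_FACTOR:
            noisy.append(ttype)
    return sorted(noisy)


def dominant_offenders(events, threat_type: str) -> list:
    """Perpetrators/clients responsible for at least DOMINANCE_SHARE of one threat type."""
    subset = [e for e in events if e.threat_type == threat_type]
    total = len(subset)
    found = []
    for dim in ("perpetrator", "client"):
        for value, n in Counter(getattr(e, dim) for e in subset).most_common():
            share = n / total
            if share < DOMINANCE_SHARE:
                break                      # most_common() is sorted descending
            found.append((threat_type, dim, value, share))
    return found


def build_tuning_plan(events, user_count: int, window_days: int = 7) -> TuningPlan:
    """Produce thresholds, proposed filters, and an audit trail; applies nothing itself."""
    plan = TuningPlan(thresholds={}, filters=[])
    for ttype, default in DEFAULT_THRESHOLDS.items():
        new = scaled_threshold(ttype, user_count)
        plan.thresholds[ttype] = new
        plan.audit_log.append(f"threshold {ttype}: {default} -> {new}")
    for ttype in noisy_threat_types(events, user_count, window_days):
        for ttype_, dim, value, share in dominant_offenders(events, ttype):
            plan.filters.append((ttype_, dim, value, share))
            plan.audit_log.append(f"filter {ttype_}: propose excluding {dim}={value} ({share:.0%} of events)")
    return plan


# Constructed sample: a 7-day window in a 50,000-user environment where one
# vulnerability-scanner host produces most of the password-spraying detections.
SAMPLE_EVENTS = (
    [ThreatEvent("fast_password_spraying", f"user{i % 40}", "vscan01.corp.example") for i in range(1500)]
    + [ThreatEvent("fast_password_spraying", f"user{i}", f"ws{i % 300}.corp.example") for i in range(900)]
    + [ThreatEvent("kerberoasting", "svc_backup", "app07.corp.example") for _ in range(3)]
)

if __name__ == "__main__":
    plan = build_tuning_plan(SAMPLE_EVENTS, user_count=50_000)
    print(plan.thresholds)
    print("\n".join(plan.audit_log))
```

The plan is a proposal object rather than an applied change: a host that dominates a detection can be a scanner, but it can equally be the one source an attacker is actually using, so the filter list is what the reply's manual tuning path and the stored audit log should surface for review before anything is excluded.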