Tune "Unconventional Protocol Communication" detections by port or protocol


It would be great to be able to tune “Unconventional Protocol Communication” detections in a more granular way. Currently the tuning seems to be “this attacker, this victim: ignore all unconventional protocols.”

It would be great to be able to say, for example, “SMTP/SSH between these two servers is OK from now on.”

Or even better would be some global rulesets that say “this specific port type to this victim server is always OK.”

I’m not sure if the current product design is based on learning this automatically and then stopping these detections from firing?


Hi @security2!

We’re exploring new detection filtering and hiding options to enable more effective triage and prioritization.

Unconventional Protocol Communication detections leverage ML-inferred similar-device groups to detect unusual protocols on a device. If you click on the detection card, you should see a chart that compares the anomalous behavior of the offender with its similar devices.

This detector is designed to continuously learn from observed data, so if you see repeating detections, or if the similar devices don’t look right, please reach out (via support); we’d love to take a closer look.

Thanks!
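The two posts above describe a peer-group detector (a device is flagged when it speaks a protocol its similar devices do not) and a request to tune it per offender/victim/protocol rather than per offender/victim pair. The following is an added example, not the vendor's code or any part of the product, that shows why the granularity matters: a pair-level suppression also hides any new protocol that later appears between the same two hosts, while a protocol-scoped rule keeps that coverage. The flows, host names and peer groups are constructed, and the "no other peer uses this protocol" heuristic is an assumption standing in for the product's ML-inferred similar-device groups.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional, Tuple

Detection = Tuple[str, str, str]  # (offender, victim, protocol)

# Constructed sample flows (src, dst, protocol); assumed inventory, not real telemetry.
FLOWS = [
    ("web-01", "db-01", "mysql"),
    ("web-02", "db-01", "mysql"),
    ("web-03", "db-01", "mysql"),
    ("web-01", "mail-01", "smtp"),   # only web-01 in the "web" group speaks SMTP
    ("web-01", "jump-01", "ssh"),    # only web-01 speaks SSH
    ("web-01", "jump-01", "rdp"),    # only web-01 speaks RDP, to the same host as SSH
]

# Assumed peer groups; the product infers these with ML, here they are hard-coded.
PEER_GROUPS = {"web-01": "web", "web-02": "web", "web-03": "web"}


def detect_unconventional(flows, peer_groups) -> List[Detection]:
    """Flag (offender, victim, protocol) when no other member of the offender's
    peer group uses that protocol to anyone. Hosts without a group are skipped."""
    protos_by_host = defaultdict(set)
    for src, _dst, proto in flows:
        protos_by_host[src].add(proto)
    members = defaultdict(set)
    for host, group in peer_groups.items():
        members[group].add(host)

    detections = set()
    for src, dst, proto in flows:
        group = peer_groups.get(src)
        if group is None:
            continue
        peers = members[group] - {src}
        if not any(proto in protos_by_host[p] for p in peers):
            detections.add((src, dst, proto))
    return sorted(detections)


@dataclass(frozen=True)
class TuningRule:
    """A suppression rule; a None field matches any value, so
    TuningRule(victim="mail-01", protocol="smtp") is a global 'SMTP to this server is OK'."""
    offender: Optional[str] = None
    victim: Optional[str] = None
    protocol: Optional[str] = None

    def matches(self, det: Detection) -> bool:
        src, dst, proto = det
        return ((self.offender is None or self.offender == src)
                and (self.victim is None or self.victim == dst)
                and (self.protocol is None or self.protocol == proto))


def apply_tuning(detections, rules) -> Tuple[List[Detection], List[Detection]]:
    """Split detections into (kept, suppressed) according to the rules."""
    kept, suppressed = [], []
    for det in detections:
        (suppressed if any(r.matches(det) for r in rules) else kept).append(det)
    return kept, suppressed


if __name__ == "__main__":
    dets = detect_unconventional(FLOWS, PEER_GROUPS)
    print("raw detections:", dets)

    # Pair-level rule (the behaviour the poster describes): hides SSH and RDP alike.
    kept, sup = apply_tuning(dets, [TuningRule(offender="web-01", victim="jump-01")])
    print("pair rule keeps:", kept, "suppresses:", sup)

    # Protocol-scoped rule (the requested behaviour): SSH is accepted, RDP still fires.
    kept, sup = apply_tuning(dets, [TuningRule("web-01", "jump-01", "ssh")])
    print("scoped rule keeps:", kept, "suppresses:", sup)
```

Running it shows the blind spot directly: with the pair rule the RDP detection disappears even though nobody ever reviewed it, whereas the scoped rule suppresses exactly the SSH traffic that was judged acceptable. When writing suppressions against any anomaly detector, scoping to the narrowest tuple you actually validated (offender, victim and protocol/port) is the safer default.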