AI-Triage in Detail
Is there a demo video of this feature?
The demo video below discusses the feature and shows enabling, disabling, and filtering the detections view to show only detections that have been filtered by AI.
Please keep in mind that this video was made prior to the Respond UX being available. Certain features, such as disabling and enabling AI-Triage, are only available in Quadrant UX deployments. This FAQ has been updated to reflect differences between the UXs. If you are unsure of your UX, please see Vectra Analyst User Experiences (Respond vs Quadrant).
What Vectra products does AI-Triage apply to?
NDR (formerly Detect for Networks)
IDR for Azure AD (formerly Detect for Azure AD)
CDR for M365 (formerly Detect for M365)
CDR for AWS (Formerly Detect for AWS)
CDR for Azure
This product is only available for RUX deployments.
How is AI-Triage enabled?
RUX Customers
AI-Triage is an integral part of AI-driven Prioritization and cannot be disabled. Please see the AI-driven Prioritization FAQ if you have more questions about how AI-driven Prioritization works.
New QUX customers:
AI-Triage is automatically turned on for new customers.
New customers are defined as having had less than 10 detections in the last 30 days.
Existing QUX customers:
A single setting available in your Vectra Brain controls AI-Triage.
Navigate to Settings and edit the "Automatic AI Triage" setting to toggle the feature "On" and then save the setting to enable it:

How can AI-Triage be disabled (QUX customers only)?
Simply toggle the setting off and save your choice to disable most AI-Triage technologies.
You will be asked to confirm your choice.
Please see the 3rd entry in this section about disabling AI-Triage for more details around why not all AI-Triage technologies can be disabled.
If you have detections that have been previously triaged by AI-Triage, you will be offered a choice of how to treat those detections:

If you choose to turn off AI filtering, detections that were triaged by the feature can either be reprocessed through any other existing triage filters that you may have created, or you can leave them as having been filtered by AI.
Restoring detections will reprocess them through existing triage filters and can impact scoring for associated Hosts.
Leaving existing detections as they are means that they will still be labeled the same way they are currently and have no scoring impact.
As seen in the screenshot, not all detections that were filtered by AI-Triage can necessarily be restored.
This is because several different underlying processes all play a part in AI-Triage.
In v9.3 and later versions of QUX, AI-Triage technology that previously applied only to RUX deployments now also applies to QUX deployments.
This newer technology cannot be disabled, so you may see some network detections that are AI-Filtered even with the AI-Triage setting disabled.
The previous AI-triage technology still runs and is controlled by the enablement setting.
When does AI-Triage run?
AI-Triage requires 14 days of historical data in the system before it can create rules automatically.
For network detections, after AI-Triage is turned on, it runs every evening starting at 6:45PM (local Brain time).
As of v9.3 some network detections will be processed by AI-Triage as they are created while others will still happen daily.
The initial run may take longer than subsequent runs, so we suggest checking the next day for any changes.
For cloud based detections (CDR for AWS, CDR for Azure, CDR for M365, IDR for AAD), detections are processed by AI-Triage as they are created.
There is no periodic run like there is for network detections.
What detections are processed by AI-Triage?
AI-Triage initially examines all detections to look for patterns that may indicate benign behavior. This includes active, inactive, triaged, etc.
After the initial run, AI-Triage will examine any new network detections that have occurred since the last run.
AI-Triage processes most network detections in the C2, Exfil, Recon, and Lateral Movement categories.
AI-Triage processes most CDR for M365 and IDR for AAD detections.
AI-Triage processes most CDR for AWS detections.
AI-Triage processes most CDR for Azure detections.
How does Vectra determine which detections should be filtered by AI-Triage?
Through customer interviews and data science, Vectra has identified several high-confidence scenarios where benign behaviors exist. In these scenarios, customers would typically create their own Triage filters. We worked with analysts to understand how they identify these scenarios, and how they build rules to filter these detections. By leveraging some of the same AI techniques Vectra is known for, we are able to automate this process.
Essentially, AI-Triage looks for persistent commonalities in detections that could indicate the behaviors identified are benign in nature.
How does AI-Triage interact with other triage filters?
AI-Triage filters take precedence over other customer created filters.
One of the main goals of the feature is to remove much of the need for customers to create and manage triage filters of their own.
After a time, you may notice that many pre-existing triage filters stop firing altogether and can be removed entirely.
Since AI-Triage has precedence over any other filter type, behaviors that created detections in the past may now be filtered by AI-Triage instead of customer created triage filters.
As a result, detections that previously appeared in the UI under the name you gave them in a triage filter would now be labeled "AI-Filtered (original detection name)". Scoring would not be impacted, as both AI-Triage and user-created triage filters zero out scores for matching detections. Only the displayed name can change.
Turning off AI-Triage and reprocessing detections would be a way to restore the prior behavior.
What impact could AI-Triage have on whitelist filters?
Vectra strongly discourages the use of whitelist filters for a number of reasons:
Context - Whitelist filters hide detections from the UI entirely. This eliminates the possibility of analysts gaining context for the normal behaviors that a host or account performs. Sometimes this context can help analysts better understand other detections and patterns of behavior.
Scoping - Since whitelisted detections are hidden from the UI, it is more difficult for analysts to realize that a whitelist filter may have been scoped incorrectly and may be applied more broadly than required. If a triage filter rule is used instead of a whitelist filter, the scoring impact will be the same, but the analyst will have the opportunity to see behaviors that perhaps should not have been filtered out entirely.
Visibility - Vectra analysts have observed cases where a filter that correctly identifies benign behavior most of the time can also catch malicious behavior. For example, let's say you have a filter that catches External Remote Access using TeamViewer. Most of the time this use is benign, but if you have a whitelist filter, you will never see the time that TeamViewer was used maliciously. Using a triage filter instead, you will at least see that behavior and may notice something different about the detection even if it isn't scored.
Vectra no longer allows whitelist filters to be created from a detection screen. It is still possible to create them from the Manage > Triage Filters screen.
Since AI-Triage has precedence over any other filter type, it can impact whitelist filters that you have in place by taking detections that you have created filters for and making them now visible as "AI-Filtered (original detection name)".
Turning off AI-Triage and reprocessing detections would be a way to restore the prior behavior.
How can I see why a detection has been filtered by AI-Triage?
When viewing a detection, the reason for the filtering will be shown in the top left of the detection detail page:

How can I see detections that have been filtered by AI-Triage?
AI-Filtered detections can be isolated by using the Basic Search filter for Status: Filtered by AI:

An Advanced Search filter that includes detection.filtered_by_ai:true will also return results (Quadrant UX only):

If you would like to filter detections in the Vectra API that were filtered by AI-Triage, you can match detections whose custom_detection attribute is set to AI-Filtered, as shown below:
custom_detection:AI-Filtered
Can customers exclude certain entities from having their detections filtered by AI-Triage?
No. AI-Triage is a global setting that is either on or off for the entire set of entities processed by your Vectra deployment.
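Returning to the API query above (custom_detection:AI-Filtered), the following is an added example and not Vectra's code or API client. It works offline on a saved detections response and shows how to separate detections that AI-Triage filtered from detections that a customer-created triage filter handled, and how to recover the original detection name from the "AI-Filtered (original detection name)" label this FAQ describes. Only the custom_detection attribute and that label format come from this page; the request itself is out of scope, the response is constructed, and the other fields used (id, detection, src_host, threat, certainty) are assumed for the sake of the sample.

```python
"""Audit AI-Triage-filtered detections from a saved Vectra detections response.

Added example, not Vectra's code. Assumes (per this FAQ) that a detection
filtered by AI-Triage carries custom_detection == "AI-Filtered" and is
displayed as "AI-Filtered (original detection name)". The remaining fields
and the sample response below are constructed for illustration.
"""
import json
import re
from collections import defaultdict

# Display-name convention from the FAQ; the group captures the original name.
AI_FILTERED_RE = re.compile(r"^AI-Filtered \((?P<original>.+)\)$")

# Constructed sample response (assumed field names, not captured data).
SAMPLE_RESPONSE = json.dumps({
    "results": [
        {"id": 101, "detection": "AI-Filtered (External Remote Access)",
         "custom_detection": "AI-Filtered",
         "src_host": {"name": "ws-finance-07"}, "threat": 0, "certainty": 0},
        {"id": 102, "detection": "Approved scanner",
         "custom_detection": "Approved scanner",
         "src_host": {"name": "vuln-scanner-01"}, "threat": 0, "certainty": 0},
        {"id": 103, "detection": "Hidden HTTPS Tunnel",
         "custom_detection": None,
         "src_host": {"name": "ws-finance-07"}, "threat": 70, "certainty": 60},
        {"id": 104, "detection": "AI-Filtered (Port Sweep)",
         "custom_detection": "AI-Filtered",
         "src_host": {"name": "vuln-scanner-01"}, "threat": 0, "certainty": 0},
    ]
})


def is_ai_filtered(detection: dict) -> bool:
    """True when the record matches the query custom_detection:AI-Filtered."""
    return detection.get("custom_detection") == "AI-Filtered"


def original_name(detection: dict) -> str:
    """Recover the original detection name from an 'AI-Filtered (...)' label.

    Unlabeled names are returned unchanged.
    """
    name = detection.get("detection", "")
    match = AI_FILTERED_RE.match(name)
    return match.group("original") if match else name


def partition_detections(raw_json: str) -> dict:
    """Split a detections response into AI-filtered, customer-filtered and unfiltered.

    Both AI-Triage and customer triage filters zero out scores, so threat and
    certainty alone cannot tell them apart; custom_detection can.
    """
    results = json.loads(raw_json)["results"]
    buckets = {"ai_filtered": [], "customer_filtered": [], "unfiltered": []}
    for det in results:
        if is_ai_filtered(det):
            buckets["ai_filtered"].append(det)
        elif det.get("custom_detection"):
            buckets["customer_filtered"].append(det)
        else:
            buckets["unfiltered"].append(det)
    return buckets


def ai_filtered_by_host(raw_json: str) -> dict:
    """Map host name -> sorted original detection names that AI-Triage filtered.

    Useful for periodically reviewing what AI-Triage has hidden from scoring,
    since the FAQ recommends keeping filtered behaviors visible to analysts.
    """
    summary = defaultdict(set)
    for det in partition_detections(raw_json)["ai_filtered"]:
        host = (det.get("src_host") or {}).get("name", "<unknown host>")
        summary[host].add(original_name(det))
    return {host: sorted(names) for host, names in summary.items()}


if __name__ == "__main__":
    for host, names in sorted(ai_filtered_by_host(SAMPLE_RESPONSE).items()):
        print(f"{host}: {', '.join(names)}")
```

Feed the script a detections response saved from your deployment in place of SAMPLE_RESPONSE; the per-host summary gives analysts a quick way to review which behaviors AI-Triage has zeroed out without losing the visibility the whitelist section above argues for.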