Before defining and building a model, review the following considerations:
You can create and delete models, but you cannot modify them.
You can define as many models as you want, but you can only build one model at a time.
When you define the model, you should set the date range wide enough (more than 168 hours) so that the model includes a variety of device behaviors, including cyclical patterns.
Because the scoring algorithm is based on peer group analysis, Micro Focus recommends that you include similar devices in a model, based on activity. For example, you might want to create separate models for scoring endpoints, scoring DNS servers, and scoring databases.
Each model definition applies a filter where Source Address != NULL.
When you build a model, Outlier Analytics adds a lookup list of the same name to Configuration > Lookup Lists. You cannot view or edit this list. When you delete the model, the lookup list also gets deleted.
The auto-complete functionality is temporarily unavailable in search input. The following columns are available for outliers filtering in the Search feature:
Source Address of <Model_Name>
Base Event Count Score of <Model_Name>
Bytes Out of <Model_Name>
Bytes In of <Model_Name>
<Model_Name> corresponds to the model name being scored.