
Decision points

The first part of the AI Job learning process is the Decision points selection process. When selecting decision points, we instruct the models as to what information is relevant in the decision making process.

For selecting Decision points follow the steps below:

  1. Go to the AI Jobs section, click on the AI Job for which you want to perform the Decision points selection, and go to the Feedback Page. Click the Decision points button in the top-right corner of the screen. Make sure that the job is running and events are being collected.

  2. You will be provided with the full list of available data fields that can be used as Decision points by the AI Model:

  3. Select the fields you want the AI model to use as Decision points by checking the checkboxes in front of each field:

    • Selected fields are automatically added to the Decision points list built under the complete list of fields
    • You can also use the search box to search for specific field names and select them as Decision points
    info

    The AI models can understand text information only. Fields with numerical values have no meaning in this context and will not be considered for making decisions. In these cases, a custom field can be created to map numerical values to text values. Some practical examples of custom fields would be:

    • IPs -> network zones / purposes / criticality
    • Ports -> name of services
    • Severity numbers -> severity levels
  4. If you want to use fields that need to be converted to text to become usable, such as numerical values, you can use the Create custom fields option at the top-right and follow the next steps:

    4.1. Using the search box, select the fields you want to map (e.g. event.severity)

    4.2. In the Output values field, type in the values that you want to use as the mapping policy (e.g. high, medium, low, other)

    4.3. Using the Rule section, define the mapping rules from each value of the field to the values defined in the previous section. E.g.:

      • event.severity=1 will be mapped to high

      • event.severity=2 will be mapped to medium

      • event.severity=3 will be mapped to low

      • anything else will be mapped to other

    4.4. Click the Create field button at the bottom of the form once you finish the mapping. At this point, a new field will become available in the list to be used as a feature (it will have a generated tag added to the original name of the field).

    info

    Once you select the features, the AI Job will group events into buckets which will be available for viewing and feedback in the Feedback page (please refer to Concepts -> Buckets section for additional details about the bucketing concept)
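
The sketch below is an added example, not the product's own code: it shows outside the UI what a numeric-to-text mapping policy does to an event, covering the three kinds of custom field listed above (severity numbers, ports, IPs) and the "anything else" fallback. The field names destination.port and source.ip, the zone names, the CIDR ranges, the port list and the "_generated" suffix are assumptions made for illustration.

```python
import ipaddress

DEFAULT = "other"        # the "anything else" rule from step 4.3
SUFFIX = "_generated"    # hypothetical tag; the real generated name may differ

# Constructed mapping policy. Severity rules are the page's example;
# the port list and the network zones are assumptions.
SEVERITY = {1: "high", 2: "medium", 3: "low"}
SERVICES = {22: "ssh", 53: "dns", 443: "https", 3389: "rdp"}
ZONES = [
    (ipaddress.ip_network("10.0.0.0/8"), "internal"),
    (ipaddress.ip_network("10.10.0.0/16"), "server-zone"),
    (ipaddress.ip_network("192.168.50.0/24"), "dmz"),
]

def map_exact(table):
    """Build a rule mapping an integer value to text, else DEFAULT."""
    def rule(value):
        try:
            return table.get(int(str(value).strip()), DEFAULT)
        except ValueError:          # non-integer input such as "2.7" or None
            return DEFAULT
    return rule

def map_zone(value):
    """Map an IP address to the most specific matching zone, else DEFAULT."""
    try:
        addr = ipaddress.ip_address(str(value))
    except ValueError:
        return DEFAULT
    matches = [(net.prefixlen, zone) for net, zone in ZONES if addr in net]
    return max(matches)[1] if matches else DEFAULT

RULES = {
    "event.severity": map_exact(SEVERITY),
    "destination.port": map_exact(SERVICES),
    "source.ip": map_zone,
}

def add_custom_fields(event):
    """Return a copy of the event with a text field added per mapped field."""
    out = dict(event)
    for field, rule in RULES.items():
        if field in event:
            out[field + SUFFIX] = rule(event[field])
    return out

# Constructed sample events.
EVENTS = [
    {"event.severity": 1, "destination.port": 3389, "source.ip": "10.10.4.7"},
    {"event.severity": "2", "destination.port": 443, "source.ip": "192.168.50.12"},
    {"event.severity": 7, "destination.port": 8081, "source.ip": "203.0.113.9"},
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(add_custom_fields(ev))
```

Overlapping ranges resolve to the longest prefix, so an address in 10.10.0.0/16 is labelled server-zone rather than internal; any value without a rule falls through to other, which keeps unexpected inputs visible as a distinct label.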