In some cases baselining for a new user has taken place during a few weeks that aren’t representative of what the user’s real working pattern will be.
Can we tell IDR to reset a user’s baseline and start from scratch? Or is this in theory unnecessary because of “continuous baselining”? What exactly is continuous baselining?
@pkirwan Resetting baselining isn’t possible, in the sense that a user cannot be removed from IDR once created. However, the baselining period simply mutes certain alerts shown here: Alerts | InsightIDR Documentation
Essentially if a user accesses certain machines or accounts during the baselining period, these alerts won’t fire.
But if they perform the same actions after the baselining period, the alerts also wouldn’t fire, as IDR has already observed the action. For example, if a Restricted Asset authentication reoccurs, it wouldn’t fire an alert after the baseline is over, unless the user doesn’t log into that asset for 90 days, after which point, if they logged in again, the "Restricted Asset Auth - New User" alert would fire again.
For the majority of baseline activity, it’s a 90-day window for actions to reoccur or be reset.
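The timing described in this answer (alerts muted while a user is in the initial baselining period, then a rolling 90-day window after which a previously observed action counts as new again) is easier to reason about on concrete data. The following is an added model written for this thread, not InsightIDR code and not posted by anyone in the discussion: the log line format, the restricted-asset list, the 14-day default baseline and the exact boundary handling are all assumptions chosen to match what the answer states.

```python
"""Model of a baselined 'new user on restricted asset' detection.

Added illustration, not InsightIDR's implementation. It encodes the rules the
thread describes:
  1. A user's baselining period starts at their first observed event and
     lasts `baseline_days` (14 assumed here; the thread mentions 14/21).
  2. During that period nothing alerts, but the user/asset pairs seen are
     recorded.
  3. After the period, an authentication to a restricted asset alerts only if
     the user/asset pair has never been seen, or was last seen more than
     `lookback_days` (90) ago.
Log format and asset names are constructed for the example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class AuthEvent:
    when: datetime
    user: str
    asset: str


def parse_line(line: str) -> AuthEvent:
    """Parse one constructed log line of the form '<ISO timestamp> <user> <asset>'."""
    ts, user, asset = line.split()
    return AuthEvent(datetime.fromisoformat(ts), user, asset)


def restricted_asset_new_user_alerts(lines, restricted_assets,
                                     baseline_days=14, lookback_days=90):
    """Return (timestamp, user, asset) tuples for which the model would alert."""
    events = sorted((parse_line(line) for line in lines), key=lambda e: e.when)
    baseline_ends = {}   # user -> datetime when their baselining period ends
    last_seen = {}       # (user, asset) -> datetime of most recent authentication
    alerts = []
    for ev in events:
        # First sighting of a user starts their baselining clock (assumption 1).
        if ev.user not in baseline_ends:
            baseline_ends[ev.user] = ev.when + timedelta(days=baseline_days)
        key = (ev.user, ev.asset)
        previous = last_seen.get(key)
        last_seen[key] = ev.when   # every event refreshes the 90-day window
        if ev.asset not in restricted_assets:
            continue
        if ev.when < baseline_ends[ev.user]:
            continue   # still baselining: learn the pair, do not alert (rule 2)
        if previous is None or ev.when - previous > timedelta(days=lookback_days):
            alerts.append((ev.when, ev.user, ev.asset))   # rule 3
    return alerts


# Constructed sample log (not real data). Day offsets are relative to each
# user's first event: alice starts 2024-01-01, bob starts 2024-06-01.
SAMPLE_LOG = [
    "2024-01-01T09:00:00 alice fileserver01",  # day 0: baseline starts, pair learned
    "2024-01-05T09:00:00 alice ws-alice",      # day 4: non-restricted, never alerts
    "2024-01-21T09:00:00 alice fileserver01",  # day 20: after baseline, seen 20 days ago -> quiet
    "2024-02-10T09:00:00 alice dbserver01",    # day 40: never seen before -> alert
    "2024-05-10T09:00:00 alice fileserver01",  # day 130: last seen 110 days ago -> alert
    "2024-05-11T09:00:00 alice fileserver01",  # day 131: seen yesterday -> quiet
    "2024-06-01T09:00:00 bob dbserver01",      # bob day 0: inside his baseline -> quiet
    "2024-09-09T09:00:00 bob dbserver01",      # bob day 100: 100 > 90 days -> alert
]
RESTRICTED_ASSETS = {"fileserver01", "dbserver01"}


if __name__ == "__main__":
    for when, user, asset in restricted_asset_new_user_alerts(SAMPLE_LOG, RESTRICTED_ASSETS):
        print(f"{when.isoformat()} ALERT restricted asset auth, new user: {user} -> {asset}")
```

Run as-is, the model alerts three times: alice's first touch of dbserver01, alice returning to fileserver01 after a 110-day gap, and bob returning to dbserver01 after 100 days. Changing `baseline_days` to 21 does not change the result on this data, which matches the point of the answer: whether the initial period is 14 or 21 days, what governs later alerts is the rolling window since the pair was last seen, and there is no knob in this model (or, per the answer, in IDR) to clear that history short of waiting it out.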
Thanks for taking the time to reply
Am I right in understanding you that after the initial 21/14 days of baselining, the baseline of expected behaviour is just whatever happened in the last 90 days?
If so, and since we have no way of resetting the baseline clock, it’s just a case of waiting, right?
Yes, that’s correct. In theory we could have Engineering delete a user, but that’s not the typical (or recommended) course of action here.