Non-Malicious Unexpected Created Edge Anomaly describes a non-malicious unexpected created
Figure 3. Non-Malicious Unexpected Created Edge
New employees start working at a remote office. Agent 1 groups the remote branch hosts as a cluster, External windows, and the branch 1 hosts as another cluster, Inet. Because branch 2 is remote to agent 1, it groups the branch 2 hosts as another cluster, External inet. Agent 2 groups the remote branch hosts as a cluster, External windows. Because branch 1 is remote to agent 2, agent 2 groups the branch 1 hosts as a cluster, External inet, and the branch 2 hosts as a cluster, Inet.
During the initial learning period, both agents only detect FTP traffic between and among the offices. After the learning period, the employees start transferring HTTP traffic. Both agents report this new traffic as an anomaly to the controller.
A security administrator logs into the controller, reviews the anomaly from the inbox, examines the hosts' identity collected with ISE, and determines this is not malicious activity. The analyst clicks the thumbs down icon to assign irrelevant feedback to the anomaly, and the system incorporates this feedback into the Distributed Relevance Learning (DRL) algorithms.
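The following sketch replays the scenario above as an added illustration; it is not the product's code. Host names, timestamps, the `Agent` class and the flow records are constructed, every agent is assumed to see every flow, and a plain suppression set stands in for DRL, whose internals this page does not describe.

```python
from collections import namedtuple

Flow = namedtuple("Flow", "ts src dst proto")  # constructed flow record

class Agent:
    """Toy per-agent edge baseline (hypothetical, for illustration only)."""
    def __init__(self, name, clusters, learn_until):
        self.name, self.clusters, self.learn_until = name, clusters, learn_until
        self.baseline = set()    # edges seen during the learning period
        self.irrelevant = set()  # edges an analyst marked irrelevant

    def observe(self, flow):
        """Return an anomaly for an unexpected created edge, else None."""
        edge = (self.clusters[flow.src], self.clusters[flow.dst], flow.proto)
        if flow.ts <= self.learn_until:
            self.baseline.add(edge)
            return None
        if edge in self.baseline or edge in self.irrelevant:
            return None
        return {"agent": self.name, "edge": edge, "ts": flow.ts}

# Each agent labels the same hosts differently, as in the scenario above.
AGENT1_VIEW = {"remote-pc": "External windows", "b1-host": "Inet", "b2-host": "External inet"}
AGENT2_VIEW = {"remote-pc": "External windows", "b1-host": "External inet", "b2-host": "Inet"}

def run_scenario():
    agents = [Agent("agent1", AGENT1_VIEW, 100), Agent("agent2", AGENT2_VIEW, 100)]
    learning = [Flow(10, "remote-pc", "b1-host", "FTP"),
                Flow(20, "remote-pc", "b2-host", "FTP"),
                Flow(30, "b1-host", "b2-host", "FTP")]
    for f in learning:            # simplification: every agent sees every flow
        for a in agents:
            a.observe(f)
    # After the learning period, HTTP appears: a new edge for both agents.
    http = Flow(150, "remote-pc", "b1-host", "HTTP")
    inbox = [r for a in agents if (r := a.observe(http))]
    # FTP on the same cluster pair is still in the baseline, so no anomaly.
    ftp_after = [a.observe(Flow(160, "remote-pc", "b1-host", "FTP")) for a in agents]
    # Analyst marks each anomaly irrelevant; the feedback goes back to the agent.
    by_name = {a.name: a for a in agents}
    for anomaly in inbox:
        by_name[anomaly["agent"]].irrelevant.add(anomaly["edge"])
    repeat = [a.observe(Flow(200, "remote-pc", "b1-host", "HTTP")) for a in agents]
    return inbox, ftp_after, repeat

if __name__ == "__main__":
    for part in run_scenario():
        print(part)
```

The same HTTP flow produces a differently labelled edge on each agent because the cluster names depend on the agent's vantage point, which is why the controller receives two anomalies for one change in traffic.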