After you manage your agents with the controller, allow the system to run for seven days,
inspect your network traffic, and build a baseline traffic model.
The Learning Network License system identifies anomalies by comparing
detected traffic to the baseline model, and noting deviations. After system deployment,
each agent inspects traffic traversing the router. During
this initial learning phase, the agent builds a baseline traffic model. The model includes dynamically-generated clusters of
hosts, and what types of application traffic are transmitted between clusters at what
times of day.
If you log into the
UI while the system is learning about your network, you may see very few or no
reported anomalies, as the system cannot compare against a baseline yet.
Towards the end of the initial learning phase, the system may start reporting
anomalies, but without a complete baseline, these anomalies may not be
relevant. After the initial learning phase, when each
completes its baseline model, the system can properly identify anomalous
traffic that deviates from the baseline.
For more information, see the Cisco Stealthwatch Learning Network License Configuration Guide.