Follow

Number of entities (users/servers/etc...) appears lower after upgrade to 5.2.1

Note that this behaviour is no longer applicable as of Interset 5.4. The following changes do not need to be made.

Following an upgrade from Interset 5.0 (or older) to 5.2.1 you may notice that the count of the entities in the data appears to be lower. This is due to a change in functionality that will "hide" users that meet the following criteria:

- Their risk score has decayed to below 0.005
- They have had no activity since their risk score decayed to below 0.005

This allows us to automatically hide accounts that are completely inactive (but still resurface them if new activity is detected) as well as to hide accounts that only exist in the data due to failed logins (e.g. mistyped user names).

If you desire to change this, it is controlled by a tuning parameter named STOP DECAY THRESHOLD. This value is set to 0.005 by default, but can be changed with the following instructions:

1) Log in to your MASTER node that Analytics is installed on as the interset user.
2) Navigate to /opt/interset/analytics/bin
3) Run ./sql.sh --action console --dbServer <zookeeper_host>:2181:/hbase-unsecure
4) Run the following command in the shell that was spawned by sql.sh

UPSERT INTO PARAMETERS(TID,NAME,VAL) VALUES('0','STOP DECAY THRESHOLD',0.005)

Note that the example above assumes your tenant ID is 0, and also the default value of 0.005. This tuning parameter is unique on a per tenant basis, so if you have multiple tenants this must be set for each one individually.

5) Type !quit to exit the console

The changes will take affect on the next Analytics run.

 

Was this article helpful?
0 out of 0 found this helpful
Have more questions? Submit a request

Comments

Powered by Zendesk