Best Practices
Maximise detection accuracy and minimise false positives with these deployment recommendations.
Alert Tuning
- Start with a threat_score threshold of 70 for high/critical routing, then lower it over the following 2 weeks as the false-positive rate becomes clear
- Whitelist known security scanners and vulnerability assessment tools in ThreatSense to reduce noise by 40–60%
- Enable time-of-day weighting: alerts at 03:00 from service accounts score 15 points higher automatically
- Review false positives weekly: each analyst disposition feeds the model retraining pipeline, which runs on a 90-day drift detection cycle
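The routing and weighting rules above, worked through as an added example; this is illustrative code written for this page, not ThreatSense's own implementation. It assumes an alert is a dict with `threat_score`, `src_ip`, `timestamp` and `service_account` fields, generalises the "03:00" rule to a configurable overnight window (00:00 to 05:59), and uses constructed scanner addresses and sample alerts.

```python
from datetime import datetime

# Deployment settings mirroring the recommendations on this page.
HIGH_THRESHOLD = 70            # initial threat_score cutoff for high/critical routing
NIGHT_BONUS = 15               # time-of-day weighting for service accounts
NIGHT_HOURS = range(0, 6)      # assumption: "03:00" generalised to an overnight window
SCANNER_ALLOWLIST = {"10.0.5.20", "10.0.5.21"}   # constructed scanner source addresses


def tuned_score(alert):
    """Return (score, suppressed): the weighted score and whether the alert is
    whitelisted noise from a known scanner."""
    if alert["src_ip"] in SCANNER_ALLOWLIST:
        return alert["threat_score"], True
    score = alert["threat_score"]
    hour = datetime.fromisoformat(alert["timestamp"]).hour
    # Service-account activity during the overnight window scores higher.
    if alert.get("service_account") and hour in NIGHT_HOURS:
        score += NIGHT_BONUS
    return min(score, 100), False


def route(alert, threshold=HIGH_THRESHOLD):
    """Map an alert to a queue: 'suppressed', 'high' or 'standard'."""
    score, suppressed = tuned_score(alert)
    if suppressed:
        return "suppressed"
    return "high" if score >= threshold else "standard"


def high_queue_fp_rate(dispositions):
    """Weekly false-positive rate for alerts routed 'high'.
    dispositions: list of (alert, analyst_verdict) where verdict is 'tp' or 'fp'."""
    high = [(a, v) for a, v in dispositions if route(a) == "high"]
    if not high:
        return 0.0
    return sum(1 for _, v in high if v == "fp") / len(high)


# Constructed sample alerts (not real telemetry).
ALERTS = [
    {"src_ip": "10.0.5.20", "threat_score": 90, "timestamp": "2024-01-15T03:00:00+00:00",
     "service_account": False},                                    # known scanner
    {"src_ip": "10.1.2.3", "threat_score": 60, "timestamp": "2024-01-15T03:00:00+00:00",
     "service_account": True},                                     # svc account, 03:00 -> 75
    {"src_ip": "10.1.2.4", "threat_score": 60, "timestamp": "2024-01-15T03:00:00+00:00",
     "service_account": False},                                    # human, 03:00 -> 60
    {"src_ip": "10.1.2.5", "threat_score": 60, "timestamp": "2024-01-15T14:00:00+00:00",
     "service_account": True},                                     # svc account, daytime -> 60
    {"src_ip": "10.1.2.6", "threat_score": 85, "timestamp": "2024-01-15T12:00:00+00:00",
     "service_account": False},                                    # already above threshold
]

if __name__ == "__main__":
    for alert in ALERTS:
        print(alert["src_ip"], tuned_score(alert), route(alert))
    # Constructed weekly review: two high alerts, one judged a false positive.
    print("FP rate:", high_queue_fp_rate([(ALERTS[1], "fp"), (ALERTS[4], "tp")]))
```

The suppression check runs before weighting so a whitelisted scanner never reaches the high queue regardless of its raw score; `high_queue_fp_rate` is the number to track week over week before lowering `HIGH_THRESHOLD`.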
Model Calibration
- Run the initial baseline period for 14 days before activating SOC AutoPilot auto-resolve — models need to learn your environment
- For InsiderThreat AI: ingest 60 days of historical UBA data before go-live to build robust per-user baselines
- Review /api/v1/models/health weekly — a drift score above 0.15 triggers automatic retraining notification
- Keep model versions pinned in production; upgrade only after parallel-running in shadow mode for 48h
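An added example of the weekly model health review, written for this page rather than taken from the product. The shape of the /api/v1/models/health response is an assumption (a `models` list with `name`, `drift_score`, `pinned_version`, `shadow_version` and `shadow_hours`), and the Population Stability Index is used only as one plausible way a drift score could be derived from baseline versus current score histograms; the page does not state how the product computes it.

```python
import math

DRIFT_THRESHOLD = 0.15      # drift score above this triggers a retraining notification
SHADOW_MIN_HOURS = 48       # parallel shadow run required before promoting a version


def psi(baseline, current, bins=10, lo=0, hi=100, eps=1e-4):
    """Population Stability Index between two score samples in [lo, hi).
    Assumption: one illustrative drift metric, not the product's own."""
    width = (hi - lo) / bins

    def hist(values):
        counts = [0] * bins
        for v in values:
            idx = min(int((v - lo) / width), bins - 1)
            counts[idx] += 1
        return [max(c / len(values), eps) for c in counts]   # eps avoids log(0)

    b, c = hist(baseline), hist(current)
    return sum((ci - bi) * math.log(ci / bi) for bi, ci in zip(b, c))


def models_needing_retrain(report):
    """Names of models whose reported drift score exceeds the threshold."""
    return [m["name"] for m in report["models"] if m["drift_score"] > DRIFT_THRESHOLD]


def promotion_ready(model):
    """True only if a shadow version exists and has run in parallel long enough."""
    return (model.get("shadow_version") is not None
            and model.get("shadow_hours", 0) >= SHADOW_MIN_HOURS)


# Constructed health report (assumed response shape, not real output).
HEALTH_REPORT = {
    "models": [
        {"name": "threatsense-core", "drift_score": 0.04,
         "pinned_version": "3.1.0", "shadow_version": None, "shadow_hours": 0},
        {"name": "insiderthreat-uba", "drift_score": 0.21,
         "pinned_version": "2.4.2", "shadow_version": "2.5.0", "shadow_hours": 72},
        {"name": "autopilot-triage", "drift_score": 0.15,
         "pinned_version": "1.9.0", "shadow_version": "1.10.0", "shadow_hours": 20},
    ]
}

# Constructed score samples: a flat baseline and a current batch piled into the top bin.
BASELINE_SCORES = list(range(100))
SHIFTED_SCORES = [95] * 100

if __name__ == "__main__":
    print("retrain:", models_needing_retrain(HEALTH_REPORT))
    for m in HEALTH_REPORT["models"]:
        print(m["name"], "promotion ready:", promotion_ready(m))
    print("psi same:", round(psi(BASELINE_SCORES, BASELINE_SCORES), 6))
    print("psi shifted:", round(psi(BASELINE_SCORES, SHIFTED_SCORES), 3))
```

Note that a drift score of exactly 0.15 does not trigger notification under the "above 0.15" rule, and a model can be drifting without being promotion-ready (shadow run too short), which is why both checks are kept separate.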