Need a way to determine whether a tree is a novelty tree or an alarm tree. Only alarm local probabilities from novelty trees should be collected and used to determine a threshold.
Need to determine where in the flow the threshold will be computed and how often. This computation could happen right before the start of E4 after training data is ingested, or we could compute the threshold periodically throughout the engagement. I'd like to know how much training data we'll have before deciding this.
Need to determine where in the flow the threshold will be applied. (I think this should happen right before messages are sent to Splunk/ProcessSummarizer; where is that going to happen?)
Need to determine how the percentile is set. Should this be a config option for each host? Something we can change while the system is running?
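One way the three steps above (collect only novelty-tree probabilities, compute a per-host percentile threshold, filter before emission) could fit together, as an added example and not code from this project. The `novelty`/`alarm` labels, the per-host percentile map, and letting hosts with no training data pass through unfiltered are all assumptions.

```python
import math
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class TreeResult:
    host: str
    tree_kind: str          # assumed labels: "novelty" or "alarm"
    local_probability: float


def percentile(values, pct):
    """Nearest-rank percentile (no numpy); pct in (0, 100]."""
    if not values:
        raise ValueError("cannot take a percentile of no values")
    ordered = sorted(values)
    rank = max(1, math.ceil(pct / 100.0 * len(ordered)))
    return ordered[rank - 1]


def compute_thresholds(results, pct_by_host, default_pct=95.0):
    """Per-host threshold from novelty-tree local probabilities only.

    pct_by_host is the assumed per-host config; hosts not listed fall back
    to default_pct. Alarm-tree results are deliberately ignored here.
    """
    samples = defaultdict(list)
    for r in results:
        if r.tree_kind == "novelty":
            samples[r.host].append(r.local_probability)
    return {
        host: percentile(vals, pct_by_host.get(host, default_pct))
        for host, vals in samples.items()
    }


def apply_thresholds(results, thresholds):
    """Keep results at or above their host's threshold (all tree kinds).

    Assumption: a host with no threshold yet (no training data seen)
    passes everything through rather than dropping it silently.
    """
    kept = []
    for r in results:
        limit = thresholds.get(r.host)
        if limit is None or r.local_probability >= limit:
            kept.append(r)
    return kept
```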
What's missing: