Section – Application
- Application Name – a unique name for the application you want to secure.
- Tenant – add tenants to allow tenancy access.
- Mappings – this field is not directly editable here. To enable your application settings for a mapping, select the new application under Section – Anomaly Shield.
Section – Training Data Collection
The machine learning algorithm requires training data as a reference. For best anomaly detection results, non-relevant traffic should be excluded from the training data in the first place. Settings for traffic exclusion can be configured here. All configured exclusions are AND linked: a request is excluded only if it matches every criterion that has been configured.
- Traffic Exclusion
  - Header Name – a regex to exclude certain header names. Example syntax: ^X-Header$
  - Header Value – a regex to exclude certain header values. Example syntax: ^X-Value$
  - Path – a regex to exclude certain paths. Example syntax: ^/path/to/match
  - HTTP Method – a regex to exclude certain HTTP methods. Example syntax: ^(GET|POST)$
  - Content Type – a regex to exclude a certain type of content. Example syntax: ^application/.*
  - IP Exclusions – to select an address list:
    - Use the + button to select one or more IP addresses that should be excluded.
IP addresses are managed here: Submenu – IP Address Lists
Section – Anomaly Detection and Response
The machine-learning algorithm has to be configured for threat detection and subsequent response handling. Settings for response rule exceptions can be configured here; like the traffic exclusions, they are AND linked.
- Threat Handling – can be set to either Execute actions or Log only.
- Log session anomaly details – possible values for logging are:
  - Never – never write the ML information for the ML application.
  - When session anomaly pattern changes – write the ML information only when the resulting pattern changes.
  - When raw session anomaly values change – write the ML information only when the raw values change.
  - For every request – always write the ML information for the ML application.
- Response Rules – to add a rule:
  - Use the + button to select one or more response rules.
Response rules are managed here: Submenu – Anomaly Shield Triggers & Rules
Response rules can be restricted by Response Rule Exceptions. This is to prevent false positives.
- Subsection – Response Rule Exceptions
  - Header Name – a regex to exclude certain header names. Example syntax: ^X-Header$
  - Header Value – a regex to exclude certain header values. Example syntax: ^X-Value$
  - Path – a regex to exclude certain paths. Example syntax: ^/path/to/match
  - HTTP Method – a regex to exclude certain HTTP methods. Example syntax: ^(GET|POST)$
  - Content Type – a regex to exclude a certain type of content. Example syntax: ^application/.*
  - IP Allow List – to select an address list:
    - Use the + button to select one or more IP addresses that should be on the allow list.
IP addresses are managed here: Submenu – IP Address Lists
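Both the Traffic Exclusion fields in the Training Data Collection section and the Response Rule Exceptions above are AND-linked sets of criteria. The Python model below is an added illustration, not Airlock code and not part of this documentation; it shows what AND linking means for a concrete request, for example that a configuration with Path ^/health and HTTP Method ^(GET|POST)$ matches only GET or POST requests to /health, not every /health request and not every GET. The assumptions it makes are not stated on this page: an empty field imposes no restriction, a set with no configured fields matches nothing, regexes are evaluated with re.search so the anchors in the example syntax decide whether a match is partial or exact, header names are compared case-insensitively, and the selected IP address list is a set of CIDR ranges. All requests and IP ranges are constructed sample data.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class Criteria:
    """One AND-linked set of criteria, mirroring the Traffic Exclusion and
    Response Rule Exceptions fields. None means the field was left empty
    (assumption: an empty field imposes no restriction)."""
    header_name: Optional[str] = None    # e.g. r"^X-Header$"
    header_value: Optional[str] = None   # e.g. r"^X-Value$"
    path: Optional[str] = None           # e.g. r"^/path/to/match"
    http_method: Optional[str] = None    # e.g. r"^(GET|POST)$"
    content_type: Optional[str] = None   # e.g. r"^application/.*"
    ip_list: Tuple[str, ...] = ()        # entries of the selected IP address list (CIDR, assumed)


@dataclass
class Request:
    """Minimal constructed request carrying only the fields the criteria inspect."""
    method: str
    path: str
    client_ip: str
    headers: Dict[str, str] = field(default_factory=dict)


def matches(criteria: Criteria, req: Request) -> bool:
    """True only if EVERY configured criterion matches the request (AND linking).
    A criteria set with no configured fields matches nothing (assumption)."""
    results = []
    if criteria.header_name is not None:
        # Assumption: header names are compared case-insensitively, as HTTP defines them.
        results.append(any(re.search(criteria.header_name, name, re.IGNORECASE)
                           for name in req.headers))
    if criteria.header_value is not None:
        results.append(any(re.search(criteria.header_value, value)
                           for value in req.headers.values()))
    if criteria.path is not None:
        results.append(re.search(criteria.path, req.path) is not None)
    if criteria.http_method is not None:
        results.append(re.search(criteria.http_method, req.method) is not None)
    if criteria.content_type is not None:
        # A request without a Content-Type header has nothing to match against.
        ctype = next((v for k, v in req.headers.items() if k.lower() == "content-type"), "")
        results.append(re.search(criteria.content_type, ctype) is not None)
    if criteria.ip_list:
        ip = ipaddress.ip_address(req.client_ip)
        results.append(any(ip in ipaddress.ip_network(net, strict=False)
                           for net in criteria.ip_list))
    return bool(results) and all(results)


def excluded_from_training(exclusion: Criteria, req: Request) -> bool:
    """Traffic Exclusion: a matching request is not collected as training data."""
    return matches(exclusion, req)


def response_rule_suppressed(exception: Criteria, req: Request) -> bool:
    """Response Rule Exception: response rules are not applied to a matching request."""
    return matches(exception, req)


if __name__ == "__main__":
    # Constructed configuration: keep GET/POST requests under /health out of the training data.
    exclusion = Criteria(path=r"^/health", http_method=r"^(GET|POST)$")
    for req in (Request("GET", "/health", "10.1.2.3"),
                Request("DELETE", "/health", "10.1.2.3"),    # method does not match
                Request("GET", "/api/orders", "10.1.2.3")):  # path does not match
        print(req.method, req.path, "excluded:", excluded_from_training(exclusion, req))
```

The practical consequence of the AND linking is that adding a second criterion narrows an exclusion rather than widening it; to exclude two unrelated kinds of traffic, both conditions must fit into one set of criteria (for instance by combining paths in a single regex with alternation) rather than being entered as separate fields.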
Further information and links
- For an introduction including conceptual information, see: Introduction and conception of Airlock Anomaly Shield
- Configuration is described here: Airlock Anomaly Shield configuration
- For details about anomaly logging, see: Log messages and actions of Airlock Anomaly Shield