Application detail page

Submenu - Anomaly Shield Application (full)

Airlock Anomaly Shield has to be configured for individual applications.

Section – Application

●
Application Name – here, a unique name of the application you want to secure has to be added.
●
Tenant – add tenants to allow tenancy access.
●
Mappings – this field is not directly accessible here. In order to enable your application settings for a mapping, you have to select the new application under Section – Anomaly Shield.

Section – Training Data Collection

The machine learning algorithm requires training data as a reference. For best anomaly detection results, non-relevant data should be excluded in the first place. To achieve this, settings for traffic exclusion can be configured here. All configured exclusions are AND linked.

Traffic Exclusion
●
Header Name – a regex to exclude certain header names. Example syntax: ^X-Header$
●
Header Value – a regex to exclude certain header values. Example syntax: ^X-Value$
●
Path – a regex to exclude certain paths. Example syntax: ^/path/to/match
●
HTTP Method –a regex to exclude certain HTTP methods. Example syntax: ^(GET|POST)$
●
Content Type – a regex to exclude a certain type of content. Example syntax: ^application/.*
●
IP Exclusions – to select an address:

●
Use the + button to select one or more IP addresses that should be excluded.

IP addresses are managed here: Submenu – IP Address Lists

Section – Anomaly Detection and Response

The machine-learning algorithm has to be configured for thread detection and subsequent response handling. Settings for response rule exceptions can be configured here as AND operations.

●
Threat Handling – Can be set to either Execute actions or Log only.
●
Log session anomaly details – possible values for logging can be:

●
Never – To never write the ML information for the ML application.
●
When session anomaly pattern changes – To only write the ML information on a change in the resulting pattern.
●
When raw session anomaly values change – To only write the ML information on a change in the raw values.
●
For every request – To always write the ML information for the ML application.

●
Response Rules – to add a rule:

●
Use the + button to select one or more response rules.

Response rules are managed here: Submenu - Anomaly Shield Triggers & Rules

Response rules can be restricted by Response Rule Exceptions. This is to prevent false positives.

Subsection – Response Rule Exceptions
●
Header Name – a regex to exclude certain header names. Example syntax: ^X-Header$
●
Header Value – a regex to exclude certain header values. Example syntax:
●
Path – a regex to exclude certain paths. Example syntax: ^X-Value$
●
HTTP Method – a regex to exclude certain HTTP methods. Example syntax: ^(GET|POST)$
●
Content Type – a regex to exclude a certain type of content. Example syntax: ^application/.*
●
IP Allow List – to select an address list:

●
Use the + button to select one or more IP addresses that should be on the allow list.

IP addresses are managed here: Submenu – IP Address Lists

Further information and links

●
For an introduction including conceptual information, see: Introduction and conception of Airlock Anomaly Shield
●
Configuration is described here: Airlock Anomaly Shield configuration
●
For details about anomaly logging, see: Log messages and actions of Airlock Anomaly Shield