The following settings can be configured under Submenu - Anomaly Shield Triggers & Rules.
In this part, triggers and rules for Anomaly Shield applications are configured, each in a separate submenu of the UI. The submenus open when adding or editing a trigger or rule.
Procedure-related prerequisites
- See chapter-related prerequisites.
Instruction – Section Trigger
1. Add a unique, self-explanatory name into the Name field. The trigger name is checked automatically, i.e. names containing blanks are marked as invalid.
2. Add a tenant to the Tenant field, if required/applicable.
3. Set a minimal bit count as the trigger threshold.

The trigger is now preconfigured. Add at least 1 pattern to the new trigger.
Example:
Instruction – Section Patterns
Airlock Anomaly Shield must be triggered before it performs any action.
- The Trigger configuration allows creating triggers and configuring a minimal trigger bit count.
- In addition to the general Minimal Bit Count setting, Patterns can be added for refined triggering.
Example:
Overall, you can choose between 6 types of indicator bits:
| Name of the indicator bit | Short description |
|---|---|
| Connection Metrics | The number of different front source ports and TLS session IDs per request. |
| GraphMetricsCluster | The session clustering is based on various metrics on the request path sequence, e.g. how often the same path is repeated or the following path is a child, etc. |
| IsolationForest | A generic anomaly detection algorithm applied to session metrics from various categories. |
| MultipleCountries | This indicates whether requests come from different countries, with extra penalties for non-neighboring countries. |
| StatusCodeMeta | A majority vote on three different status code indicators. |
| Timing Cluster | The clustering is based on the distribution of the request timing deltas. |
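The following Python example is added here to illustrate the trigger configuration and the six indicator bits described above; it is not Airlock code and does not reproduce the product's internal evaluation. It mirrors the UI checks named on this page (no blanks in the trigger name, a minimal bit count, at least one pattern) and then evaluates a constructed trigger against constructed per-session indicator bits. Two things are assumptions, because the page does not define them: a pattern is modelled as a set of indicator bits that must all be set, and the evaluation order is "minimal bit count first, then at least one pattern must match".

```python
from dataclasses import dataclass, field
from typing import FrozenSet, Iterable, List, Optional

# The six indicator bits, named exactly as in the table above.
INDICATOR_BITS = frozenset({
    "Connection Metrics",
    "GraphMetricsCluster",
    "IsolationForest",
    "MultipleCountries",
    "StatusCodeMeta",
    "Timing Cluster",
})


@dataclass
class Trigger:
    """A trigger as configured in the Trigger section (name, tenant, minimal
    bit count) plus the patterns added in the Patterns section.
    ASSUMPTION: a pattern is represented as the set of indicator bits that
    must all be set for the pattern to match."""
    name: str
    minimal_bit_count: int
    tenant: Optional[str] = None
    patterns: List[FrozenSet[str]] = field(default_factory=list)


def validate_trigger(trigger: Trigger) -> List[str]:
    """Mirror the UI checks described on this page: the name must contain no
    blanks, the minimal bit count must be a usable threshold, and at least one
    pattern is required.  Returns a list of problems; empty means valid."""
    problems: List[str] = []
    if not trigger.name or any(c.isspace() for c in trigger.name):
        problems.append("name must be non-empty and must not contain blanks")
    if not 1 <= trigger.minimal_bit_count <= len(INDICATOR_BITS):
        problems.append(
            f"minimal bit count must be between 1 and {len(INDICATOR_BITS)}")
    if not trigger.patterns:
        problems.append("at least one pattern is required")
    for pattern in trigger.patterns:
        unknown = pattern - INDICATOR_BITS
        if unknown:
            problems.append(
                f"pattern references unknown indicator bits: {sorted(unknown)}")
    return problems


def trigger_fires(trigger: Trigger, set_bits: Iterable[str]) -> bool:
    """ASSUMED evaluation order: the session must first reach the general
    minimal bit count, then at least one pattern must match (refinement)."""
    observed = frozenset(set_bits) & INDICATOR_BITS
    if len(observed) < trigger.minimal_bit_count:
        return False
    return any(pattern <= observed for pattern in trigger.patterns)


def demo() -> dict:
    """Constructed trigger and constructed per-session indicator bits."""
    trigger = Trigger(
        name="GeoHopping",            # no blanks, so the name check passes
        minimal_bit_count=2,
        patterns=[frozenset({"MultipleCountries"})],
    )
    # Blank in the name, threshold 0 and no patterns: three problems expected.
    bad = Trigger(name="geo hopping", minimal_bit_count=0)
    sessions = {
        "two_bits_pattern_hit": {"MultipleCountries", "StatusCodeMeta"},
        "one_bit_only": {"MultipleCountries"},
        "two_bits_no_pattern": {"StatusCodeMeta", "IsolationForest"},
    }
    return {
        "valid_problems": validate_trigger(trigger),
        "bad_problems": validate_trigger(bad),
        "fires": {k: trigger_fires(trigger, v) for k, v in sessions.items()},
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The third session shows why the pattern step matters: it reaches the minimal bit count of 2, but since the assumed pattern requires MultipleCountries, the trigger does not fire. Adjust the pattern sets and threshold to see how the general threshold and the refinement interact.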