Create a new trigger preset and pattern

The following settings can be configured under Submenu - Anomaly Shield Triggers & Rules.

In this part, triggers and rules for Anomaly Shield applications are configured – each in a separate submenu of the UI. The submenus open when a trigger or rule is added or changed.

Procedure-related prerequisites

  • See chapter-related prerequisites.

Instruction – Section Trigger

  1. Add a unique, self-explanatory name into the Name field. The trigger name is checked automatically; names containing blanks are marked as invalid.
  2. Add a tenant to the Tenant field, if required/applicable.
  3. Set a minimal bit count as the trigger threshold.

  • The trigger is now preconfigured. Add at least 1 pattern to the new trigger.

Example:

Section - Trigger

Instruction – Section Patterns

Airlock Anomaly Shield performs an action only after a trigger has fired.

  • The Trigger configuration allows you to create triggers and to configure a minimal trigger bit count.
  • In addition to the general Minimal Bit Count settings, Patterns can be added for refined triggering.

Example:

Section – Patterns

Overall, you can choose between 6 types of indicator bits (name of the indicator bit, followed by a short description):

  • Connection Metrics: The number of different front source ports and TLS session IDs per request.
  • GraphMetricsCluster: The session clustering is based on various metrics on the request path sequence, e.g. how often the same path is repeated or the following path is a child, etc.
  • IsolationForest: A generic anomaly detection algorithm applied to session metrics from various categories.
  • MultipleCountries: This indicates whether requests come from different countries, with extra penalties for non-neighboring countries.
  • StatusCodeMeta: A majority vote on three different status code indicators.
  • Timing Cluster: The clustering is based on the distribution of the request timing deltas.
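To make the Trigger and Patterns sections above concrete, here is an added example (not Airlock's own code) that models a trigger over the six indicator bits listed above. The bit positions, the trigger name check, and the pattern semantics (a pattern is a set of indicator bits that must all be set, and a trigger fires on the minimal bit count or on any matching pattern) are assumptions made for this illustration.

```python
from dataclasses import dataclass, field

# The six indicator bits from the list above; the bit positions are a constructed assumption.
INDICATOR_BITS = {
    "Connection Metrics": 1 << 0,
    "GraphMetricsCluster": 1 << 1,
    "IsolationForest": 1 << 2,
    "MultipleCountries": 1 << 3,
    "StatusCodeMeta": 1 << 4,
    "Timing Cluster": 1 << 5,
}


def bitmask(*names: str) -> int:
    """Combine named indicator bits into one integer mask (KeyError for unknown names)."""
    mask = 0
    for name in names:
        mask |= INDICATOR_BITS[name]
    return mask


def set_bits(session_bits: int) -> list[str]:
    """Names of the indicator bits set for a session, for reporting which indicators fired."""
    return [name for name, bit in INDICATOR_BITS.items() if session_bits & bit]


@dataclass
class Trigger:
    name: str
    minimal_bit_count: int
    # Assumed pattern semantics: each pattern is a mask whose bits must all be set.
    patterns: list[int] = field(default_factory=list)

    def __post_init__(self) -> None:
        # The UI marks trigger names containing blanks as invalid; mirror that check here.
        if not self.name or " " in self.name:
            raise ValueError(f"invalid trigger name: {self.name!r}")

    def fires(self, session_bits: int) -> bool:
        # General rule: at least minimal_bit_count indicator bits are set.
        if bin(session_bits).count("1") >= self.minimal_bit_count:
            return True
        # Refined rule (assumed): any configured pattern is fully contained in the session bits.
        return any(session_bits & pattern == pattern for pattern in self.patterns)


def fired_triggers(session_bits: int, triggers: list[Trigger]) -> list[str]:
    """Names of all triggers that fire for the given session indicator bits."""
    return [t.name for t in triggers if t.fires(session_bits)]
```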