Session evaluation and enforcement
BookShop example – Session evaluation and enforcement

Prerequisites

  • The BookShop application is configured.
  • A sufficient number of sessions/requests has been collected in the ColdDB and used to train the Anomaly Shield machine learning models.
  • Airlock Anomaly Shield is analyzing sessions/requests.

Instructions

  1. Set Log session anomaly details to For every request under Section – Anomaly Detection and Response.
     Each request now generates a WR-SG-NMLY-200 log message. Check the Logviewer for these log messages.
  2. Use the following Kibana query to filter for the new log message:
     log_id: "WR-SG-NMLY-200" AND NOT message: "bitcount: 0"
  3. Analyze the WR-SG-NMLY-200 sessions:
     • Check whether the listed session seems suspicious (anomalous).
  4. Create enforcement rules with the anomaly pattern under Subsection – Rules.
     In this example, let's assume we want to block the anomalous IP pattern con:1,grm:1,tcs:1 and create notifications if only con:1 is set. To achieve this, two rules are needed:
     • First, a StrictRule with the Block IP action.
     • Second, a SoftRule with the Log incident action.
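The filter in step 2 and the two-rule enforcement of step 4 can be reproduced offline against exported log lines, which is a convenient way to sanity-check a rule set before enabling it. The following script is an added example and is not part of the Airlock product or this page; the log line layout (`log_id`, `session_id`, `client_ip`, `message` fields) is an assumption made for the example, and only the log id WR-SG-NMLY-200, the `bitcount: 0` text and the `con:1,grm:1,tcs:1` indicator syntax come from the procedure above. The rule semantics are also assumed: a rule fires when every indicator it requires is set to 1, and the StrictRule is evaluated before the SoftRule so that the full pattern is blocked rather than merely logged.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample log lines. The field layout is an assumption made for this
# example and is NOT the real WR-SG-NMLY-200 message format; only the log id, the
# "bitcount: 0" text and the indicator pattern syntax come from the procedure.
SAMPLE_LOGS = [
    'log_id: "WR-SG-NMLY-200" session_id: "s1" client_ip: "198.51.100.10" message: "pattern: con:1,grm:1,tcs:1 bitcount: 3"',
    'log_id: "WR-SG-NMLY-200" session_id: "s2" client_ip: "198.51.100.11" message: "pattern: con:1 bitcount: 1"',
    'log_id: "WR-SG-NMLY-200" session_id: "s3" client_ip: "198.51.100.12" message: "pattern: - bitcount: 0"',
    'log_id: "WR-SG-NMLY-200" session_id: "s4" client_ip: "198.51.100.13" message: "pattern: grm:1,tcs:1 bitcount: 2"',
    'log_id: "WR-SG-OTHER-100" session_id: "s5" client_ip: "198.51.100.14" message: "unrelated message"',
    'log_id: "WR-SG-NMLY-200" session_id: "s6" client_ip: "198.51.100.15" message: "pattern: con:1,grm:1 bitcount: 2"',
]

FIELD_RE = re.compile(r'(\w+): "([^"]*)"')
PATTERN_RE = re.compile(r"pattern: (\S+) bitcount: (\d+)")


@dataclass(frozen=True)
class Rule:
    """An enforcement rule: fires when every indicator in `required` is set to 1."""
    name: str
    required: frozenset
    action: str


# Rule order matters: the strict rule is evaluated first so that the full
# con+grm+tcs pattern is blocked rather than merely logged (assumed semantics).
RULES = [
    Rule("StrictRule", frozenset({"con", "grm", "tcs"}), "Block IP"),
    Rule("SoftRule", frozenset({"con"}), "Log incident"),
]


def parse_fields(line: str) -> Dict[str, str]:
    """Split a line made of key: "value" pairs into a dict."""
    return dict(FIELD_RE.findall(line))


def matches_query(fields: Dict[str, str]) -> bool:
    """Mirror the Kibana filter: log_id is WR-SG-NMLY-200 and bitcount is not 0."""
    return (fields.get("log_id") == "WR-SG-NMLY-200"
            and "bitcount: 0" not in fields.get("message", ""))


def parse_pattern(pattern: str) -> Dict[str, int]:
    """Turn 'con:1,grm:1,tcs:1' into {'con': 1, 'grm': 1, 'tcs': 1}."""
    indicators: Dict[str, int] = {}
    for token in pattern.split(","):
        if ":" in token:
            name, value = token.split(":", 1)
            indicators[name] = int(value)
    return indicators


def evaluate(indicators: Dict[str, int], rules: List[Rule] = RULES) -> Optional[str]:
    """Return the action of the first rule whose required indicators are all set."""
    for rule in rules:
        if all(indicators.get(name) == 1 for name in rule.required):
            return rule.action
    return None


def process(lines: List[str]) -> List[dict]:
    """Filter the lines as the Kibana query would and evaluate the rules on each."""
    results = []
    for line in lines:
        fields = parse_fields(line)
        if not matches_query(fields):
            continue
        match = PATTERN_RE.search(fields.get("message", ""))
        if not match:
            continue
        indicators = parse_pattern(match.group(1))
        results.append({
            "session_id": fields.get("session_id"),
            "client_ip": fields.get("client_ip"),
            "pattern": match.group(1),
            "bitcount": int(match.group(2)),
            "action": evaluate(indicators),
        })
    return results


if __name__ == "__main__":
    for r in process(SAMPLE_LOGS):
        print(f'{r["session_id"]} {r["client_ip"]} {r["pattern"]:<20} -> {r["action"]}')
```

Running it shows the session with the full pattern mapped to Block IP, sessions carrying con:1 without the full pattern mapped to Log incident, a session with only grm:1,tcs:1 left without action, and the bitcount 0 and unrelated lines dropped by the filter. Swapping the two rules in `RULES` makes the full pattern fall through to the soft rule, which is the mistake the ordering in step 4 is meant to avoid.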

For production systems, it is better to lower the log level setting to When session anomaly pattern changes under Section – Anomaly Detection and Response. That way the log does not get cluttered with messages that hold no new information.

Further information and links