Prerequisites
- The BookShop application is configured.
- A sufficient number of sessions/requests has been collected in the ColdDB and used to train the Anomaly Shield machine learning models.
- Airlock Anomaly Shield is analyzing sessions/requests.
Instructions
1. Set Log session anomaly details to For every request under Section – Anomaly Detection and Response.
   - Each request now generates a WR-SG-NMLY-200 log message. Check the Logviewer for these log messages.
2. Use the following Kibana query to filter for our new log message:
3. Analyze the WR-SG-NMLY-200 sessions:
   - Check whether the listed session seems suspicious (anomalous).
4. Create enforcement rules with the anomaly pattern under Subsection – Rules.
   In this example, let's assume we want to block the anomalous pattern con:1,grm:1,tcs:1 by IP and only create notifications if con:1 alone is set. To achieve this, two rules are needed:
   - First, a StrictRule with the Block IP action.
   - Second, a SoftRule with the Log incident action.
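To illustrate how the two rules above divide the work, here is an added example (not Airlock code, and not the page's own) that models a strict rule and a soft rule and evaluates them against constructed anomaly patterns. It assumes that a rule matches when every flag in its pattern is set in the session's pattern and that the first matching rule decides the action; the real product's matching semantics may differ.

```python
from dataclasses import dataclass
from typing import Dict, Optional

def parse_pattern(pattern: str) -> Dict[str, int]:
    """Turn 'con:1,grm:1,tcs:1' into {'con': 1, 'grm': 1, 'tcs': 1}."""
    flags: Dict[str, int] = {}
    for item in pattern.split(","):
        item = item.strip()
        if not item:
            continue
        name, _, value = item.partition(":")
        flags[name.strip()] = int(value or 0)
    return flags

@dataclass
class Rule:
    name: str
    required: Dict[str, int]  # flags that must be present with this value
    action: str

    def matches(self, flags: Dict[str, int]) -> bool:
        # Hypothetical semantics: all required flags must be set as specified.
        return all(flags.get(k) == v for k, v in self.required.items())

# The two rules from the tutorial; the strict rule must come first so that the
# full pattern is blocked before the weaker soft rule can claim the session.
STRICT_RULE = Rule("StrictRule", parse_pattern("con:1,grm:1,tcs:1"), "Block IP")
SOFT_RULE = Rule("SoftRule", parse_pattern("con:1"), "Log incident")
RULES = [STRICT_RULE, SOFT_RULE]

def evaluate(pattern: str) -> Optional[str]:
    """Return the action of the first matching rule, or None if none match."""
    flags = parse_pattern(pattern)
    for rule in RULES:
        if rule.matches(flags):
            return rule.action
    return None

if __name__ == "__main__":
    # Constructed sample patterns, not real Anomaly Shield output.
    for sample in ("con:1,grm:1,tcs:1", "con:1", "con:1,grm:1", "grm:1,tcs:1"):
        print(f"{sample!r:24} -> {evaluate(sample)}")
```

Swapping the order of the two rules would make every full-pattern session only log an incident, which is why the strict rule is created first.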
For production systems, it is better to lower the log level setting to When session anomaly pattern changes under Section – Anomaly Detection and Response. That way the log does not get cluttered with messages that hold no new information.
Further information and links
- More information about available log levels: Log messages and actions of Airlock Anomaly Shield