BookShop example – Session evaluation and enforcement

Prerequisites

●
The BookShop application is configured.
●
A sufficient amount of sessions/requests have been collected in the ColdDB and used to train the Anomaly Shield machine learning models.
●
Airlock Anomaly Shield is analyzing sessions/requests.

Instructions

1.
Set Log session anomaly details to For every request under Section – Anomaly Detection and Response.
Each request generates a WR-SG-NMLY-200 log message. Check the Logviewer for log messages.
2.
Use the following Kibana query to filter for our new log message:

log_id: "WR-SG-NMLY-200" AND NOT message: "bitcount: 0"

3.
Analyze the WR-SG-NMLY-200 sessions:

●
Check if the listed session seems suspicious (anomalous).

4.
Create enforcement rules with the anomaly pattern under Subsection – Rules.
In this example let's assume we want to block an anomalous IP pattern con:1,grm:1,tcs:1 and create notifications if only con:1 is set.

To achieve this, two rules are needed:
●
First aStrictRule with Block IP action.
●
Second, aSoftRule with Log incident action.

For production systems, it is better to lower log level settings to When session anomaly pattern changes under Section – Anomaly Detection and Response. That way the log does not get cluttered with messages that do not hold new information.

Further information and links

●
More information about available log levels: Log messages and actions of Airlock Anomaly Shield
●
Tuning the false-positive handling of Airlock Anomaly Shield