Subsection – Triggers
Use the + button to add one or more triggers. This opens a new view with the subsections Trigger and Patterns.
- Subsection – Trigger
  - Name – a unique, descriptive name for this trigger has to be entered here.
  - Tenant – add tenants to grant those tenants access.
  - Minimal Bit Count – the threshold for the minimal number of anomaly indicators that have to show anomalous behavior to activate the trigger. It can be combined with Patterns.

The Minimal Bit Count is a threshold that is evaluated on top of the anomaly indicator patterns. When patterns have been configured, a trigger is activated only if at least one of the configured indicator patterns matches and the bit count threshold is reached.
- Subsection – Patterns
  - Use the + button to add one or more patterns.
  - A pattern is formed by the 6 anomaly indicators. Each indicator can be set by mouse click to one of:
    - Disabled (grey dot) – this indicator is ignored
    - Normal (green dot) – indicator shows normal behavior
    - Anomalous (red dot) – indicator shows suspicious behavior
Subsection – Rules
Starting from the initial submenu view Anomaly Shield Triggers & Rules, use the + button to add one or more rules. This opens a new view Anomaly Shield Rule with the section Rule.
- Name – a unique, descriptive name for this rule has to be entered here.
- Tenant – add tenants to grant those tenants access.
- Triggers – one or more triggers can be selected.
- Actions (applied when the rule is triggered):
  - Log incident – enable/disable incident logging.
  - Tag session as anomalous – enable/disable tagging the session as anomalous (log incident WR-SG-NMLY-401).
  - Terminate session – enable/disable session termination.
  - Block IP – enable/disable IP blocking.
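The following script is an added example, not part of this documentation and not Airlock's own code. It models the trigger and rule semantics described in the Trigger, Patterns and Rule subsections above: a pattern over the 6 anomaly indicators in which a grey (Disabled) indicator is ignored and the green/red indicators must match, a Minimal Bit Count that is checked in addition to the patterns, and a rule whose enabled actions apply when one of its selected triggers fires. The indicator names, the trigger and rule names, the observations and the assumption that a trigger with no configured patterns is decided by the bit count alone are all constructed for this example.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Sequence

# The page says a pattern is formed by 6 anomaly indicators; their names are not
# given, so indicators are simply positions 0..5 here (constructed).
INDICATOR_COUNT = 6


class State(Enum):
    """Per-indicator setting inside a pattern (grey / green / red dot)."""
    DISABLED = "disabled"    # grey: ignored when matching
    NORMAL = "normal"        # green: indicator must show normal behavior
    ANOMALOUS = "anomalous"  # red: indicator must show anomalous behavior


@dataclass
class Trigger:
    name: str
    minimal_bit_count: int
    patterns: List[Sequence[State]] = field(default_factory=list)


@dataclass
class Rule:
    name: str
    triggers: List[Trigger]
    log_incident: bool = False
    tag_session_as_anomalous: bool = False
    terminate_session: bool = False
    block_ip: bool = False


def pattern_matches(pattern: Sequence[State], observed: Sequence[bool]) -> bool:
    """observed[i] is True when indicator i currently shows anomalous behavior."""
    if len(pattern) != INDICATOR_COUNT or len(observed) != INDICATOR_COUNT:
        raise ValueError(f"patterns and observations have exactly {INDICATOR_COUNT} indicators")
    for wanted, is_anomalous in zip(pattern, observed):
        if wanted is State.DISABLED:
            continue  # grey dot: this indicator does not take part in the match
        if (wanted is State.ANOMALOUS) != is_anomalous:
            return False
    return True


def trigger_fires(trigger: Trigger, observed: Sequence[bool]) -> bool:
    """Bit count threshold first, then (if any patterns exist) at least one pattern must match."""
    bit_count = sum(1 for is_anomalous in observed if is_anomalous)
    if bit_count < trigger.minimal_bit_count:
        return False
    if not trigger.patterns:
        # Assumption (not stated on the page): with no patterns configured the bit count alone decides.
        return True
    return any(pattern_matches(p, observed) for p in trigger.patterns)


def rule_actions(rule: Rule, observed: Sequence[bool]) -> List[str]:
    """Enabled actions to apply; empty when none of the rule's selected triggers fires."""
    if not any(trigger_fires(t, observed) for t in rule.triggers):
        return []
    enabled = [
        ("log_incident", rule.log_incident),
        ("tag_session_as_anomalous", rule.tag_session_as_anomalous),
        ("terminate_session", rule.terminate_session),
        ("block_ip", rule.block_ip),
    ]
    return [name for name, on in enabled if on]


# Constructed sample configuration (not from the page).
D, N, A = State.DISABLED, State.NORMAL, State.ANOMALOUS
SAMPLE_TRIGGER = Trigger(
    name="three-bits-with-first-indicator",
    minimal_bit_count=3,
    patterns=[(A, N, D, D, D, D)],  # indicator 0 anomalous, indicator 1 normal, rest ignored
)
SAMPLE_RULE = Rule(
    name="log-and-terminate",
    triggers=[SAMPLE_TRIGGER],
    log_incident=True,
    terminate_session=True,
)

# Constructed observations of the six indicators (True = anomalous).
OBS_MATCH = (True, False, True, True, False, False)        # 3 bits, pattern matches -> fires
OBS_PATTERN_FAIL = (True, True, True, False, False, False)  # 3 bits, indicator 1 anomalous -> no
OBS_TOO_FEW = (True, False, True, False, False, False)      # pattern matches, only 2 bits -> no

if __name__ == "__main__":
    for label, obs in [("match", OBS_MATCH), ("pattern_fail", OBS_PATTERN_FAIL), ("too_few", OBS_TOO_FEW)]:
        print(label, trigger_fires(SAMPLE_TRIGGER, obs), rule_actions(SAMPLE_RULE, obs))
```

The second and third observations show the two ways a trigger stays silent: enough anomalous indicators but a pattern violated by a green (Normal) indicator, and a matching pattern with too few anomalous indicators for the Minimal Bit Count. Both conditions must hold before any of the rule's actions (log, tag, terminate, block) is applied.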
Further information and links
- For an introduction including conceptual information, see: Introduction and conception of Airlock Anomaly Shield
- Action settings are described here: Log messages and actions of Airlock Anomaly Shield
- Configuration is described here: Airlock Anomaly Shield configuration