Part 4 – Activate detection and response action (log-only mode)

After initial setup, we proceed with activating the anomaly Detection and Response in log-only mode to collect log data for some weeks. This allows us to analyze the collected log messages, search for false positives and to tune the Anomaly Shield detection if required without any Anomaly Shield response action.

  1. For the initial configuration, we use the following settings:
  2. Log session anomaly details are set to When session anomaly pattern changes. This configuration will not clutter the logs but show all vital information to analyze sessions that are tagged as anomalous.
  3. Initially, Threat Handling should initially be set to Log only. With Anomaly Shield activated, this configuration prevents any actions from being taken. The logging mode allows analyzing the behavior of triggers and rules and checking if there are no false positives.
  4. In the tutorial, we set Hard_Action as the first rule, followed by Soft_Action. This way, malicious sessions are terminated by the first rule as configured in the actions, while suspicious sessions will not be terminated but logged by the second rule.
    The processing order of rules is important because only the first matching rule will be applied.
  1. Go back to:
    Application Firewall >> Anomaly Shield >> tab Applications
  2. In the column Anomaly Shield Application, click on the application entry to open the application detail page.
  3. Disable Training Data Collection.
  4. In section Anomaly Detection:
    • Enable Anomaly Detection.
    • Choose the log level When session anomaly pattern changes.
    • Click the + button and add a Traffic Matcher entry. Select the previously configured detection exclusion matcher to exclude internal traffic from being computed.

    By excluding incoming traffic from being calculated by Airlock Anomaly Shield, you can significantly reduce the system load. Make sure to only exclude secure traffic!

  5. In section Anomaly Response, table Response Rules:
    • Select the Log only radio button to enable the Anomaly Shield threat logging.
    • Click the + button and add two Response Rules entries. Select the previously prepared rules.

    Rules are processed in top-down order, the first matching rule will be used! The entries can be sorted by mouse with drag and drop.

  6. In section Anomaly Response, table Response Rule Exceptions:
    • Click the + button and add a Response Rules. Select the previously prepared traffic matcher for response exception.
  7. A fully configured application may look like this:
  8. AAS application with Traffic Matcher (detail page)
  9. Activate the new configuration.
  10. The target back-end application traffic is now computed by Airlock Anomaly Shield and incidents are being logged.
  11. Wait until the anomaly protection has generated a sufficient number of log messages that can be used to verify that the anomaly detection is working as expected.
  12. When the logs show the expected anomaly detection rate, change the Threat Handling from log only to Excecute actions and activate the configuration.
  13. The Airlock Anomaly Shield application is now active and logs anomalous sessions of the back-end application(s). Wait a few weeks to gather enough logs before proceeding with Part 5 – Analyze and adjust threat handling settings.