Trigger and Pattern detail page

Section – Trigger

Add an AAS Trigger
  • Name – assign a unique name for the entry.
  • Tenant – add tenants to allow tenancy access. See also the Multitenancy feature.
  • Minimal Bit Count – the threshold for the minimal number of anomaly indicators that have to show anomalous behavior to activate the trigger. The threshold is evaluated on top of the anomaly indicator patterns and can be combined with them: when patterns have been configured, the trigger is only activated if any of the configured indicator patterns match and the bit count threshold is reached as well.

Section – Patterns

The following screenshot shows an example of a pattern configuration:

Add AAS Patterns
  • Use the + button to add one or more patterns.
  • A pattern is formed by 7 different anomaly indicators. Each indicator can be set to one of three states:
    • Grey dot – the pattern will match either normal or anomalous behavior of this indicator.
    • Red dot – the pattern will match if this indicator shows anomalous behavior.
    • Green dot – the pattern will match if this indicator shows normal behavior.

A best practice configuration example is described in the article trigger, pattern and rule configuration of our Airlock Anomaly Shield configuration guide.

Airlock Anomaly Shield currently implements seven indicators in total (name of the indicator bit – short description):

  • Connection Metrics – the number of different front source ports and TLS session IDs per request.
  • GraphMetricsCluster – session clustering based on various metrics of the request path sequence, e.g. how often the same path is repeated or whether the following path is a child path.
  • IsolationForest – a generic anomaly detection algorithm applied to session metrics from various categories.
  • MultipleCountries – indicates whether requests come from different countries, with extra penalties for non-neighboring countries.
  • StatusCodeMeta – a majority vote over three different status code indicators.
  • Timing Cluster – clustering based on the distribution of the request timing deltas.
  • Query Parameters – the query parameter model (QPM) can detect parameter probing, tampering and polluting by monitoring:
    • HTTP status codes.
    • Frequency of parameter use.
    • Rarely used parameter names and values.
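The trigger semantics described in the Trigger and Patterns sections above (a Minimal Bit Count threshold evaluated on top of patterns, and each of the seven indicators set to grey, red or green inside a pattern) as an added Python example. This is illustrative code written for this page, not part of Airlock Anomaly Shield or its configuration syntax: the bit order of the indicators, the compact "R/G/-" pattern string, the sample sessions and the example trigger are all constructed assumptions.

```python
from dataclasses import dataclass, field
from enum import Enum

# The seven anomaly indicators named on the page. The bit order used here
# is an assumption of this example, not something the documentation defines.
INDICATORS = (
    "Connection Metrics",
    "GraphMetricsCluster",
    "IsolationForest",
    "MultipleCountries",
    "StatusCodeMeta",
    "Timing Cluster",
    "Query Parameters",
)


class Dot(Enum):
    """The three states an indicator can take inside a pattern."""
    GREY = "-"    # match regardless of this indicator's behavior
    RED = "R"     # match only if this indicator is anomalous
    GREEN = "G"   # match only if this indicator is normal


def pattern_from_string(spec: str) -> dict:
    """Build a pattern (indicator name -> Dot) from a 7-character string in
    INDICATORS order, e.g. "---R--G". This compact notation is hypothetical."""
    if len(spec) != len(INDICATORS):
        raise ValueError(f"pattern needs {len(INDICATORS)} characters")
    return {name: Dot(ch) for name, ch in zip(INDICATORS, spec)}


def pattern_matches(pattern: dict, anomalous: frozenset) -> bool:
    """True if every RED indicator is anomalous and every GREEN one is normal.
    Indicators missing from the pattern are treated as GREY."""
    for name in INDICATORS:
        dot = pattern.get(name, Dot.GREY)
        is_anomalous = name in anomalous
        if dot is Dot.RED and not is_anomalous:
            return False
        if dot is Dot.GREEN and is_anomalous:
            return False
    return True


@dataclass
class Trigger:
    name: str
    minimal_bit_count: int = 1
    patterns: list = field(default_factory=list)


def trigger_activates(trigger: Trigger, anomalous_bits) -> bool:
    """Evaluate a session's set of anomalous indicators against a trigger:
    the bit count threshold must be reached, and if patterns are configured
    at least one of them must match as well."""
    anomalous = frozenset(anomalous_bits)
    unknown = anomalous - set(INDICATORS)
    if unknown:
        raise ValueError(f"unknown indicator(s): {sorted(unknown)}")
    if len(anomalous) < trigger.minimal_bit_count:
        return False
    if not trigger.patterns:
        return True
    return any(pattern_matches(p, anomalous) for p in trigger.patterns)


# Constructed sample sessions (not real Anomaly Shield output): each is the
# set of indicator bits that reported anomalous behavior for that session.
SAMPLE_SESSIONS = {
    "s1": {"MultipleCountries", "IsolationForest"},
    "s2": {"MultipleCountries", "Query Parameters"},
    "s3": {"MultipleCountries"},
    "s4": {"IsolationForest", "StatusCodeMeta", "Timing Cluster"},
}

# Constructed example trigger: at least two anomalous indicators, among them
# MultipleCountries (red), while Query Parameters must look normal (green).
EXAMPLE_TRIGGER = Trigger(
    name="geo-hopping",
    minimal_bit_count=2,
    patterns=[pattern_from_string("---R--G")],
)


def evaluate_all(trigger: Trigger = EXAMPLE_TRIGGER, sessions=SAMPLE_SESSIONS) -> dict:
    """Map each session id to whether the trigger activates for it."""
    return {sid: trigger_activates(trigger, bits) for sid, bits in sessions.items()}


if __name__ == "__main__":
    for sid, fired in evaluate_all().items():
        print(f"{sid}: {'trigger activated' if fired else 'no action'}")
```

Session s2 is the instructive case: it reaches the bit count threshold of 2, but the green Query Parameters dot rejects it because that indicator is anomalous, which is exactly the "patterns on top of the threshold" behavior the Trigger section describes.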