Airlock Anomaly Shield has to be configured for individual applications.
Section – Application
- Application Name – assign a unique name for the entry.
- Tenant – add the tenants that are allowed to access this entry. See also Multitenancy feature.
- Mappings – this field will display the assigned mapping. To assign a mapping to the application, select the application on the mapping detail page under Section – Anomaly Shield.
Section – Training Data Collection
In order to shield an application, Airlock Anomaly Shield machine learning models must be trained based on a sufficient amount of relevant training data. Collecting training data can be activated/deactivated for each Anomaly Shield Application in the Applications table on Tab – Applications.
- ON/OFF radio buttons:
  - Training Data Collection can be enabled/disabled using the ON/OFF radio buttons.
  - Training data are associated with the Application Name. Collected training data will be lost after changing the Application Name.
- Training Data Collection Exclusions table:
  - Use the + button to add a new selection field and select one or more Traffic Matchers entries.
  - When incoming traffic matches one or more of the referenced Traffic Matchers, the entire traffic of the session is bypassed around Airlock Anomaly Shield and will not be collected. If traffic matches during an active session, the previously collected requests of the affected session are discarded.
Section – Anomaly Detection
- ON/OFF radio buttons:
  - Anomaly Detection can be enabled/disabled using the ON/OFF radio buttons. Note that any anomaly detection initially requires trained machine learning models – see section Training Data Collection.
Log session anomaly details drop-down menu
- The following selection options are available:
  - Never – never write the ML information for the ML application.
  - When session anomaly pattern changes – only write the ML information on a change in the resulting pattern.
  - When raw session anomaly values change – only write the ML information on a change in the raw values.
  - For every request – always write the ML information for the ML application.
Anomaly Detection Exclusions table
- Use the + button to add a new selection field and select one or more Traffic Matchers entries.
- When incoming traffic matches one or more of the referenced Traffic Matchers, the ongoing traffic of the session is bypassed around Airlock Anomaly Shield. The previous traffic of the affected session is marked as excluded and the session-related machine learning data are discarded.
Section – Anomaly Response
The machine-learning algorithm has to be configured for detection and subsequent response handling. Optionally, response rule exceptions can be configured using Traffic Matchers.
- Available settings:
  - Threat Handling – can be set to either Execute actions or Log only. On a freshly trained system, choose Log only for a few days and make sure that the logs show no false positives. For log options, see Log session anomaly details in the Anomaly Detection section.
  - Response Rules – to add a rule:
    - Use the + button to add a new selection field and select one or more response rules.
    - The first matching response rule will be executed. If a rule matches, consecutive rules are not processed; it is therefore advisable to reference rules with blocking actions first.
  - Response Rule Exceptions – to add an exception:
    - Use the + button to add a new selection field and select one or more Traffic Matchers entries.
    - If an incoming request matches one or more of the referenced Traffic Matchers, the request is bypassed around Airlock Anomaly Shield to prevent false positives. Other requests of the same session are not affected by the exclusion, i.e. they are still processed by Airlock Anomaly Shield.
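The three Traffic Matcher lists on this page (Training Data Collection Exclusions, Anomaly Detection Exclusions, Response Rule Exceptions) have different scope, and response rules are evaluated first-match-wins. The following added example is not Airlock code; it is a small model of those documented semantics over one session. It assumes the three lists act independently, and the request ids, matcher names and rule conditions are constructed placeholders.

```python
# Added example, not Airlock code: model the scope of the three exclusion
# lists and the first-match evaluation of response rules for one session.
# Assumption: the three lists act independently of each other.

def apply_exclusions(requests, training_excl, detection_excl, response_exc):
    """requests: ordered list of (request_id, set of Traffic Matcher names it
    matches). Returns which request ids end up collected as training data,
    evaluated by anomaly detection, and still eligible for response rules."""
    collected, detected = [], []
    training_bypassed = False   # whole session, once a training exclusion matches
    detection_bypassed = False  # ongoing traffic, once a detection exclusion matches
    for rid, matched in requests:
        if not training_bypassed and matched & training_excl:
            training_bypassed = True
            collected.clear()    # previously collected requests of the session are discarded
        if not training_bypassed:
            collected.append(rid)
        if not detection_bypassed and matched & detection_excl:
            detection_bypassed = True
            detected.clear()     # previous traffic marked excluded, ML data discarded
        if not detection_bypassed:
            detected.append(rid)
    matches = dict(requests)
    # Response rule exceptions bypass only the matching request itself; the
    # other requests of the same session are still processed.
    responded = [rid for rid in detected if not (matches[rid] & response_exc)]
    return {"collected": collected, "detected": detected, "responded": responded}


def first_matching_rule(rules, session_pattern):
    """Response rules are processed in order; the first matching rule is
    executed and the remaining rules are skipped, so blocking rules go first."""
    for name, predicate in rules:
        if predicate(session_pattern):
            return name
    return None


if __name__ == "__main__":
    # Constructed sample session: r2 hits a training exclusion, r3 a response exception.
    session = [("r1", set()), ("r2", {"health_check"}), ("r3", {"upload"}), ("r4", set())]
    print(apply_exclusions(session, {"health_check"}, set(), {"upload"}))
    # Placeholder rule conditions; real rules match the session anomaly pattern.
    rules = [("block", lambda p: p == "anomalous"), ("log", lambda p: p != "normal")]
    print(first_matching_rule(rules, "anomalous"))
```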
Further information and links
- Internal links:
  - Traffic Matchers can be configured on the Traffic Matchers detail page.
  - Response Rules can be configured on the Rule detail page.
  - Tab – Applications is the entry point to this detail page.
  - For a tutorial with a full example configuration, see Airlock Anomaly Shield configuration.