In the article Part 4 – Activate detection and response action (log-only mode), the threat handling settings were set to log-only in order to collect log data. Search the logs regularly and verify that anomaly detection is working as expected, i.e. that no false positives appear in the logs. Do not change the threat handling settings until the collected logs clearly show that anomaly detection behaves as desired.
- The available actions and their log IDs are:
  - Log incident – WR-SG-NMLY-400
  - Tag session as anomalous – WR-SG-NMLY-401 and WR-SG-SUMMARY
  - Terminate session – WR-SG-NMLY-420
  - Block IP – WR-SG-NMLY-421
- For the two initially configured rules:
  - Check the logs generated by the rule Malicious_Sessions for false positives, i.e. sessions that Anomaly Shield determined to be anomalous but that analysis shows to be valid user sessions.
  - Analyze the logs generated by the rule Suspicious_Sessions in the same way. If that rule reports no false positives either, we recommend adding deterring actions to Suspicious_Sessions as well.
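The review loop described above, as an added example that is not part of the original article and not Airlock's own tooling: a small Python triage helper that picks the Anomaly Shield events (the WR-SG-NMLY-4xx log IDs listed above) out of a log extract, groups them by rule and session, marks the sessions an analyst has already confirmed as legitimate, and reports per rule whether the condition for leaving log-only mode holds (a sample of at least `min_sessions` flagged sessions and zero false positives). The line layout `<timestamp> <host> <log-id> key=value ...`, the field names `rule`, `session`, `client_ip` and `path`, and the sample log lines are all constructed for this example; the real Airlock Gateway log layout may differ, so adapt `LINE_RE` and the field names before using it on production logs.

```python
import re
from collections import defaultdict

# Anomaly Shield actions and the log IDs the article lists for them.
ANOMALY_LOG_IDS = {
    "WR-SG-NMLY-400": "log incident",
    "WR-SG-NMLY-401": "tag session as anomalous",
    "WR-SG-NMLY-420": "terminate session",
    "WR-SG-NMLY-421": "block IP",
}

# Constructed sample log lines. The layout "<timestamp> <host> <log-id> key=value ..."
# and the field names (rule, session, client_ip, path) are assumptions made for this
# example; they are not the documented Airlock Gateway log format.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z gw1 WR-SG-NMLY-400 rule=Malicious_Sessions session=s-1001 client_ip=203.0.113.10 path=/wp-login.php
2024-05-01T10:00:02Z gw1 WR-SG-NMLY-400 rule=Malicious_Sessions session=s-1001 client_ip=203.0.113.10 path=/xmlrpc.php
2024-05-01T10:05:00Z gw1 WR-SG-NMLY-400 rule=Suspicious_Sessions session=s-1002 client_ip=198.51.100.7 path=/api/export
2024-05-01T10:06:30Z gw1 WR-SG-NMLY-400 rule=Suspicious_Sessions session=s-1003 client_ip=198.51.100.8 path=/api/orders
2024-05-01T10:07:00Z gw1 WR-SG-SUMMARY session=s-1003 client_ip=198.51.100.8 status=200
2024-05-01T10:09:00Z gw1 WR-SG-NMLY-400 rule=Malicious_Sessions session=s-1004 client_ip=192.0.2.55 path=/admin
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<log_id>WR-SG-[A-Z0-9-]+)\s*(?P<rest>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Return a dict with ts, host, log_id and the key=value fields, or None when the
    line does not match the assumed layout (lines from other subsystems are skipped)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": m.group("ts"), "host": m.group("host"), "log_id": m.group("log_id")}
    rec.update(KV_RE.findall(m.group("rest")))
    return rec


def anomalous_sessions(lines):
    """Group Anomaly Shield events by rule and session.

    Only the WR-SG-NMLY-4xx log IDs count as anomaly events. WR-SG-SUMMARY lines are
    ignored here: they are written for sessions in general, so on their own they do
    not tell us that a rule fired."""
    by_rule = defaultdict(dict)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["log_id"] not in ANOMALY_LOG_IDS:
            continue
        rule = rec.get("rule", "<unknown>")
        sess = rec.get("session", "<unknown>")
        entry = by_rule[rule].setdefault(
            sess,
            {"first": rec["ts"], "last": rec["ts"], "ips": set(), "paths": [], "actions": set()},
        )
        entry["last"] = rec["ts"]
        entry["ips"].add(rec.get("client_ip", "?"))
        entry["paths"].append(rec.get("path", "?"))
        entry["actions"].add(ANOMALY_LOG_IDS[rec["log_id"]])
    return by_rule


def review(lines, confirmed_legitimate, min_sessions=1):
    """Per rule: how many sessions it flagged, which of them the analyst confirmed as
    valid user sessions (false positives), and whether the article's condition for
    moving the rule from log-only to deterring actions holds: a sample of at least
    min_sessions flagged sessions (an assumed threshold) and zero false positives.

    confirmed_legitimate holds the session IDs that manual analysis showed to be
    legitimate; producing that set is the human review the article asks for."""
    result = {}
    for rule, sessions in anomalous_sessions(lines).items():
        fps = sorted(s for s in sessions if s in confirmed_legitimate)
        result[rule] = {
            "sessions": len(sessions),
            "false_positives": fps,
            "ready_for_deterring_actions": len(sessions) >= min_sessions and not fps,
            "details": sessions,
        }
    return result


if __name__ == "__main__":
    # Analyst verdict (constructed): s-1003 turned out to be a legitimate API client.
    report = review(SAMPLE_LOG.splitlines(), confirmed_legitimate={"s-1003"})
    for rule, r in report.items():
        verdict = "add deterring actions" if r["ready_for_deterring_actions"] else "keep log-only, tune first"
        print(f"{rule}: {r['sessions']} sessions, false positives {r['false_positives']} -> {verdict}")
        for sess, d in r["details"].items():
            print(f"  {sess}: {d['first']}..{d['last']} ips={sorted(d['ips'])} "
                  f"paths={d['paths']} actions={sorted(d['actions'])}")
```

On the constructed sample, Malicious_Sessions flagged two sessions with no confirmed false positives and is reported as ready for deterring actions, while Suspicious_Sessions flagged a session the analyst confirmed as legitimate and therefore stays in log-only mode until the rule has been tuned. The `details` entry per session (client IPs, requested paths, time span, actions seen) is what you look at when deciding whether a flagged session is a real attack or a valid user.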
For in-depth information on how to analyze anomaly detection logs and how to tune the false-positive handling of Airlock Anomaly Shield, follow the links at the end of this article.