Application detail page

Airlock Anomaly Shield has to be configured for individual applications.

Section – Application


Fields/buttons

Description

Application Name

A unique name of the application you want to secure has to be added.

Tenant

Add one or more tenants to allow tenancy access.

Mappings

This field is not directly accessible here. In order to enable your application settings for a mapping, you have to select the new application under Section – Anomaly Shield.

Section – Training Data Collection

The machine learning algorithm requires training data as a reference. Anomaly Shield works with session data but does not require authenticated sessions. Continue collecting session data until at least several thousand sessions have been saved.


Fields/buttons

Description

Client behavior

When enabled, a custom JavaScript is injected into the website to track a wide range of metrics regarding the client's use of input devices, i.e., keyboard, mouse, and touchscreen.

The client behavior option aggregates into session metrics that are saved in collection mode in the Cold DB and can be evaluated in Anomaly Detection mode. Airlock Anomaly Shield receives an additional model score from the Client Behavior model, which can be used in the trigger configuration (see Section – Patterns).

Traffic Exclusion

For best anomaly detection results, non-relevant data should be excluded in the first place. To achieve this, settings for traffic exclusion can be configured here. Note that configured exclusions are AND linked.

Traffic Exclusion examples:

  • Header Name – a regex to exclude certain header names. Example syntax: ^X-Header$
  • Header Value – a regex to exclude certain header values. Example syntax: ^X-Value$
  • Path – a regex to exclude certain paths. Example syntax: ^/path/to/match
  • HTTP Method – a regex to exclude certain HTTP methods. Example syntax: ^(GET|POST)$
  • Content Type – a regex to exclude a certain type of content. Example syntax: ^application/.*
  • IP Exclusions – to select an address:

Recommendations for training data collection and model improvement:

For continuous Anomaly Shield model improvement, we strongly recommend enabling Data Collection on the Tab – Applications permanently and setting automatic retraining to Section – Training Task mode.
In full manual mode (not recommended), collect session data for a period of 5 weeks / 35 days minimum. It is important to train the machine learning model with the full range of different sessions and traffic behaviors that may occur in a typical calendar month.

See also tutorial article Part 2 – Training and model enforcement.

Section – Anomaly Detection

The machine-learning algorithm has to be configured for threat detection and subsequent response handling. Settings for response rule exceptions can be configured here as AND operations.


Fields/buttons

Description

Client behavior

When enabled, a custom JavaScript is injected into the website to track a wide range of metrics regarding the client's use of input devices, i.e., keyboard, mouse, and touchscreen.

Log session anomaly details

Possible values for logging can be:

  • Never – To never write the ML information for the ML application.
  • When session anomaly pattern changes – To only write the ML information on a change in the resulting pattern.
  • When raw session anomaly values change – To only write the ML information on a change in the raw values.
  • For every request – To always write the ML information for the ML application.

Traffic Exclusion

Can be used to exclude certain traffic from being processed by Airlock Anomaly Shield. This is to prevent false positives. Note that configured exclusions are AND linked.

Traffic Exclusion examples:

  • Header Name – a regex to exclude certain header names. Example syntax: ^X-Header$
  • Header Value – a regex to exclude certain header values. Example syntax: ^X-Value$
  • Path – a regex to exclude certain paths. Example syntax: ^/path/to/match
  • HTTP Method – a regex to exclude certain HTTP methods. Example syntax: ^(GET|POST)$
  • Content Type – a regex to exclude a certain type of content. Example syntax: ^application/.*
  • IP Lists – to select an address:

Section – Anomaly Response


Fields/buttons

Description

Threat Handling

Can be set to either Execute actions or Log only.

Response Rules

Traffic Exclusion

Can be used to exclude certain traffic from being processed by Airlock Anomaly Shield. This is to prevent false positives. Note that configured exclusions are AND linked.

Traffic Exclusion examples:

  • Header Name – a regex to exclude certain header names. Example syntax: ^X-Header$
  • Header Value – a regex to exclude certain header values. Example syntax: ^X-Value$
  • Path – a regex to exclude certain paths. Example syntax: ^/path/to/match
  • HTTP Method – a regex to exclude certain HTTP methods. Example syntax: ^(GET|POST)$
  • Content Type – a regex to exclude a certain type of content. Example syntax: ^application/.*
  • IP Lists – to select an address:
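The Traffic Exclusion settings in the Training Data Collection, Anomaly Detection and Anomaly Response sections all share the same rule: configured regexes are AND linked, so a request is excluded only when every configured criterion matches. The following added example (not Airlock's own code) models that evaluation with the example syntaxes from this page; it assumes that the Header Name and Header Value regexes are evaluated against the same header, and the request and exclusion types are constructed for illustration.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class TrafficExclusion:
    """One Traffic Exclusion entry; every field is an optional regex (constructed model)."""
    header_name: Optional[str] = None
    header_value: Optional[str] = None
    path: Optional[str] = None
    http_method: Optional[str] = None
    content_type: Optional[str] = None


@dataclass
class Request:
    """Minimal HTTP request model (constructed for this example)."""
    method: str
    path: str
    headers: Dict[str, str] = field(default_factory=dict)


def _header_matches(excl: TrafficExclusion, req: Request) -> bool:
    # Assumption: Header Name and Header Value are checked on the same header.
    # A header satisfies the criterion only if its name matches AND, when a
    # value regex is configured, its value matches as well.
    if excl.header_name is None and excl.header_value is None:
        return True
    for name, value in req.headers.items():
        if excl.header_name is not None and not re.search(excl.header_name, name):
            continue
        if excl.header_value is not None and not re.search(excl.header_value, value):
            continue
        return True
    return False


def is_excluded(excl: TrafficExclusion, req: Request) -> bool:
    """AND-linked evaluation: one non-matching configured criterion keeps the
    request in scope. Unconfigured criteria (None) do not restrict the match."""
    checks = [
        (excl.path, req.path),
        (excl.http_method, req.method),
        (excl.content_type, req.headers.get("Content-Type", "")),
    ]
    for pattern, value in checks:
        if pattern is not None and not re.search(pattern, value):
            return False
    return _header_matches(excl, req)


# The page's example syntaxes combined into a single exclusion entry.
PAGE_EXAMPLE = TrafficExclusion(header_name="^X-Header$", header_value="^X-Value$",
                                path="^/path/to/match", http_method="^(GET|POST)$",
                                content_type="^application/.*")
```

Because the criteria are AND linked, a request that matches the path and method but carries a different header value is still processed by Anomaly Shield; an exclusion meant to cover only one dimension (for example static content) should set only that field.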