Part 5 – Analyze and adjust threat handling settings

In the article Part 4 – Activate detection and response action (log-only mode), the threat handling settings were set to log-only in order to collect log data. Search the logs on a regular basis and verify that the anomaly detection is working as expected, i.e. that no false positives can be found in the logs. Do not change the threat handling settings until the resulting logs clearly show that anomaly detection is working as desired.

  • The available actions and log-IDs are:
    • Log incident – WR-SG-NMLY-400
    • Tag session as anomalous – WR-SG-NMLY-401 and WR-SG-SUMMARY
    • Terminate session – WR-SG-NMLY-420
    • Block IP – WR-SG-NMLY-421
  • For the two initially configured rules:
    • Check the logs generated by the rule Malicious_Sessions for false positives, i.e. sessions that Anomaly Shield determined to be anomalous but that analysis shows to be valid user sessions.
    • Analyze the logs generated by the rule Suspicious_Sessions as well to determine whether the rule reports false positives. If no false positives are reported, we recommend adding deterring actions in Suspicious_Sessions as well.

For in-depth information on how to analyze anomaly detection logs and how to tune the false-positive handling of Airlock Anomaly Shield, follow the links at the end of this article.
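The following script is an added example (not part of this article or the Airlock product) of the false-positive check described above: it parses constructed log lines carrying the log-IDs listed above, groups flagged sessions per rule, and reports for each rule whether the false-positive rate among sessions an analyst has verified as legitimate is low enough to move from log-only to Execute actions. The key=value log layout is an assumption made for the example, not the real Airlock log format.

```python
import re
from collections import defaultdict

# Constructed sample log lines in an assumed key=value layout (not the real Airlock format).
# Log-IDs are the ones listed in the article; rule names are the two initially configured rules.
SAMPLE_LOGS = """\
log_id=WR-SG-NMLY-400 rule=Malicious_Sessions session=s1 src=203.0.113.5
log_id=WR-SG-NMLY-401 rule=Malicious_Sessions session=s1 src=203.0.113.5
log_id=WR-SG-NMLY-400 rule=Malicious_Sessions session=s2 src=203.0.113.9
log_id=WR-SG-NMLY-400 rule=Suspicious_Sessions session=s3 src=198.51.100.7
log_id=WR-SG-NMLY-400 rule=Suspicious_Sessions session=s4 src=198.51.100.8
log_id=WR-SG-NMLY-401 rule=Suspicious_Sessions session=s4 src=198.51.100.8
WR-SG-OTHER unrelated line that the parser must ignore
"""

LINE_RE = re.compile(
    r"log_id=(?P<log_id>WR-SG-NMLY-\d{3}) rule=(?P<rule>\S+) "
    r"session=(?P<session>\S+) src=(?P<src>\S+)"
)

def parse_logs(text):
    """Return one dict per anomaly log line; lines that do not match the layout are skipped."""
    matches = (LINE_RE.search(line) for line in text.splitlines())
    return [m.groupdict() for m in matches if m]

def sessions_by_rule(events):
    """Map rule name -> set of session IDs the rule flagged (400/401 both count as flagged)."""
    flagged = defaultdict(set)
    for ev in events:
        flagged[ev["rule"]].add(ev["session"])
    return dict(flagged)

def false_positive_rate(events, verified_legit):
    """Per rule: (false positives, flagged sessions, rate). verified_legit is the set of
    flagged sessions an analyst has confirmed to be valid user sessions."""
    result = {}
    for rule, sessions in sessions_by_rule(events).items():
        fp = len(sessions & verified_legit)
        result[rule] = (fp, len(sessions), fp / len(sessions))
    return result

def ready_to_execute(events, verified_legit, max_rate=0.0):
    """True for a rule only when its false-positive rate is within max_rate, i.e. when
    switching that rule from Log only to Execute actions is justified by the logs."""
    rates = false_positive_rate(events, verified_legit)
    return {rule: rate <= max_rate for rule, (_, _, rate) in rates.items()}

if __name__ == "__main__":
    events = parse_logs(SAMPLE_LOGS)
    for rule, (fp, n, rate) in false_positive_rate(events, {"s3"}).items():
        print(f"{rule}: {fp}/{n} flagged sessions are false positives ({rate:.0%})")
```

With session s3 verified as legitimate, Malicious_Sessions has no false positives and is ready for Execute actions, while Suspicious_Sessions is not, matching the article's recommendation to add deterring actions to Suspicious_Sessions only once its logs are clean.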

Log analysis procedure and threat handling settings

  1. Wait until the anomaly protection has generated a sufficient number of log messages that can be used to verify that the anomaly detection is working as expected.
  2. Check the logs for false positives. Consider adding Anomaly Detection Exclusions/Response Rule Exceptions by configuring one or more Traffic Matchers if applicable.
  3. See also the supplementary article Reducing false-positives in case too many false positives are detected even with exclusions in place.
  4. When the logs show the expected anomaly detection rate, change the Threat Handling from Log only to Execute actions.
     Go to:
     Application Firewall >> Anomaly Shield >> tab Applications
  5. In the column Anomaly Shield Application, click on the application entry to open the application detail page.
  6. In section Anomaly Response, table Response Rules, change the Threat Handling from Log only to Execute actions.
  7. The full application configuration with Execute actions enabled may look like this:
     [Figure: AAS Application detail page with Execute Actions]
  8. Activate the new configuration.
  9. The Airlock Anomaly Shield application is now active with Execute actions enabled, i.e. it terminates malicious sessions and logs suspicious sessions.