Part 4 – Activate detection and response action (log-only mode)

After the initial setup, we activate anomaly detection and response in log-only mode and collect log data for some weeks. This allows us to analyze the collected log messages, search for false positives and, if required, tune the Anomaly Shield detection without any Anomaly Shield response action being taken.

  For the initial configuration, we use the following settings:
    • Log session anomaly details is set to When session anomaly pattern changes. This setting does not clutter the logs but still shows all vital information needed to analyze sessions that are tagged as anomalous.
    • Threat Handling is initially set to Log only. With Anomaly Shield activated, this setting prevents any actions from being taken. The log-only mode allows analyzing the behavior of triggers and rules and checking that there are no false positives.
    • In the tutorial, we set Hard_Action as the first rule, followed by Soft_Action. This way, malicious sessions are terminated by the first rule as configured in its actions, while suspicious sessions are not terminated but only logged by the second rule.
      The processing order of rules is important because only the first matching rule will be applied.
  1. Go back to:
    Application Firewall >> Anomaly Shield >> tab Applications
  2. In the column Anomaly Shield Application, click on the application entry to open the application detail page.
  3. Disable Training Data Collection.
  4. In section Anomaly Detection:
    • Enable Anomaly Detection.
    • Choose the log level When session anomaly pattern changes.
    • Consider configuring an optional Traffic Matcher to exclude certain traffic from anomaly detection. See Optional configuration of Traffic Matchers.

    You can significantly reduce the system load by excluding incoming traffic from Airlock Anomaly Shield's calculation. Make sure to exclude only secure traffic!

  5. In section Anomaly Response, table Response Rules:
    • Select the Log only radio button to enable the Anomaly Shield threat logging.
    • Click the + button and add two Response Rules entries. Select the previously prepared rules.

    Rules are processed in top-down order. The first matching rule will be used! The entries can be sorted by drag and drop.

  6. In section Anomaly Response, table Response Rule Exceptions:
  7. A fully configured application may look like this:
    [Figure: AAS application without Traffic Matcher (detail page)]
  8. Activate the new configuration.
  9. Airlock Anomaly Shield now evaluates the traffic of the target back-end application. Incidents are logged.
  10. Wait until the anomaly protection has generated a sufficient number of log messages to verify that the anomaly detection is working as expected.
  11. When the logs show the expected anomaly detection rate, change the Threat Handling from Log only to Execute actions and activate the configuration.
  12. The Airlock Anomaly Shield application is now active and logs anomalous sessions of the back-end application(s). Wait a few weeks to gather enough logs before proceeding with Part 5 – Analyze and adjust threat handling settings.
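To make the rule-processing semantics of this part concrete (rules are evaluated top-down, only the first matching rule applies, and Threat Handling decides whether the matched action is executed or only logged), here is an added Python model. It is example code, not Airlock code or part of this tutorial; the match criterion (number of fired triggers), the trigger names and the sample sessions are constructed assumptions.

```python
"""Added model of Anomaly Shield response-rule processing (not Airlock code):
rules are checked top-down, only the first matching rule applies, and Threat
Handling decides whether its action is executed or only logged. Assumption: a
rule matches when at least min_triggers anomaly triggers fired in the session;
trigger names, thresholds and the sessions below are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

LOG_ONLY = "Log only"        # Threat Handling during the observation phase
EXECUTE = "Execute actions"  # Threat Handling once the logs look clean


@dataclass(frozen=True)
class ResponseRule:
    name: str
    action: str        # what happens to a session matched by this rule
    min_triggers: int  # hypothetical match criterion
    def matches(self, triggers: Set[str]) -> bool:
        return len(triggers) >= self.min_triggers


@dataclass(frozen=True)
class Decision:
    session_id: str
    rule: Optional[str]    # first matching rule, or None
    action: Optional[str]
    executed: bool         # False in log-only mode: the action is only logged


# Rules as prepared in the tutorial; Hard_Action must be listed first so that
# malicious sessions are terminated instead of merely logged by Soft_Action.
HARD_ACTION = ResponseRule("Hard_Action", "terminate session", min_triggers=3)
SOFT_ACTION = ResponseRule("Soft_Action", "log session", min_triggers=1)


def evaluate(session_id: str, triggers: Set[str], rules: List[ResponseRule],
             threat_handling: str) -> Decision:
    """Apply the first matching rule; execute it only under Execute actions."""
    for rule in rules:
        if rule.matches(triggers):
            return Decision(session_id, rule.name, rule.action,
                            executed=(threat_handling == EXECUTE))
    return Decision(session_id, None, None, False)


def summarize(sessions: List[Tuple[str, Set[str]]], rules: List[ResponseRule],
              threat_handling: str) -> Dict[str, int]:
    """Sessions per matched rule ("none" if no rule matched): the figure one
    checks in the logs before switching Threat Handling to Execute actions."""
    counts: Dict[str, int] = {}
    for session_id, triggers in sessions:
        key = evaluate(session_id, triggers, rules, threat_handling).rule or "none"
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sessions: one malicious (3 triggers), one suspicious, one normal.
SESSIONS = [("s1", {"t_rate", "t_path", "t_agent"}), ("s2", {"t_rate"}), ("s3", set())]
```

Running summarize over the constructed sessions with Soft_Action listed first shows the ordering mistake directly: the malicious session s1 is counted under Soft_Action and would never be terminated.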