Airlock Anomaly Shield has to be configured for individual applications.
Section – Application
| Fields/buttons | Description |
|---|---|
| Application Name | A unique name for the application you want to secure. |
| Tenant | Add one or more tenants to allow tenancy access. |
| Mappings | This field is not directly editable here. To enable these application settings for a mapping, select the new application under Section – Anomaly Shield. |
Section – Training Data Collection
The machine learning algorithm requires training data as a reference. Anomaly Shield works with session data but does not require authenticated sessions. Continue collecting session data until at least several thousand sessions have been saved.
| Fields/buttons | Description |
|---|---|
| Client behavior | When enabled, a custom JavaScript is injected into the website to track a wide range of metrics regarding the client's use of input devices, i.e., keyboard, mouse, and touchscreen. These client behavior metrics are aggregated into session metrics that are saved in the Cold DB in collection mode and can be evaluated in Anomaly Detection mode. Airlock Anomaly Shield receives an additional model score from the Client Behavior model, which can be used in the trigger configuration (see Section – Patterns). |
| Traffic Exclusion | For best anomaly detection results, non-relevant data should be excluded from the outset. Settings for traffic exclusion can be configured here. Note that configured exclusions are AND linked. IP addresses are managed under Submenu – IP Address Lists. |
Recommendations for training data collection and model improvement:
For continuous Anomaly Shield model improvement, we strongly recommend enabling Data Collection on the Tab – Applications permanently and configuring automatic retraining under Section – Training Task.
In full manual mode (not recommended), collect session data for a period of 5 weeks / 35 days minimum. It is important to train the machine learning model with the full range of different sessions and traffic behaviors that may occur in a typical calendar month.
See also tutorial article Part 2 – Training and model enforcement.
Section – Anomaly Detection
The machine-learning algorithm has to be configured for threat detection and subsequent response handling. Settings for response rule exceptions can be configured here as AND operations.
| Fields/buttons | Description |
|---|---|
| Client behavior | When enabled, a custom JavaScript is injected into the website to track a wide range of metrics regarding the client's use of input devices, i.e., keyboard, mouse, and touchscreen. |
| Log session anomaly details | |
| Traffic Exclusion | Can be used to exclude certain traffic from being processed by Airlock Anomaly Shield, in order to prevent false positives. Note that configured exclusions are AND linked. IP addresses are managed under Submenu – IP Address Lists. |
Section – Anomaly Response
| Fields/buttons | Description |
|---|---|
| Threat Handling | Can be set to either Execute actions or Log only. |
| Response Rules | Response rules are managed on the Trigger and Pattern detail page. |
| Traffic Exclusion | Can be used to exclude certain traffic from being processed by Airlock Anomaly Shield, in order to prevent false positives. Note that configured exclusions are AND linked. IP addresses are managed under Submenu – IP Address Lists. |
Further information and links
- Internal links:
  - For an introduction including conceptual information, see: Airlock Anomaly Shield
  - Configuration is described here: Airlock Anomaly Shield configuration
  - For details about anomaly logging, see: Log messages and actions of Airlock Anomaly Shield