Enabling and disabling outliers detection

Enable/disable outliers detection from any unit in a centralized environment, a multi-CM environment, or on a stand-alone collector.

Before you begin

  • Guardium strongly recommends that you enable outliers only on 64-bit aggregators with a minimum of 24 gigabytes of memory.

About this task

Restriction: Outliers detection and Data Level Security cannot be enabled concurrently.
Outliers detection is disabled by default. You can enable outliers detection in either of the following two ways:
  • On the Maintenance > Active Threat Analytics Setup page. See Active Threat Analytics setup.
  • With the two API commands enable_outliers_detection and disable_outliers_detection, which enable and disable outliers detection on any Guardium system, in any topology.

The outliers detection commands affect the Guardium systems differently, depending on their setup.

Single CM environment
Enabling outliers detection on a CM enables it on all managed units, and on all units that are registered to the CM thereafter, when you run the API command with no additional parameters. Alternatively, you can limit the enable/disable to a list of units. Similarly, disabling outliers detection on a CM disables it on all units that are registered with the CM.
When you enable outliers detection on a collector that extracts data to an aggregator, outliers detection is enabled on the aggregator (if not already enabled) and the collector starts sending data to the aggregator. When you disable it on a collector, and this is the only collector sending data to the aggregator, the collector stops sending data and outliers detection is disabled on the aggregator.
Multi-CM environment
Enabling or disabling outliers detection on a CM enables or disables it on all managed units, and on all units that are registered to the CM thereafter, when you run the API command with no additional parameters. Alternatively, you can limit the enable/disable to a list of units. Similarly, disabling outliers detection on a CM disables it on any unit registered with the CM.
When enabling on a collector that extracts data to an aggregator that is not in the same CM environment as the collector, the collector starts sending data to the aggregator, and the API responds with the name of the aggregator that needs to be enabled for outliers detection.
When enabling on an aggregator, outliers detection is enabled and collectors in the same CM environment start sending data. If the aggregator receives data from collectors in a different CM environment, the API responds with a list of all collectors that need to be enabled for outliers detection.
To enable on individual aggregators or collectors, use the commands enable_outliers_detection_cross_cm_agg and enable_outliers_detection_cross_cm_collector.
Single Collector
Run the command on a collector that does not extract data to an aggregator to enable/disable it locally.

Procedure

  1. Log in to the Guardium system as a user or administrator with the CLI role.
  2. To enable outliers detection on all the units under the CM, and on all units that are registered to the CM thereafter, enter:
    grdapi enable_outliers_detection
    Optional parameters are:
    • outliers_detection_enabling: group ID of an existing group. Relevant and optional on a CM.
    • managed_units_hostnames: comma-separated list of units. Relevant and optional on a CM.
    • FAM_DAM: the type of outliers to detect. Optional; the default is DAM.

    The parameters schedule_interval and schedule_units are ignored.

  3. To disable outliers detection, enter the following command, with or without the optional parameters:
    grdapi disable_outliers_detection
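As an added example that is not part of this page or of the Guardium product, the following POSIX shell wrapper composes the grdapi command from steps 2 and 3, validates the optional parameters, and sends the command to the CM. It assumes the appliance CLI is reachable over SSH as the cli user, that grdapi takes its parameters as name=value pairs, and that FAM is the other accepted FAM_DAM value besides the default DAM; the hostnames are constructed.

```shell
#!/bin/sh
# Wrapper for grdapi enable_outliers_detection / disable_outliers_detection.
# Assumptions: ssh cli@<host> reaches the appliance CLI; grdapi parameters
# use name=value syntax; FAM_DAM accepts DAM (default) or FAM.
set -eu

# Accept an empty value (parameter omitted), DAM, or FAM; reject anything else.
check_fam_dam() {
    case "$1" in
        ""|DAM|FAM) return 0 ;;
        *) echo "FAM_DAM must be DAM or FAM, got '$1'" >&2; return 1 ;;
    esac
}

# Usage: build_outliers_cmd enable|disable [units_csv] [FAM|DAM] [group_id]
# Prints the grdapi command line with only the parameters that were given.
build_outliers_cmd() {
    action=$1; units=${2:-}; fam_dam=${3:-}; group=${4:-}
    case "$action" in
        enable)  cmd="grdapi enable_outliers_detection" ;;
        disable) cmd="grdapi disable_outliers_detection" ;;
        *) echo "action must be enable or disable, got '$action'" >&2; return 1 ;;
    esac
    check_fam_dam "$fam_dam" || return 1
    # managed_units_hostnames expects a comma-separated list with no spaces.
    units=$(printf '%s' "$units" | tr -d ' \t')
    [ -n "$group" ]   && cmd="$cmd outliers_detection_enabling=$group"
    [ -n "$units" ]   && cmd="$cmd managed_units_hostnames=$units"
    [ -n "$fam_dam" ] && cmd="$cmd FAM_DAM=$fam_dam"
    printf '%s\n' "$cmd"
}

# Usage: run_outliers_cmd <cm_host> enable|disable [units_csv] [FAM|DAM] [group_id]
# With DRY_RUN=1 the command is printed instead of sent to the appliance.
run_outliers_cmd() {
    host=$1; shift
    cmd=$(build_outliers_cmd "$@") || return 1
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf 'would run on %s: %s\n' "$host" "$cmd"
    else
        ssh "cli@$host" "$cmd"
    fi
}

# Constructed hostnames: enable FAM outliers on two collectors via the CM.
DRY_RUN=1 run_outliers_cmd cm.example.com enable "coll1.example.com, coll2.example.com" FAM
```

Set DRY_RUN=0 (or leave it unset) to send the command to the CM; the schedule_interval and schedule_units parameters are deliberately not supported because the page states they are ignored.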

Results

When enabling, the system starts collecting outlier data. After the learning period completes (14 days), outliers data is available in the Investigation Dashboard (see Interpreting data outliers in the investigation dashboard and Interpreting file activity outliers in the investigation dashboard) and in the Outlier Analytic List Report.