Quick start for outlier detection

Learn how to enable outlier detection and start receiving alerts in a few simple steps.

About this task

Outlier detection can run on any number of aggregators. However, it is recommended to start with one aggregator, refine the configuration, and then expand to additional aggregators. Before you start, decide how many resources are available to investigate outliers, and then limit the number of outliers reported daily to an amount you can actually investigate. The Guardium algorithm surfaces the most important events to investigate, rather than simply the "top 10."

Outlier detection is a separate process from security policy rules and enforcement, so you cannot set up real-time alerts on outliers. However, because outlier data is included in reports, you can create a correlation alert. A correlation alert is triggered by a query that looks back over a specified time period to determine whether the alert threshold has been met.

Procedure

  1. Enable outliers. See Enabling and disabling outliers detection, or Active Threat Analytics setup.
  2. Optionally, fine-tune the outlier definition. See Grouping users and objects for outliers detection and Excluding events from outliers detection.
  3. Create a query.
    1. Navigate to Reports > Report Configuration Tools > Query-Report Builder.
    2. Set Domain=analytic, Query name=Analytic Outliers List or Analytic Outliers Summary by Date. All other settings can be left at their defaults.
    3. Click Create Report.
  4. Create an Audit process.
    1. Navigate to Comply > Tools and Views > Audit Process Builder.
    2. Name the process and add the task (the report you just created).
    3. Define receivers. Decide what kind of notifications you want. You can set up alerts, add to the to-do list, and assign users to review and justify the findings.
    4. Schedule the process as daily, and Save.
  5. For easy viewing, add the outliers reports to My Dashboard.

Results

When the learning period is complete, the reports should contain data, and alerts are sent.