Quick start for outlier detection
Learn how to enable outlier detection and start receiving alerts in a few simple steps.
About this task
Outlier detection can run on any number of aggregators. However, it is recommended to start with one aggregator, refine the configuration, and then expand to additional aggregators. Before you start, decide how many resources are available to investigate outliers, and then limit the number of outliers reported daily to an amount you can actually investigate. The Guardium algorithm surfaces the most important events to investigate, rather than, for example, a fixed "top 10" list.
Outlier detection is a separate process from security policy rules and enforcement, so you cannot set up real-time alerts on outliers. However, because outlier data is included in reports, you can create a correlation alert. A correlation alert is triggered by a query that looks back over a specified time period to determine whether the alert threshold has been met.
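The two ideas above (capping the outliers reported per day, and a correlation alert that counts outliers over a lookback window rather than firing in real time) are illustrated by the following added example. It is not Guardium code and uses no Guardium API; the event records, the score scale, and the window and threshold values are constructed for the illustration.

```python
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import Iterable


@dataclass(frozen=True)
class OutlierEvent:
    """One row of an outlier report (hypothetical shape, not Guardium's schema)."""
    timestamp: datetime
    user: str
    score: float  # anomaly score on an assumed 0.0 to 1.0 scale


# Constructed sample data standing in for rows of an outlier report.
SAMPLE_EVENTS = [
    OutlierEvent(datetime(2024, 1, 10, 11, 0), "alice", 0.90),
    OutlierEvent(datetime(2024, 1, 10, 10, 30), "bob", 0.70),
    OutlierEvent(datetime(2024, 1, 10, 9, 0), "alice", 0.95),
    OutlierEvent(datetime(2024, 1, 9, 12, 30), "carol", 0.80),   # ~23.5 h before NOW
    OutlierEvent(datetime(2024, 1, 8, 8, 0), "dave", 0.99),      # outside a 24 h window
    OutlierEvent(datetime(2024, 1, 10, 11, 45), "eve", 0.20),    # recent but low score
]

NOW = datetime(2024, 1, 10, 12, 0)  # constructed "current time" for the example


def top_outliers_for_day(events: Iterable[OutlierEvent], day: date, limit: int):
    """Cap what gets handed to analysts: the highest-scoring outliers of one day.

    This models the advice to limit the daily outlier count to what the team
    can investigate; it ranks by score, it is not the Guardium ranking itself.
    """
    days_events = [e for e in events if e.timestamp.date() == day]
    return sorted(days_events, key=lambda e: e.score, reverse=True)[:limit]


def count_outliers_in_window(events: Iterable[OutlierEvent], now: datetime,
                             lookback: timedelta, min_score: float = 0.0) -> int:
    """Count outliers whose timestamp falls in [now - lookback, now] and whose
    score is at least min_score. This is the 'query that looks back over a
    specified time period' behind a correlation alert."""
    start = now - lookback
    return sum(1 for e in events
               if start <= e.timestamp <= now and e.score >= min_score)


def correlation_alert(events: Iterable[OutlierEvent], now: datetime,
                      lookback: timedelta, threshold: int,
                      min_score: float = 0.0):
    """Evaluate a correlation alert: fire when the lookback count reaches the
    threshold. Returns (fired, count) so the count can be logged either way."""
    count = count_outliers_in_window(events, now, lookback, min_score)
    return count >= threshold, count


if __name__ == "__main__":
    for e in top_outliers_for_day(SAMPLE_EVENTS, date(2024, 1, 10), limit=2):
        print(f"{e.timestamp:%H:%M} {e.user:<6} score={e.score:.2f}")
    fired, n = correlation_alert(SAMPLE_EVENTS, NOW, timedelta(hours=6),
                                 threshold=3, min_score=0.5)
    print(f"6h window: {n} outliers, alert fired={fired}")
    fired, n = correlation_alert(SAMPLE_EVENTS, NOW, timedelta(hours=24),
                                 threshold=5, min_score=0.5)
    print(f"24h window: {n} outliers, alert fired={fired}")
```

Because the alert is evaluated against a window rather than a single event, the same outlier stream can satisfy a six-hour threshold while missing a stricter 24-hour one; when tuning, pick the window and threshold together with the daily investigation cap so that a fired alert always corresponds to work the team can absorb.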