Active Threat Analytics setup
Enable, disable, and monitor the active threat analytics processes, either across your entire system (recommended) or on individual managed units.
The Active threat analytics processes are the Threat finder and DAM outlier mining. Best practice is to enable all processes across all Guardium® systems. If required, you can enable processes selectively.
To open the Active Threat Analytics Setup, go to
. There are three sections, each with a module status.
Enable all processes
Prerequisite for Threat finder: Quick search is enabled.
Click Enable all processes to enable Threat finder and DAM outlier mining on all managed units in your environment. The system responds with one message on the Threat finder status, and one message on the DAM outlier mining status.
Enable threat finder
Prerequisite for Threat finder: Quick search is enabled.
Click Enable to enable Threat finder on either a central manager or a stand-alone system. The system responds with a status message.
Enable DAM outlier mining
When viewed on an aggregator, this window presents details of that aggregator's collectors.
When viewed on a collector, only that collector is detailed.
To enable or disable outlier mining on all managed units in your environment, click Enable All / Disable All. To enable outlier mining on individual units, select them and click Enable / Disable from the Actions drop-down list. Best practice: enable outlier mining for your entire environment. If you need to enable selectively, enable on aggregators in preference to collectors.
View the enable and disable history by clicking Outlier mining enable/disable history. Details include which collectors send data to the aggregator and, for collectors that do not send data to the aggregator, why not.
This table describes the DAM outlier mining section, and the recommended user actions.
Column | Description | Actions |
---|---|---|
Opens and closes the list of units that send data to this aggregator | Click to view the list of units | |
Unit | Name of unit | NA |
Unit type | One of Collector, Aggregator, Central Manager | NA |
Unit on/off | Indicates whether the unit is on or off. | NA |
Outlier Mining Enabled/Disabled | Indicates whether outlier mining is enabled or disabled on the unit. | NA |
Anomaly Last Found | The local date and time on the CM of the last outlier mining run that found one or more anomalies (outliers). | NA |
Last Analysis | The local date and time on the CM of the last outlier mining run (process end date and time). | NA |
Analysis Status | Status of the last outlier mining run. | If an error or warning occurred only once, wait for the process to run again (next hour) and check the result. If an error repeats, contact technical support. For processes that did not end successfully, click Details to view more information. |
Learning Since | Date and time at which the outlier mining process was enabled. The process learns the resource's behavior from this time onward. | NA |
Quick Search on/off | Indicates whether Quick Search and Solr are enabled on the managed unit. When Quick Search is disabled, this machine's data is not included in the Investigation Dashboard. | See Enabling and disabling the Investigation Dashboard |
Last Info. Update | Last date and time the information in this row was updated. Data is usually updated at intervals of about 5 minutes. | NA |
Configured to Send Outlier Mining Data | Collectors only, in a multi-CM environment. Indicates whether a collector is configured to send data to an aggregator. (If not, it is either running outlier detection locally or not configured to send data.) | NA |
Outliers data last received | Collectors only, in a multi-CM environment. Indicates when an aggregator last received data from collectors. | NA |
Predefined alert
There is a predefined alert, Outlier Analysis Failure, that is triggered when the outlier mining process fails. Configure it in the Alert Builder.