Enabling and disabling threat detection analytics
Understand the prerequisites and procedures for enabling threat detection analytics.
Threat detection analytics is enabled, by default, on Guardium versions 10.1.4 and higher.
To enable threat detection analytics:
- Ensure that you meet the minimum required memory and storage requirements for search (4 CPU and 24 GB RAM).
- Verify that your system has logged application data. Specifically, SQLI requires application data because the injection initiates from the application. If the system "trusts" the application and does not monitor it in Guardium, the injection cannot be identified.
- Outlier detection is not required for SQL injection threat detection but it is required to fully support malicious stored procedure detection. For more information, see Enabling and disabling outliers detection.
- Enable threat detection scanning on each collector, or on multiple managed units from the central manager, by using the Guardium API command: grdapi enable_advanced_threat_scanning. See Threat detection analytics APIs for more information about the parameters available for the enable_advanced_threat_scanning command.
- Set up the audit process to send case reports to the relevant investigators. This is optional but recommended. See Activating the audit process workflow for threat analytics for more information.
Important: Threat detection relies on analysis and correlation of logged data. Thus, any rules that filter out traffic before logging are not considered for threat detection. Examine your use of IGNORE S-TAP SESSION rules carefully to weigh the risk of not logging these sessions against the benefit of optimizing the capacity of the collector.
To disable threat detection analytics, use the GuardAPI command: grdapi disable_advanced_threat_scanning, either on individual collectors or from the central manager.
Prerequisites for malicious stored procedures analytics
- The analytics algorithm depends in part on sensitive objects groups. By default, the algorithm uses members of the system-defined sensitive objects group (group ID 5). If you already specified other sensitive object groups for outlier detection, threat detection uses the same groups. Even if outlier detection is not enabled, you can set your own sensitive object groups by using the same GuardAPI command:
  grdapi set_outliers_detection_parameter parameter_name="sensitiveObjectGroupIds" parameter_value=<group ID>,<group ID>,...
- Policy rules must be installed to collect the necessary traffic for malicious stored procedure analysis. Recommendation: Create the following rules in your policy, in the suggested order. It is important to select the Continue to next rule checkbox for all of these rules.
  - Access rule: Log Full Details, where the Command group filter is PROCEDURE DDL.
  - Access rule: Log Full Details, where the Command group filter is EXECUTE Commands. If your database is Oracle, include the command BEGIN in the rule.
  - Exception rule: Log Only, where the Error type filter is SQL_ERROR.
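The following POSIX shell helper is an added example, not part of the Guardium documentation: it gates on the 4 CPU / 24 GB minimum stated above and composes the enable/disable and sensitiveObjectGroupIds grdapi commands from this page with input validation. It executes nothing against an appliance; the printed lines are meant to be pasted into the Guardium CLI, and the sizing values and group IDs in the dry run are constructed.

```shell
#!/bin/sh
# Added helper (not from the Guardium documentation): composes the grdapi
# commands this page describes and checks the stated minimum sizing.
# Nothing is executed against an appliance, so the script runs offline.

MIN_CPUS=4      # minimum CPUs stated for search
MIN_MEM_GB=24   # minimum RAM in GB stated for search

# check_resources CPUS MEM_GB -> 0 when both meet the minimum, 1 otherwise
check_resources() {
  cpus=$1; mem_gb=$2
  [ "$cpus" -ge "$MIN_CPUS" ] && [ "$mem_gb" -ge "$MIN_MEM_GB" ]
}

# threat_scanning_cmd enable|disable -> the grdapi line for a collector
threat_scanning_cmd() {
  case $1 in
    enable)  echo "grdapi enable_advanced_threat_scanning" ;;
    disable) echo "grdapi disable_advanced_threat_scanning" ;;
    *) echo "usage: threat_scanning_cmd enable|disable" >&2; return 1 ;;
  esac
}

# sensitive_groups_cmd ID [ID...] -> the grdapi line that sets the sensitive
# object groups used by stored-procedure analytics; IDs must be integers
sensitive_groups_cmd() {
  [ $# -gt 0 ] || { echo "at least one group ID required" >&2; return 1; }
  ids=""
  for id in "$@"; do
    case $id in
      ''|*[!0-9]*) echo "invalid group ID: $id" >&2; return 1 ;;
    esac
    ids="${ids:+$ids,}$id"   # comma-join as the parameter expects
  done
  echo "grdapi set_outliers_detection_parameter parameter_name=\"sensitiveObjectGroupIds\" parameter_value=$ids"
}

# Dry run with constructed sizing values (an 8-CPU, 32 GB collector) and
# constructed group IDs (the default group 5 plus a hypothetical group 12):
if check_resources 8 32; then
  threat_scanning_cmd enable
  sensitive_groups_cmd 5 12
else
  echo "collector below the 4 CPU / 24 GB minimum; fix sizing first" >&2
fi
```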