Enabling and disabling threat detection analytics

Understand the prerequisites and procedures for enabling threat detection analytics.

Threat detection analytics is enabled, by default, on Guardium versions 10.1.4 and higher.

To enable threat detection analytics:
  • Ensure that your system meets the minimum memory and storage requirements for search (4 CPU and 24 GB RAM).
  • Verify that your system has logged application data. In particular, SQL injection (SQLI) detection requires application data, because the injection originates from the application: if the system "trusts" the application and does not monitor it in Guardium, the injection cannot be identified.
  • Outlier detection is not required for SQL injection threat detection, but it is required to fully support malicious stored procedure detection. For more information, see Enabling and disabling outliers detection.
  • Enable threat detection scanning on each collector, or on multiple managed units from the central manager, by using the GuardAPI command: grdapi enable_advanced_threat_scanning. See Threat detection analytics APIs for more information about the parameters available for the enable_advanced_threat_scanning command.
  • Set up the audit process to send case reports to the relevant investigators. This is optional but recommended. See Activating the audit process workflow for threat analytics for more information.
Important: Threat detection relies on analysis and correlation of logged data. Thus, any rules that filter out traffic before logging are not considered for threat detection. Examine your use of IGNORE S-TAP SESSION rules carefully to determine the risk of not logging these sessions versus optimizing the capacity of the collector.

To disable threat detection analytics, use the GuardAPI command: grdapi disable_advanced_threat_scanning, either on individual collectors or from the central manager.

Prerequisites for malicious stored procedures analytics

  • The analytics algorithm depends in part on sensitive object groups. By default, the algorithm uses the members of the system-defined sensitive objects group (group ID 5). If you already specified other sensitive object groups for outlier detection, threat detection uses the same groups. Even if outlier detection is not enabled, you can set your own sensitive object groups by using the same GuardAPI command:
    set_outliers_detection_parameter parameter_name="sensitiveObjectGroupIds" parameter_value=<group ID>,<group ID>,...
  • Policy rules must be installed to collect the necessary traffic for malicious stored procedure analysis.
    Recommendation: Create the following rules in your policy in the suggested order. It is important to check the Continue to next rule checkbox for all these rules.
    1. Access rule: Log Full Details where the Command group filter is PROCEDURE DDL.
    2. Access rule: Log Full Details where the Command group filter is EXECUTE Commands. If your database is Oracle, also include the command BEGIN in this rule.
    3. Exception rule: Log Only where the error type filter is SQL_ERROR.
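The two failure modes this page warns about, an IGNORE S-TAP SESSION rule that starves threat detection of logged traffic and a recommended rule installed without Continue to next rule, shown in a small constructed Python model of ordered policy evaluation. This is an added illustration, not Guardium code: the rule kinds, action names, the client_ip session filter and the single linear walk over access and exception rules are simplifying assumptions, not the product's actual policy engine.

```python
from dataclasses import dataclass

@dataclass
class Rule:
    name: str
    kind: str                             # "access" or "exception" (assumed model)
    action: str                           # LOG_FULL_DETAILS, LOG_ONLY or IGNORE_STAP_SESSION
    groups: frozenset = frozenset()       # command groups to match (empty = any)
    commands: frozenset = frozenset()     # individual commands to match, e.g. BEGIN
    error_types: frozenset = frozenset()  # error types an exception rule matches
    client_ips: frozenset = frozenset()   # session filter (empty = every session)
    continue_to_next: bool = True         # the "Continue to next rule" checkbox

@dataclass
class Event:
    command: str
    group: str
    client_ip: str
    error_type: str = ""                  # "SQL_ERROR" when the statement failed

def _matches(rule, ev):
    if rule.client_ips and ev.client_ip not in rule.client_ips:
        return False
    if rule.kind == "exception":
        return ev.error_type in rule.error_types
    if rule.groups or rule.commands:
        return ev.group in rule.groups or ev.command in rule.commands
    return True

def evaluate(policy, ev):
    """Walk the rules in order; return the logging actions applied to this event."""
    actions = []
    for rule in policy:
        if not _matches(rule, ev):
            continue
        if rule.action == "IGNORE_STAP_SESSION":
            return []                     # nothing from this session is logged at all
        actions.append(rule.action)
        if not rule.continue_to_next:
            break                         # evaluation stops; later rules never fire
    return actions

def visible_to_threat_detection(policy, ev):
    """Threat detection only correlates traffic that was actually logged."""
    return bool(evaluate(policy, ev))

# The three rules recommended above, in the recommended order.
RECOMMENDED = [
    Rule("1 procedure ddl", "access", "LOG_FULL_DETAILS", groups=frozenset({"PROCEDURE DDL"})),
    Rule("2 execute", "access", "LOG_FULL_DETAILS", groups=frozenset({"EXECUTE Commands"}),
         commands=frozenset({"BEGIN"})),  # BEGIN covers Oracle anonymous blocks
    Rule("3 sql error", "exception", "LOG_ONLY", error_types=frozenset({"SQL_ERROR"})),
]
```

Placing an IGNORE S-TAP SESSION rule for the application server's sessions ahead of these rules makes every procedure DDL and EXECUTE from that server invisible to the analytics, and clearing Continue to next rule on rule 1 drops the SQL_ERROR record for a failed procedure definition.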