Enabling and disabling outliers detection
Enable/disable outliers detection from any unit in a centralized environment, a multi-CM environment, or on a stand-alone collector.
Before you begin
- Guardium strongly recommends that you enable outliers only on 64-bit aggregators with a minimum of 24 gigabytes of memory.
About this task
Restriction: Outliers detection and Data Level Security cannot be enabled concurrently.
Outliers detection is disabled by default. You can enable outliers detection in either of the following two ways:
- In the Active Threat Analytics setup page. See
- Two API commands, enable_outliers_detection and disable_outliers_detection, enable and disable outliers detection on any Guardium system, in any topology.
The outliers detection commands affect the Guardium systems differently, depending on their setup.
- Single CM environment: Run the API command on the CM with no additional parameters to enable outliers detection on all managed units, and on all units registered to the CM thereafter. Alternatively, limit the enable or disable to a list of units. Similarly, disabling outliers detection on the CM disables it on all units that are registered with the CM.
- Multi-CM environment: Run the API command on a CM with no additional parameters to enable or disable outliers detection on all units that CM manages, and on all units registered to that CM thereafter. Alternatively, limit the enable or disable to a list of units. Similarly, disabling outliers detection on a CM disables it on a unit registered with the CM.
- Single collector: Run the command on a collector that does not extract data to an aggregator to enable or disable outliers detection locally.
Procedure
Results
When outliers detection is enabled, the system starts collecting outlier data. After the learning period completes (14 days), outliers data is available in the Investigation Dashboard (see Interpreting data outliers in the investigation dashboard and Interpreting file activity outliers in the investigation dashboard) and in the Outlier Analytic List Report.