Anomaly Detection

The Anomaly Detection process runs every polling interval to create and save, but not send, correlation alert notifications that are based on an alert's query.

Each notification is generated according to the schedule defined for its alert. See Configuring the alerter for more information about sending notifications.

The Anomaly Detection process uses the results of a correlation alert's query, which looks back over a specified period of time, and the correlation alert's threshold, to determine whether a condition is satisfied (an excessive number of failed logins, for example). See Correlation Alerts for more information.

In a Central Manager environment, the Anomaly Detection panel for each Guardium system can be used to turn off correlation alerts that are not appropriate for that particular Guardium system. Under Central Management, all correlation alerts are defined on the Central Manager, regardless of the Guardium system on which they were created or updated. These correlation alerts are the same for all Guardium systems and, when activated, are activated on all Guardium systems by default.

Note: The Alerter component must be configured and started to send a saved alert message to SYSLOG, email, or an SNMP trap.
Note: Anomaly Detection does not play a role in the production of real-time alerts, which are produced by security policies.
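To make the polling model concrete, here is an added Python simulation (not Guardium code, and not Guardium's log schema) of the process described above: once per polling interval a correlation alert's query is evaluated over its lookback window, compared with a threshold, and any satisfied condition is saved as a notification that is deliberately not sent. The log format, the failed-login event names and the `>=` comparison are assumptions for the illustration.

```python
from collections import namedtuple
from datetime import datetime, timedelta

# Constructed sample log lines (not Guardium's schema): timestamp, event, user.
SAMPLE_LOG = """\
2024-03-01 10:00:00 FAILED_LOGIN appuser
2024-03-01 10:01:00 FAILED_LOGIN appuser
2024-03-01 10:02:00 LOGIN dba
2024-03-01 10:02:30 FAILED_LOGIN appuser
2024-03-01 10:03:00 FAILED_LOGIN appuser
2024-03-01 10:04:00 FAILED_LOGIN appuser
2024-03-01 10:30:00 FAILED_LOGIN appuser
"""

Event = namedtuple("Event", "ts kind user")

def parse_events(text):
    """Parse the constructed log format into Event records."""
    events = []
    for line in text.splitlines():
        date, time, kind, user = line.split()
        events.append(Event(datetime.fromisoformat(f"{date} {time}"), kind, user))
    return events

def evaluate_alert(events, now, lookback_minutes, threshold, kind="FAILED_LOGIN"):
    """The alert's query: count matching events in the lookback window ending at
    `now`, then compare with the threshold. Using '>=' is an assumption; the page
    does not state which comparison Guardium applies."""
    window_start = now - timedelta(minutes=lookback_minutes)
    count = sum(1 for e in events if e.kind == kind and window_start <= e.ts <= now)
    return count, count >= threshold

def poll(events, start, end, polling_minutes, lookback_minutes, threshold):
    """Run the alert query once per polling interval and *save* a notification
    for every poll whose condition is satisfied. Nothing is sent here: delivery
    to syslog, email or SNMP is the Alerter's job, so each record has sent=False."""
    saved = []
    t = start
    while t <= end:
        count, fired = evaluate_alert(events, t, lookback_minutes, threshold)
        if fired:
            saved.append({"polled_at": t, "count": count, "sent": False})
        t += timedelta(minutes=polling_minutes)
    return saved

if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    # Poll every 5 minutes from 10:00 to 10:30, 10-minute lookback, threshold 5.
    for note in poll(evs, evs[0].ts, evs[-1].ts, 5, 10, 5):
        print(note)
```

With these settings the burst of five failed logins is caught by the 10:05 and 10:10 polls only; the single failure at 10:30 never reaches the threshold, which is the lookback-window behaviour the page describes.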

Automatically activate Anomaly Detection on startup

  1. Click Setup > Tools and Views > Anomaly Detection to open Anomaly Detection.
  2. Mark the Active on Startup check box. Each time the Guardium system restarts, Anomaly Detection is activated automatically.
  3. Click Apply.

Set how often Anomaly Detection checks for appliance issues

  1. Click Setup > Tools and Views > Anomaly Detection to open Anomaly Detection.
  2. Enter the Polling Interval in minutes.
  3. Click Apply.

Enable or Disable Active Alerts

To disable an alert globally in a Central Manager environment, use the alert builder: navigate to Protect > Database Intrusion Detection > Alert Builder and clear the Active check box in the Modify Alert panel.

To enable or disable an alert on a single Guardium system in a central management environment, follow these steps:

  1. Log in to the UI of the Guardium system on which you want to enable or disable one or more alerts.
  2. Click Setup > Tools and Views > Anomaly Detection to open Anomaly Detection.
  3. To disable an alert, select it from the Active Alerts box, and click Disable.
  4. To enable an alert, select it from the Locally Disabled Alerts box, and click Enable.

Stop or Restart Anomaly Detection

  1. Click Setup > Tools and Views > Anomaly Detection to open Anomaly Detection.
  2. Click Stop to stop Anomaly Detection, or click Restart to restart it.