Anomaly Detection
The Anomaly Detection process runs every polling interval to create and save, but not send, correlation alert notifications that are based on an alert's query.
This notification is run according to the schedule defined for each alert. See Configuring the alerter for more information about sending notifications.
The Anomaly Detection process uses the results of a correlation alert's query, which looks back over a specified period of time, and the correlation alert's threshold, to determine whether a condition is satisfied (an excessive number of failed logins, for example). See Correlation Alerts for more information.
In a Central Manager environment, the Anomaly Detection panel for each Guardium system can be used to turn off correlation alerts that are not appropriate for that particular Guardium system. Under Central Management, all correlation alerts are defined on the Central Manager, regardless of the Guardium system on which they were created or updated. These correlation alerts are the same for all Guardium systems and, when activated, are activated on all Guardium systems by default.
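A simplified model of the evaluation described above, as an added example that is not IBM Guardium code: each polling pass counts the events an alert's query selects within its look-back period, compares the count with the threshold, and saves (does not send) a notification, skipping alerts disabled on the local system. The class and function names, the `count > threshold` rule, and the sample events are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class CorrelationAlert:      # hypothetical model, not a Guardium object
    name: str
    event_type: str          # what the alert's query selects
    lookback: timedelta      # period the query looks back over
    threshold: int           # assumed rule: condition met when count > threshold

def poll(alerts, events, now, locally_disabled=frozenset()):
    """One polling pass: evaluate each active alert and return saved notifications."""
    saved = []
    for alert in alerts:
        if alert.name in locally_disabled:
            continue  # turned off on this system only; still defined centrally
        window_start = now - alert.lookback
        count = sum(1 for ts, etype in events
                    if etype == alert.event_type and window_start < ts <= now)
        if count > alert.threshold:
            # Saved, not sent: sending is handled separately on a schedule.
            saved.append({"alert": alert.name, "count": count, "at": now, "sent": False})
    return saved

# Constructed sample data: a burst of four failed logins, then one more later.
T0 = datetime(2024, 1, 1, 12, 0)
EVENTS = [(T0 + timedelta(minutes=m), "FAILED_LOGIN") for m in (1, 2, 3, 4, 20)]
EVENTS.append((T0 + timedelta(minutes=2), "LOGIN_OK"))
ALERTS = [CorrelationAlert("Excessive failed logins", "FAILED_LOGIN",
                           timedelta(minutes=10), 3)]

def run_polls(interval_min, until_min, locally_disabled=frozenset()):
    """Run poll() every interval_min minutes from T0 up to until_min minutes."""
    out = []
    for m in range(interval_min, until_min + 1, interval_min):
        out.extend(poll(ALERTS, EVENTS, T0 + timedelta(minutes=m), locally_disabled))
    return out

if __name__ == "__main__":
    for interval in (5, 10, 15):
        print(interval, "min polling ->", len(run_polls(interval, 30)), "saved")
```

In this model, a polling interval longer than the look-back period (15 versus 10 minutes) leaves the burst unevaluated, while a shorter interval (5 minutes) saves a notification for the same burst twice.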
Automatically activate Anomaly Detection on startup
- Open Anomaly Detection.
- Mark the Active on Startup check box. Each time the Guardium system restarts, Anomaly Detection is activated automatically.
- Click Apply.
Set the frequency that Anomaly Detection checks for appliance issues
- Open Anomaly Detection.
- Enter the Polling Interval in minutes.
- Click Apply.
Enable or Disable Active Alerts
To disable an alert globally in a Central Manager environment, use the alert builder: navigate to the Modify Alert panel and clear the Active check box.
To enable or disable an alert on a single Guardium system in a central management environment, follow these steps:
- Log in to the UI of the Guardium system on which you want to disable one or more alerts.
- Open Anomaly Detection.
- To disable an alert, select it from the Active Alerts box, and click Disable.
- To enable an alert, select it from the Locally Disabled Alerts box, and click Enable.
Stop or Restart Anomaly Detection
- Open Anomaly Detection.
- Click Stop to stop Anomaly Detection, or click Restart to restart it.