Enabling threat detection analytics

This topic describes the prerequisites and procedures for enabling threat detection analytics.

To enable threat detection analytics:
  • Ensure that the system meets the minimum memory and storage requirements for search (4 CPUs and 24 GB RAM).

  • Verify that your system has logged application data. SQL injection (SQLI) detection in particular requires application data, because the injection originates from the application. If the application is treated as "trusted" and its traffic is not monitored in Guardium, the injection cannot be identified.

  • Outlier detection is not required for SQL injection threat detection, but it is required to fully support suspicious stored procedure detection. For more information, see Enabling and disabling outliers detection locally on a Collector.

  • When upgrading to Guardium V10.1 through the upgrade patch process, you must enable threat detection scanning on each collector by using the following Guardium API command: grdapi enable_advanced_threat_scanning. See GrdAPI Threat Detection Analytics Functions for more information about parameters available for the enable_advanced_threat_scanning command.

  • Set up the audit process to send case reports to the relevant investigators. This is optional but recommended. See Activating the audit process workflow for threat analytics for more information.

Important: Threat detection relies on the analysis and correlation of logged data, so any traffic that a rule filters out before logging is never considered for threat detection. Examine your use of IGNORE S-TAP SESSION rules carefully and weigh the risk of not logging those sessions against the capacity savings on the collector.

Prerequisites for malicious stored procedures analytics

  • The analytics algorithm depends in part on sensitive object groups. By default, the algorithm uses the members of the system-defined sensitive objects group (group ID 5). If you have already specified additional sensitive object groups for outlier detection, threat detection uses the same groups. Even if outlier detection is not enabled, you can set your own sensitive object groups with the same GuardAPI command: set_outliers_detection_parameter parameter_name="sensitiveObjectGroupIds" parameter_value=<group ID>,<group ID>,...

  • Policy rules must be installed to collect the traffic that malicious stored procedure analysis needs.
    Recommendation: Create the following rules in your policy, in the suggested order. It is important to select the Continue to next rule checkbox for each of these rules; otherwise, traffic matched by an earlier rule is never evaluated by the later ones.
    1. Access rule: Log Full Details where Command group filter is PROCEDURE DDL.

    2. Access rule: Log Full Details where Command group filter is EXECUTE Commands. If your database is Oracle, include the command BEGIN in the rule.

    3. Exception rule: Log Only where error type filter is SQL_ERROR.