The Anomaly Detection process runs every polling interval to create and save, but not send, correlation alert notifications that are based on an alert's query. Each notification is generated according to the schedule defined for its alert. See Alerter Configuration for more information about sending notifications.
The Anomaly Detection process uses the results of a correlation alert's query, which looks back over a specified period of time, together with the correlation alert's threshold, to determine whether a condition is satisfied (an excessive number of failed logins, for example).
Note: The Alerter component must be configured and started to send
a saved alert message to SYSLOG, email, or an SNMP trap.
Note: Anomaly Detection does not play a role in the production of
real-time alerts, which are produced by security policies.
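The following is an added illustration of the evaluation logic described above; it is not Guardium's own code. It assumes a correlation alert is modelled as a lookback window, a threshold, and a per-alert run schedule (the names CorrelationAlert, poll_once, run_polling and the constructed failed-login events are all assumptions), that the alert's query is abstracted as a Python function counting matching events, and that satisfied conditions are only saved to a store, leaving delivery to a separate alerter component:

```python
"""Polling evaluator for correlation alerts (added example, not product code).

Each polling cycle evaluates only the alerts that are due according to their
own schedule, runs each alert's query over its lookback window, compares the
result with the alert's threshold, and saves a notification when the
condition is satisfied. Nothing here sends anything: delivery (syslog, email,
SNMP) is the job of a separate alerter that would read the saved store.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Event:
    ts: datetime
    kind: str   # e.g. "login_failed" or "login_ok"
    user: str


@dataclass
class CorrelationAlert:
    name: str
    lookback: timedelta      # how far back the query looks from "now"
    threshold: int           # condition satisfied when query result >= threshold
    run_every: timedelta     # the alert's own schedule, independent of polling
    query: Callable[[List[Event], datetime, datetime], int]
    last_run: Optional[datetime] = None


@dataclass(frozen=True)
class Notification:
    alert: str
    evaluated_at: datetime
    value: int
    threshold: int


def failed_logins(events: List[Event], start: datetime, end: datetime) -> int:
    """Stand-in for an alert query: count failed logins in [start, end)."""
    return sum(1 for e in events if e.kind == "login_failed" and start <= e.ts < end)


def evaluate(alert: CorrelationAlert, events: List[Event], now: datetime) -> Optional[Notification]:
    """Run the alert's query over its lookback window and apply the threshold."""
    value = alert.query(events, now - alert.lookback, now)
    if value >= alert.threshold:
        return Notification(alert.name, now, value, alert.threshold)
    return None


def poll_once(alerts: List[CorrelationAlert], events: List[Event],
              now: datetime, store: List[Notification]) -> List[Notification]:
    """One polling cycle: evaluate due alerts, save (but do not send) any hits."""
    created = []
    for alert in alerts:
        if alert.last_run is not None and now - alert.last_run < alert.run_every:
            continue   # not yet due under this alert's schedule
        alert.last_run = now
        note = evaluate(alert, events, now)
        if note is not None:
            store.append(note)
            created.append(note)
    return created


def run_polling(alerts: List[CorrelationAlert], events: List[Event], start: datetime,
                polling_interval: timedelta, cycles: int) -> Dict[str, object]:
    """Simulate `cycles` polling intervals; return the saved store and per-cycle counts."""
    store: List[Notification] = []
    per_cycle = []
    for i in range(cycles):
        created = poll_once(alerts, events, start + i * polling_interval, store)
        per_cycle.append(len(created))
    return {"saved": store, "per_cycle": per_cycle}


def demo() -> Dict[str, object]:
    """Constructed scenario: six failed logins for one account within ten minutes."""
    t0 = datetime(2024, 1, 1, 10, 0)
    events = [Event(t0 + timedelta(minutes=m), "login_failed", "svc_backup")
              for m in (1, 3, 4, 6, 8, 9)]
    events.append(Event(t0 + timedelta(minutes=5), "login_ok", "alice"))
    alerts = [CorrelationAlert(
        name="Excessive failed logins",
        lookback=timedelta(minutes=10),
        threshold=5,
        run_every=timedelta(minutes=10),
        query=failed_logins,
    )]
    # Poll every 5 minutes starting at 10:10: the alert is due at 10:10 and
    # 10:20 only, and the six failures fall inside the first window alone.
    return run_polling(alerts, events, t0 + timedelta(minutes=10),
                       timedelta(minutes=5), cycles=3)


if __name__ == "__main__":
    result = demo()
    for n in result["saved"]:
        print(f"{n.evaluated_at:%H:%M} {n.alert}: {n.value} >= {n.threshold} (saved, not sent)")
```

The separation between the polling interval (how often the process wakes up) and each alert's run schedule (how often that alert is actually evaluated) is the point to notice: a short polling interval does not make an alert fire more often than its own schedule allows, and a hit is only ever written to the store.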
Automatically activate Anomaly Detection on startup
- Click to open Anomaly Detection.
- Mark the Active on Startup check box. Each
time the Guardium system restarts, Anomaly Detection is activated
automatically.
- Click Apply.
Set the frequency at which Anomaly Detection checks for appliance issues
- Click to open Anomaly Detection.
- Enter the Polling Interval in minutes.
- Click Apply.
Enable or Disable Active Alerts
To enable or disable an alert, follow these steps:
- Log in to the UI of the Guardium system on which you want to enable or disable one or more alerts.
- Click to open Anomaly Detection.
- To disable an alert, select it from the Active Alerts box, and
click Disable.
- To enable an alert, select it from the Locally Disabled Alerts
box, and click Enable.
Stop or Restart Anomaly Detection
- Click to open Anomaly Detection.
- Click Stop to stop Anomaly Detection, or
click Restart to restart it.