Anomaly Detection

The Anomaly Detection process runs every polling interval to create and save, but not send, correlation alert notifications that are based on an alert's query.

Each saved notification is then processed according to the schedule defined for its alert. See Alerter Configuration for more information about sending notifications.

The Anomaly Detection process uses the results of a correlation alert's query, which looks back over a specified period of time, and the correlation alert's threshold, to determine whether a condition is satisfied (an excessive number of failed logins, for example).

Note: The Alerter component must be configured and started to send a saved alert message to SYSLOG, email, or an SNMP trap.
Note: Anomaly Detection does not play a role in the production of real-time alerts, which are produced by security policies.
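As an added illustration (not Guardium's own code), the Python model below shows the behaviour described above: once per polling interval, each active correlation alert's query is evaluated over its lookback period, compared with the alert's threshold, and a notification is saved, not sent, when the condition is met. The alert name, the event fields, the sample login events and the `run_example` helper are all constructed for this illustration.

```python
"""Model of a correlation alert evaluated once per Anomaly Detection polling interval."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable

@dataclass(frozen=True)
class CorrelationAlert:
    name: str
    lookback: timedelta                 # period the alert's query looks back over
    threshold: int                      # condition is satisfied when count >= threshold
    matches: Callable[[dict], bool]     # stands in for the alert's query predicate

@dataclass(frozen=True)
class SavedNotification:                # saved by Anomaly Detection; the Alerter sends it later
    alert: str
    polled_at: datetime
    observed: int

def run_query(alert: CorrelationAlert, events: list, now: datetime) -> int:
    """Count events matching the alert's query inside the lookback window ending at `now`."""
    start = now - alert.lookback
    return sum(1 for e in events if start <= e["time"] <= now and alert.matches(e))

def poll(alerts: list, events: list, now: datetime, saved: list) -> list:
    """One polling pass: evaluate every active alert; save (do not send) a notification per hit."""
    for alert in alerts:
        count = run_query(alert, events, now)
        if count >= alert.threshold:
            saved.append(SavedNotification(alert.name, now, count))
    return saved

def simulate(alerts: list, events: list, start: datetime, end: datetime, interval: timedelta) -> list:
    """Run polling passes from `start` to `end` at the given polling interval."""
    saved, t = [], start
    while t <= end:
        poll(alerts, events, t, saved)
        t += interval
    return saved

# Constructed sample login events (hypothetical, not real Guardium data); minutes after 09:00.
T0 = datetime(2024, 1, 1, 9, 0)
def ev(minutes: int, user: str, outcome: str) -> dict:
    return {"time": T0 + timedelta(minutes=minutes), "user": user, "outcome": outcome}
EVENTS = [ev(20, "app_user", "FAILED"), ev(60, "app_user", "FAILED"), ev(62, "app_user", "FAILED"),
          ev(63, "app_user", "SUCCESS"), ev(64, "app_user", "FAILED"), ev(65, "app_user", "FAILED"),
          ev(67, "app_user", "FAILED")]
FAILED_LOGINS = CorrelationAlert("Excessive failed logins", timedelta(minutes=10), 5,
                                 lambda e: e["outcome"] == "FAILED")

def run_example(polling_minutes: int) -> list:
    """Poll from 09:30 to 10:30 at the given interval and return the saved notifications."""
    return simulate([FAILED_LOGINS], EVENTS, T0 + timedelta(minutes=30),
                    T0 + timedelta(minutes=90), timedelta(minutes=polling_minutes))
```

With a 5-minute polling interval only the 10:10 pass sees five failures in its 10-minute window; a 1-minute interval saves one notification per pass from 10:07 to 10:10, which is why the polling interval affects how many saved notifications the Alerter later picks up.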

Automatically activate Anomaly Detection on startup

  1. Click Protect > Database Intrusion Detection > Anomaly Detection to open Anomaly Detection.
  2. Mark the Active on Startup check box. Each time the Guardium system restarts, Anomaly Detection is activated automatically.
  3. Click Apply.

Set how often Anomaly Detection checks for appliance issues

  1. Click Protect > Database Intrusion Detection > Anomaly Detection to open Anomaly Detection.
  2. Enter the Polling Interval in minutes.
  3. Click Apply.

Enable or Disable Active Alerts

To enable or disable an alert, follow these steps:

  1. Log in to the UI of the Guardium system on which you want to enable or disable one or more alerts.
  2. Click Protect > Database Intrusion Detection > Anomaly Detection to open Anomaly Detection.
  3. To disable an alert, select it from the Active Alerts box, and click Disable.
  4. To enable an alert, select it from the Locally Disabled Alerts box, and click Enable.

Stop or Restart Anomaly Detection

  1. Click Protect > Database Intrusion Detection > Anomaly Detection to open Anomaly Detection.
  2. Click Stop to stop Anomaly Detection, or click Restart to restart it.