Question & Answer
Question
The Outlier Detection algorithm uses real data that is being collected normally and audited by policy rules. It generates an anomaly score based on past data and identifies specific days which have irregular activity. It studies data continuously over a preset training period and builds models against previous activity or that of similar group users. These models show what is normal and what is not.
Answer
Before you set up Outlier Detection, read the two topics below, which are described in the DeveloperWorks article Use Guardium outlier detection to detect hidden threats:
- How outlier detection works
- Training phase
The DeveloperWorks article shows the result of outlier analysis as displayed in the Quick Search UI: user activity with two colored indicators, High Outlier and Medium Outlier. The red indicators point to the time on a specific day at which highly anomalous events occurred; these require immediate investigation. The yellow indicators show less critical anomalies than the red ones, but they still warrant attention. The anomaly score is an aggregate value calculated from past data.
To set up a Guardium Appliance for Outliers Detection, follow the steps below:
Step 1: Prerequisites for Outlier
1. v9.5 GPU530 is recommended for using outliers.
2. Quick search is enabled by default on 64-bit appliances that meet the minimum system requirements listed below:
System Requirements for IBM InfoSphere Guardium v9.5
3. Quick search opens ports 8983 and 9983 on both central managers and collectors. These ports are opened when quick search is enabled and closed when it is disabled. Ensure the ports are not blocked by any firewall and that they allow bidirectional communication between central managers and collectors.
Note: If data is not already being audited by a Guardium security policy, it is not available for Guardium to analyze.
Step 2: Enable Quick Search
In the CLI, run the following grdapi command:
grdapi enable_quick_search schedule_interval=2 schedule_units=MINUTE
By default, violations are not included in the search. To include them, append includeViolations=true to the command above.
To check whether quick search is enabled, in the CLI run: grdapi get_quick_search_info
To disable quick search, in the CLI run: grdapi disable_quick_search
Step 3: Enable Outliers Detection
Log in to the collector as a user or administrator with the CLI role, and use the following GuardAPI command to enable the Outliers Detection function.
grdapi enable_outliers_detection schedule_interval=1 schedule_units=HOUR
Outliers will start extracting into the data mart on the current date every hour.
Once outlier detection is enabled, it automatically accumulates data over the next 30 days. This is called the training period. When the training period is over, the analysis continues to run and adjusts the statistical model of what is normal and what is irregular (known as outliers).
To see the factory and current settings and the list of parameters, run grdapi get_outliers_detection_info. In the CLI run:
grdapi get_outliers_detection_info
The last training process start time: 20151115050606 end time: 20151115050607 status: Done
...
Current
-----------------
alertRarityThreshold=0.98
alertThreshold=0.99
alertVolumeThreshold=0.9998
cleanupKeepDays=90
intervalThreshold=0.999
minNumOfIntervalsForAlerts=100
minimalRequiredTrainPeriod=1
privUsersGroupIds=1
sensitiveObjectGroupIds=5
ok
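When outliers are enabled on many collectors, it helps to check each one's get_outliers_detection_info output against an agreed baseline rather than reading it by eye. The following is an added example (not Guardium code and not from the technote); it parses the output format shown above, using a constructed sample modelled on it, and reports parameters that drift from a baseline plus any collector whose last training run did not finish. It assumes that section headings in the output are bare single-word lines, as "Current" is above.

```python
import re
from dataclasses import dataclass, field
from typing import Optional
# Constructed sample, modelled on the get_outliers_detection_info output quoted above.
SAMPLE_OUTPUT = """\
The last training process start time: 20151115050606 end time: 20151115050607 status: Done
...
Current
-----------------
alertRarityThreshold=0.98
alertThreshold=0.99
alertVolumeThreshold=0.9998
cleanupKeepDays=90
intervalThreshold=0.999
minNumOfIntervalsForAlerts=100
minimalRequiredTrainPeriod=1
privUsersGroupIds=1
sensitiveObjectGroupIds=5
ok
"""
TRAIN_RE = re.compile(r"start time: (\d{14}) end time: (\d{14}) status: (\w+)")
PARAM_RE = re.compile(r"^(\w+)=(\S+)$")

@dataclass
class OutliersInfo:
    train_status: Optional[str] = None   # e.g. "Done"
    train_start: Optional[str] = None    # yyyymmddHHMMSS, as printed by the CLI
    train_end: Optional[str] = None
    params: dict = field(default_factory=dict)  # name -> value from the "Current" block only

def parse_outliers_info(text: str) -> OutliersInfo:
    """Parse the text a collector returns for 'grdapi get_outliers_detection_info'."""
    info, section = OutliersInfo(), None
    for raw in text.splitlines():
        line = raw.strip()
        if m := TRAIN_RE.search(line):
            info.train_start, info.train_end, info.train_status = m.groups()
        elif (m := PARAM_RE.match(line)) and section == "Current":
            info.params[m.group(1)] = m.group(2)
        elif line.isalpha():   # bare word = section heading; the factory block's name is assumed
            section = line
    return info

def check_against_baseline(info: OutliersInfo, baseline: dict) -> dict:
    """Return {param: (expected, actual)} for every baseline value this collector drifts from."""
    drift = {k: (v, info.params.get(k, "<missing>")) for k, v in baseline.items()
             if info.params.get(k) != v}
    if info.train_status != "Done":   # outlier scores are not meaningful until training finished
        drift["trainingStatus"] = ("Done", str(info.train_status))
    return drift
```

Feed it the captured CLI text from each collector; an empty result means the collector matches the baseline and has finished training.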
To set the minimal training period, in the CLI run:
grdapi set_outliers_detection_parameter parameter_name=minimalRequiredTrainPeriod parameter_value=<N in days>
To disable outliers, in the CLI run:
grdapi disable_outliers_detection
Summary of the available quick search and outliers commands:
grdapi disable_quick_search
grdapi enable_quick_search
grdapi get_quick_search_info
grdapi refresh_quick_search_groups
grdapi disable_outliers_detection
grdapi enable_outliers_detection
grdapi get_outliers_detection_info
grdapi set_outliers_detection_parameter
Related Topics:
- Enable Quick Search and Port Requirements
- All about Outliers Detection:
  - enable/disable outliers detection
  - interpreting outliers
  - group users and objects
  - exclude events
- CLI commands related to Outliers
Document Information
Modified date: 16 June 2018
UID: swg21971432