After you create a baseline, you can configure anomalies to use with the information gathered in the dashboard. This allows you to receive alerts when events occur outside of the baseline.
From Sentinel Main, click the desired dashboard under the dashboard heading, then click Configure anomaly detection.
Click Create anomaly definition.
The Anomaly detection definition details screen is displayed.
Use the following information to create the anomaly definition:
Anomaly name: Specify a unique name for the anomaly.
Anomaly description: Specify a description for the anomaly. The description is displayed in the anomaly event.
Comparison type: Select and define the anomaly type. The options are:
Threshold: When the number of events of a specific type exceeds a specified limit, Sentinel triggers an anomaly event. For example, if you set the threshold for login failures to five and more than five failed logins occur, Sentinel triggers an anomaly event.
Moving Average: A moving average is calculated over a specific period of time; recalculating the average over that sliding window smooths out noise and short-lived deviations. Sentinel triggers an anomaly event if the moving average deviates from the normal average. For example, during the holiday season, internet traffic to e-commerce websites might spike, producing an abnormal average compared to the rest of the year. Sentinel triggers an anomaly event indicating the deviation in the moving average.
Ratio: Compares the number of events of one type with the number of events of another type. If the ratio of one event type to the other exceeds a specified limit, Sentinel triggers an anomaly event. For example, an anomaly event is triggered if a significantly larger number of events are reported for viruses than for network attacks.
Historical: Compares the number of current events with the number of events received in the past. For example, if the historical data reports the number of invalid logins per day in the range of 100-150 and the current number of invalid logins is 1000, Sentinel triggers an anomaly event.
Baseline: Compares event data to an established baseline. A baseline is usually the accepted or agreed-upon values of event data. You must have a custom baseline to use this option. For more information, see Creating Baselines. If there is a deviation from the baseline, Sentinel triggers an anomaly event. For example, if the event stream baseline is 1000 events per second and the event stream rate increases or decreases, Sentinel triggers an anomaly event.
As per your requirement, you can select the Comparison type and specify the anomaly definition.
When specifying the anomaly definition, specify the event category, or the category and subcategory combination delimited by two greater-than signs (>>). For example, Create a user session >> Disabled. Enter a text string to get auto-complete suggestions for relevant event categories. Leave the field blank to include all categories.
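The five comparison types above are easier to reason about as decision rules over per-interval event counts. The following is an added illustration, not Sentinel's own code; the counts, window size, tolerances and category pairing are constructed sample values, and the moving-average rule (recent window mean versus long-run mean) is one simple interpretation of the behaviour described.

```python
from statistics import mean


def threshold_anomaly(count, limit):
    # Threshold: fire when the count of one event type exceeds the limit
    # ("more than five failed logins" means 6 fires, 5 does not).
    return count > limit


def moving_average_anomaly(history, window, max_deviation):
    # Moving Average: average the most recent `window` intervals and compare it
    # with the long-run average of everything before them; fire when the
    # relative deviation exceeds `max_deviation` (a fraction, e.g. 0.5 = 50%).
    if len(history) <= window:
        return False  # not enough history to form a "normal" average
    recent = mean(history[-window:])
    normal = mean(history[:-window])
    return abs(recent - normal) / normal > max_deviation


def ratio_anomaly(count_a, count_b, max_ratio):
    # Ratio: compare counts of two event types (e.g. virus events vs network
    # attack events); fire when type A outnumbers type B by more than max_ratio.
    if count_b == 0:
        return count_a > 0  # avoid division by zero: any A with no B is anomalous
    return count_a / count_b > max_ratio


def historical_anomaly(current, past_counts):
    # Historical: fire when the current count falls outside the range seen in the past.
    return not (min(past_counts) <= current <= max(past_counts))


def baseline_anomaly(rate, baseline_rate, tolerance):
    # Baseline: fire when the rate rises OR falls more than `tolerance`
    # (a fraction of the baseline) away from the agreed baseline value.
    return abs(rate - baseline_rate) > tolerance * baseline_rate


def demo():
    # Constructed sample data mirroring the examples in the text.
    daily_invalid_logins = [100, 120, 150, 130, 110, 140, 125]  # per day, constructed
    return {
        "threshold": threshold_anomaly(count=6, limit=5),
        "moving_average": moving_average_anomaly(daily_invalid_logins + [400, 450, 500], 3, 0.5),
        "ratio": ratio_anomaly(count_a=90, count_b=10, max_ratio=3.0),
        "historical": historical_anomaly(1000, daily_invalid_logins),
        "baseline": baseline_anomaly(rate=1300, baseline_rate=1000, tolerance=0.2),
    }
```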
Anomaly state: Define the state of the anomaly by selecting any one of the following:
Always active: Use this option to keep the anomaly definition active at all times, so that it triggers whenever the specified anomaly definition is met.
Only active for selected days and times: Use this option to define the specific days and times during which the anomaly definition can trigger. When you select this option, a default time grid is displayed. You can change the time grid and specify several different time periods for the same anomaly definition by holding the Ctrl key while selecting.
NOTE: The times displayed in the time grid are in local time.
Notification information: Specify the following information to define how notifications are sent.
Severity: Select the severity of the notification. The options are 0 to 5.
After this anomaly definition fires: Specify the notification time gap for sending e-mail or event notifications after the anomaly triggers.
Optionally send notification via e-mail after the anomaly triggers: Fill in the following fields to send an e-mail when the anomaly triggers.
E-mail address: Specify the e-mail addresses of the people who should receive notification when the anomaly occurs. Separate multiple e-mail addresses with commas.
Subject: Specify a subject for the e-mail.
Message: Specify a message for the e-mail to explain the anomaly that occurred.
Click Save.
Continue with Deploying an Anomaly Definition.
After the anomaly definition is created, it must be deployed to be applied to the dashboard.
In the Sentinel Main interface, click Security Intelligence > Dashboard, then select the dashboard where you created the anomaly definition.
Click Configure anomaly detection.
The Anomaly detect screen is displayed.
Mouse over the anomaly definition you want to deploy, then click Deploy.
You receive a message that the anomaly definition was deployed.
To undeploy the anomaly definition:
In the Sentinel Main interface, click Security Intelligence > Dashboard, then select the dashboard where you created the anomaly definition.
Click Configure anomaly detection.
Mouse over the anomaly definition you want to undeploy, then click Undeploy.
Click Undeploy again to verify that you want to perform this action.
You receive a message that the anomaly definition was undeployed.
You can perform the following management tasks on the anomaly definitions:
To edit an anomaly definition:
In the Sentinel Main interface, click Security Intelligence > Dashboard, then select the dashboard where you created the anomaly definition.
Click Configure anomaly detection.
Mouse over the anomaly you want to edit, then click Edit.
Make any desired changes to the anomaly definition, then click Save.
To delete an anomaly definition:
In the Sentinel Main interface, click Security Intelligence > Dashboard, then select the dashboard where you created the anomaly definition.
Click Configure anomaly detection.
Mouse over the anomaly you want to delete, then click Delete.
Click Delete again to verify that you want to perform this action.