ML Engine Configuration
Threat Analytics
For the ML Engine to receive logs from Kron PAM and calculate the risk score, the pam-loganomaly service must be active. Use the following commands to start it and verify its status:

```
[root@ml-engine ml-engine-installer]# systemctl start pam-loganomaly
[root@ml-engine ml-engine-installer]# systemctl status pam-loganomaly
```

Navigate to the /pam/log-anomaly/config/ folder. Open the config.json file with a text editor and edit the weights to fine-tune anomaly detection. These values determine how strongly each field influences the risk score (please refer to the 3.7.0 Reference Guide for detailed information about the parameters). Set values between 0 and 1.

```
{
  "weightofkeys": {
    "user": {
      "host": 0.5,
      "access_protocol": 0.05,
      "client_ip": 0.05,
      "date": 1,
      "command": 1
    },
    "host": {
      "user_name": 0.5,
      "access_protocol": 0.05,
      "client_ip": 0.05,
      "date": 1,
      "command": 1
    }
  },
  "max_fit_size": 100000,
  "port": 5010,
  "contamination": 0.01
}
```

Save the config.json file and restart the anomaly detection service:

```
[root@ml-engine ml-engine-installer]# systemctl restart pam-loganomaly
```

The port used for Kron PAM to communicate with the ML Engine is defined in the configuration file. Make sure it aligns with your environment's network settings.

The ML Engine operates over HTTPS. In Kron PAM, be sure to set the ml log anomaly api server url parameter as
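
A check to run on config.json before restarting the service, as an added example that is not part of the original guide or the product's own tooling: it flags any weight that is not a number between 0 and 1 and any port value that is not a usable TCP port. The function name `validate_config` and the sample config are constructed for illustration; the keys `weightofkeys` and `port` follow the sample configuration on this page.

```python
import json

def validate_config(text):
    """Return a list of problems found in config.json text (empty list if none)."""
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg} (line {exc.lineno})"]
    if not isinstance(cfg, dict):
        return ["top level is not a JSON object"]
    problems = []
    groups = cfg.get("weightofkeys")
    if not isinstance(groups, dict) or not groups:
        problems.append("weightofkeys: missing or not an object")
        groups = {}
    for group, weights in groups.items():
        if not isinstance(weights, dict):
            problems.append(f"weightofkeys.{group}: not an object")
            continue
        for field, value in weights.items():
            # bool is a subclass of int in Python, so exclude it explicitly.
            numeric = isinstance(value, (int, float)) and not isinstance(value, bool)
            if not numeric or not 0 <= value <= 1:
                problems.append(f"weightofkeys.{group}.{field}: {value!r} is not a number between 0 and 1")
    port = cfg.get("port")
    if isinstance(port, bool) or not isinstance(port, int) or not 1 <= port <= 65535:
        problems.append(f"port: {port!r} is not a valid TCP port")
    return problems

# Constructed sample with three deliberate mistakes: a weight above 1,
# a weight written as a string, and a port written as a string.
SAMPLE = """{
  "weightofkeys": {
    "user": {"host": 0.5, "client_ip": 0.05, "date": 5, "command": "1"},
    "host": {"user_name": 0.5, "date": 1, "command": 1}
  },
  "max_fit_size": 100000,
  "port": "5010",
  "contamination": 0.01
}"""

if __name__ == "__main__":
    for line in validate_config(SAMPLE) or ["config OK"]:
        print(line)
```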