Threat Analytics and Response Engine Configuration
The Threat Analytics and Response Engine comes pre-configured with default settings, including the anomaly weights used for score calculations. The various anomalies found in the data, such as user session times, access protocol, executed commands, connected users, and devices, contribute to the score calculation in distinct ways.

The Threat Analytics and Response Engine employs advanced machine learning algorithms to identify deviations from expected user and device behavior. Instead of relying on static, rule-based threat detection, it dynamically detects anomalies by statistically analyzing user and device interactions within your network environment.

Note that the calculated risk scores and the number of anomalies detected can vary with system usage and network conditions. To optimize its effectiveness, it is strongly recommended to continuously monitor the system's performance and make adjustments as your specific requirements dictate.

The configuration parameters for the Threat Analytics and Response Engine, along with their descriptions, are listed below.

User weight parameters (key: user) are used in user-based anomaly detection. They determine the risk score of anomalies regarding users.

| Parameter key | Description | Value range |
|---|---|---|
| host | Quantifies the statistical influence of the host information on the computation of the anomaly risk score. A value between 0 and 1 must be specified. As the value approaches 0, host information matters less in determining the risk score; as it approaches 1, its impact on the calculation intensifies. | 0 to 1 |
| access protocol | Quantifies the statistical influence of the access protocol information on the computation of the anomaly risk score. It is used to detect an anomaly, especially when a connection to devices with the same IP address uses a different protocol. A value between 0 and 1 must be specified. As the value approaches 0, access protocol information matters less in determining the risk score; as it approaches 1, its impact intensifies. | 0 to 1 |
| client ip | Quantifies the statistical influence of the client IP address information on the computation of the anomaly risk score. A value between 0 and 1 must be specified. As the value approaches 0, client IP address information matters less in determining the risk score; as it approaches 1, its influence intensifies. | 0 to 1 |
| date | Quantifies the statistical influence of the session start date information on the computation of the anomaly risk score. A value between 0 and 1 must be specified. As the value approaches 0, date information matters less in determining the risk score; as it approaches 1, its influence intensifies. | 0 to 1 |
| command | Quantifies the statistical influence of the command information on the computation of the anomaly risk score. A value between 0 and 1 must be specified. As the value approaches 0, command information matters less in determining the risk score; as it approaches 1, its influence intensifies. | 0 to 1 |

Host weight parameters (key: host) are used in device-based anomaly detection. They determine the risk scores according to the connected devices.

| Parameter key | Description | Value range |
|---|---|---|
| user name | Quantifies the statistical influence of the linked username information on the computation of the anomaly risk score. A value between 0 and 1 must be specified. As the value approaches 0, username information matters less in determining the risk score; as it approaches 1, its influence intensifies. | 0 to 1 |
| access protocol | Quantifies the statistical influence of the access protocol information on the computation of the anomaly risk score. It is used to detect an anomaly, especially when a connection to devices with the same IP address uses a different protocol. A value between 0 and 1 must be specified. As the value approaches 0, access protocol information matters less in determining the risk score; as it approaches 1, its impact intensifies. | 0 to 1 |
| client ip | Quantifies the statistical influence of the client IP address information on the computation of the anomaly risk score. A value between 0 and 1 must be specified. As the value approaches 0, client IP address information matters less in determining the risk score; as it approaches 1, its influence intensifies. | 0 to 1 |
| date | Quantifies the statistical influence of the session start date information on the computation of the anomaly risk score. A value between 0 and 1 must be specified. As the value approaches 0, start date information matters less in determining the risk score; as it approaches 1, its influence intensifies. | 0 to 1 |
| command | Quantifies the statistical influence of the commands run within the session on the computation of the anomaly risk score. A value between 0 and 1 must be specified. As the value approaches 0, command information matters less in determining the risk score; as it approaches 1, its influence intensifies. | 0 to 1 |

General parameters:

| Parameter key | Description | Default value |
|---|---|---|
| max fit size | Specifies the amount of data used by the Threat Analytics and Response Engine for anomaly detection, that is, how much historical data is retained for anomaly detection purposes. Increasing the default value can enhance accuracy by incorporating more data into anomaly detection, but it may lead to performance issues. Keeping the default value is recommended for optimal performance. | 100000 |
| port | Port of the Threat Analytics and Response Engine. | 5011 |
| contamination | Indicates the number of anomalies that can be statistically detected within the data specified by the max fit size parameter. Increasing this number raises the sensitivity of anomaly detection, so more anomalies are identified; decreasing it lowers sensitivity, so fewer anomalies are detected. | 0.01 |

To change the weight of anomalies:

1. Log in to the Threat Analytics and Response Engine CLI.
2. Navigate to the /pam/log_anomaly/config/ folder.
3. Open the config.json file with a text editor and edit the weights to fine-tune anomaly detection. Set values between 0 and 1. (The separators in the path, key names and service name below are shown as underscores because the source rendering is garbled; confirm them against your installation.)

```json
{
  "weightOfKeys": {
    "user": {
      "host": 0.5,
      "access_protocol": 0.05,
      "client_ip": 0.05,
      "date": 1,
      "command": 1
    },
    "host": {
      "user_name": 0.5,
      "access_protocol": 0.05,
      "client_ip": 0.05,
      "date": 1,
      "command": 1
    }
  },
  "max_fit_size": 100000,
  "port": 5011,
  "contamination": 0.01
}
```

4. Save the config.json file and restart the anomaly detection service:

```
systemctl restart pam_loganomaly
```
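As an added illustration, not part of the product documentation or the engine's own code, the following Python parses a config.json of the shape shown above, checks the ranges this page prescribes (weights in 0 to 1, a positive max fit size, contamination as a fraction), and demonstrates how a weight near 0 versus near 1 changes a weighted risk score and how contamination bounds the share of sessions flagged. The key names are the reconstructed ones from the sample above, and the scoring formula is an assumed stand-in for the engine's machine learning model, not its actual algorithm.

```python
import json
import math

# Constructed sample of the config.json layout on this page (key spellings reconstructed).
SAMPLE_CONFIG = json.dumps({
    "weightOfKeys": {
        "user": {"host": 0.5, "access_protocol": 0.05, "client_ip": 0.05,
                 "date": 1, "command": 1},
        "host": {"user_name": 0.5, "access_protocol": 0.05, "client_ip": 0.05,
                 "date": 1, "command": 1},
    },
    "max_fit_size": 100000,
    "port": 5011,
    "contamination": 0.01,
})

def load_config(text: str) -> dict:
    """Parse the JSON text of a config.json file."""
    return json.loads(text)

def validate_config(cfg: dict) -> list:
    """Return the problems found; an empty list means the config is sane."""
    problems = []
    for scope, weights in cfg.get("weightOfKeys", {}).items():
        for key, w in weights.items():
            if not isinstance(w, (int, float)) or not 0 <= w <= 1:
                problems.append(f"{scope}.{key} weight {w!r} is outside 0..1")
    if not isinstance(cfg.get("max_fit_size"), int) or cfg["max_fit_size"] <= 0:
        problems.append("max_fit_size must be a positive integer")
    c = cfg.get("contamination")
    if not isinstance(c, (int, float)) or not 0 < c < 1:
        problems.append("contamination must be a fraction strictly between 0 and 1")
    return problems

def weighted_risk(cfg: dict, scope: str, deviations: dict) -> float:
    """Illustrative score: weighted mean of per-feature deviations, each in 0..1.
    A weight near 0 makes its feature irrelevant; near 1 it counts fully.
    This stands in for the engine's ML model and is not its actual formula."""
    weights = cfg["weightOfKeys"][scope]
    total = sum(weights.values())
    if total == 0:
        return 0.0
    return sum(w * deviations.get(k, 0.0) for k, w in weights.items()) / total

def flag_anomalies(scores: list, contamination: float) -> list:
    """Indices of the top ceil(contamination * n) scores: contamination caps the share flagged."""
    n_flag = math.ceil(contamination * len(scores))
    ranked = sorted(range(len(scores)), key=lambda i: scores[i], reverse=True)
    return sorted(ranked[:n_flag])
```

With the defaults above, a fully deviant host plus access protocol for a user scores only about 0.21, while a deviant command alone scores about 0.38, because command carries weight 1 and access protocol 0.05.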