
Operations Behavior Anomaly Detection embodies the CPSDR concept: it first learns the behaviors of each agent-device, and from that gains a deep understanding of the expected behaviors for each device. Every agent continuously analyzes its host device to establish and maintain a unique baseline fingerprint. Unexpected behaviors and deviations from this fingerprint can then be detected in real time, first at the individual agent level and secondarily at the centralized control level, to inform wider instability issues and prompt preventative actions.

Follow these procedures as the recommended practice when you start using Operations Behavior Anomaly Detection:

  1. Toggle on the Learn mode of the Operations Behavior Anomaly Detection on the Policy page. Ensure that you toggle on the User Login and Application Behavior as well.
  2. Deploy all the required configuration, features, updates, or fixes, and run all the daily operation processes during the Learn mode.
    Note:

    If the Application Lockdown is enabled, ensure you turn on the maintenance mode when performing these deployments.

    1. Toggle on the User Login:
      1. Use the required user accounts to log into the agent-device.

      2. Ensure you also log in from different IP addresses or domains if it is required during your daily operation processes.

      Note:

      You can also manually add approved user accounts and relevant details used in the operations and processes into the Policy-based Approved Login Accounts.

    2. Toggle on the Application Behaviors:
      • Run the applications required for daily operation processes.

      • Download required applications or execute updates or fixes required for existing applications on the agent-device.

      Note:

      You can also manually add approved applications used in the operations and processes into the Policy-based Approved Applications.

  3. Switch to the Detect mode for a few days and check whether the normal daily operations trigger any events.
    Note:
    • You can check the Agent event logs to see whether any anomalous operation or process was detected. See Agent Events for more details.

    • See Strict Mode for more details on using the Strict mode.
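
The sketch below is an added conceptual model of the Learn-then-Detect workflow above, not the product's code or its fingerprint format. It shows why every login source and application update must be exercised (or manually approved) during Learn mode: anything skipped surfaces as an event in Detect mode. The class, the tuple layout, the exact-match rule and all sample values are assumptions.

```python
from dataclasses import dataclass, field

# Conceptual model only. The tuple layout and exact-match rule are assumptions,
# not the product's fingerprint format or detection logic.
@dataclass
class AgentBaseline:
    mode: str = "learn"                         # "learn" or "detect"
    learned: set = field(default_factory=set)   # behaviors seen in Learn mode
    approved: set = field(default_factory=set)  # manually approved policy entries

    def approve(self, kind, *detail):
        self.approved.add((kind, *detail))

    def observe(self, kind, *detail):
        """Return None for expected behavior, otherwise an event record."""
        key = (kind, *detail)
        if self.mode == "learn":
            self.learned.add(key)               # everything seen becomes baseline
            return None
        if key in self.learned or key in self.approved:
            return None
        return {"kind": kind, "detail": detail, "reason": "not in baseline"}

def rehearse(learn_ops, detect_ops, approvals=()):
    """Replay a Learn period, switch to Detect, and return the events raised."""
    agent = AgentBaseline()
    for op in approvals:
        agent.approve(*op)
    for op in learn_ops:
        agent.observe(*op)
    agent.mode = "detect"
    return [e for op in detect_ops if (e := agent.observe(*op)) is not None]

# Constructed sample data (accounts, addresses and hashes are placeholders).
LEARN = [("login", "operator", "192.0.2.10"),
         ("app", "hmi.exe", "hash-v1")]
APPROVALS = [("login", "maint", "192.0.2.30")]  # added manually, never observed
DETECT = [("login", "operator", "192.0.2.10"),  # learned
          ("login", "operator", "192.0.2.20"),  # second source skipped in Learn
          ("login", "maint", "192.0.2.30"),     # covered by manual approval
          ("app", "hmi.exe", "hash-v1"),        # learned
          ("app", "hmi.exe", "hash-v2")]        # update installed after Learn

EVENTS = rehearse(LEARN, DETECT, APPROVALS)

if __name__ == "__main__":
    for event in EVENTS:
        print(event)
```

The two events raised are the second login source and the post-Learn update; the manually approved account raises none.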