The Anomaly Detection process runs correlation alerts according to the schedule defined for each alert. A correlation alert looks back over a specified period of time to determine whether a condition has been satisfied (an excessive number of failed logins, for example). See Correlation Alerts for more information.
In a Central Manager environment, the Anomaly Detection panel is used to turn off correlation alerts that are not appropriate for a particular appliance. Under Central Management, all correlation alerts are defined on the Central Manager, and when activated, will be activated on all appliances by default.
Notes
If an alert creates an email message or SNMP trap, the Alerter component must be configured and started.
Anomaly Detection does not play a role in the production of real-time alerts, which are produced by security policies.
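To make the scheduled look-back behaviour concrete, here is an added example that is not part of the product documentation and does not use any product API: a toy correlation alert in Python, evaluated on a fixed polling interval over a few constructed login log lines. The log format, the alert fields (name, lookback, threshold, matches, key) and the function names are all assumptions made for the illustration; the product's own alert definitions are configured in the Modify Alert panel described under Correlation Alerts.

```python
"""Toy scheduled look-back correlation alert over constructed log lines (illustration only)."""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Tuple

# Constructed sample log (hypothetical format, not the appliance's log format):
# ISO timestamp, user, client IP and login outcome.
SAMPLE_LOG = """\
2024-05-01T09:48:00 user=alice ip=10.0.0.5 result=FAILED
2024-05-01T09:52:00 user=alice ip=10.0.0.5 result=FAILED
2024-05-01T09:53:00 user=alice ip=10.0.0.5 result=FAILED
2024-05-01T09:54:00 user=alice ip=10.0.0.5 result=FAILED
2024-05-01T09:55:00 user=alice ip=10.0.0.5 result=FAILED
2024-05-01T09:56:00 user=alice ip=10.0.0.5 result=FAILED
2024-05-01T09:57:00 user=bob ip=10.0.0.7 result=SUCCESS
2024-05-01T09:58:00 user=bob ip=10.0.0.7 result=FAILED
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    ip: str
    result: str


def at(iso: str) -> datetime:
    """Parse an ISO-8601 timestamp (helper so callers need no datetime import)."""
    return datetime.fromisoformat(iso)


def parse_log(text: str) -> List[Event]:
    """Turn 'TIMESTAMP key=value ...' lines into Event records, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, *pairs = line.split()
        fields = dict(p.split("=", 1) for p in pairs)
        events.append(Event(at(ts_str), fields["user"], fields["ip"], fields["result"]))
    return events


@dataclass(frozen=True)
class CorrelationAlert:
    name: str
    lookback: timedelta                 # how far back each evaluation looks
    threshold: int                      # fire when a group's count reaches this value
    matches: Callable[[Event], bool]    # which events count toward the condition
    key: Callable[[Event], str]         # how matching events are grouped (per user, per IP, ...)


def evaluate(alert: CorrelationAlert, events: List[Event], now: datetime) -> Tuple[Dict[str, int], List[str]]:
    """Count matching events in the window (now - lookback, now] per key.

    Returns the per-key counts and the sorted keys whose count reached the threshold.
    """
    start = now - alert.lookback
    counts = Counter(alert.key(e) for e in events if start < e.ts <= now and alert.matches(e))
    fired = sorted(k for k, n in counts.items() if n >= alert.threshold)
    return dict(counts), fired


def run_schedule(alerts, events, start: datetime, end: datetime, interval_minutes: int):
    """Evaluate every alert at each poll time from start to end (inclusive) on a fixed interval."""
    hits = []
    t = start
    while t <= end:
        for alert in alerts:
            _, fired = evaluate(alert, events, t)
            hits.extend((t, alert.name, k) for k in fired)
        t += timedelta(minutes=interval_minutes)
    return hits


# Hypothetical alert: five or more failed logins by one user within the last ten minutes.
FAILED_LOGINS = CorrelationAlert(
    name="excessive_failed_logins",
    lookback=timedelta(minutes=10),
    threshold=5,
    matches=lambda e: e.result == "FAILED",
    key=lambda e: e.user,
)

SAMPLE_EVENTS = parse_log(SAMPLE_LOG)

if __name__ == "__main__":
    for when, name, who in run_schedule([FAILED_LOGINS], SAMPLE_EVENTS, at("2024-05-01T09:50:00"),
                                         at("2024-05-01T10:00:00"), interval_minutes=5):
        print(f"{when.isoformat()} {name} fired for {who}")
```

Two things the toy makes visible that the prose only implies: the look-back window, not the polling interval, decides what is counted, so alice's 09:48 failure drops out of the window by the 10:00 poll while five later ones still fire the alert; and because each poll evaluates independently, the same condition fires again at 09:55 and 10:00. A real system would suppress such repeats or only report new crossings, which this illustration deliberately leaves out.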
To activate Anomaly Detection automatically on startup, follow the procedure outlined below:
1. Click Administration Console > Anomaly Detection to open the Anomaly Detection panel.
2. Mark the Active on Startup checkbox. Each time the appliance restarts, Anomaly Detection will be activated automatically.
3. Click Apply.
To set the polling interval, follow the procedure outlined below:
1. Click Administration Console > Anomaly Detection to open the Anomaly Detection panel.
2. Enter the Polling Interval, in minutes.
3. Click Apply.
To disable an alert globally in a Central Manager environment, it is easier to clear the Active checkbox in the Modify Alert panel (see Correlation Alerts).
To enable or disable an alert on a single appliance in a Central Management environment, follow the procedure outlined below:
1. Log in to the administrator portal of the appliance on which you want to disable one or more alerts.
2. Click Administration Console > Anomaly Detection to open the Anomaly Detection panel.
3. To disable an alert, select it from the Active Alerts box, and click Disable.
4. To enable an alert, select it from the Locally Disabled Alerts box, and click Enable.
To stop or restart Anomaly Detection, follow the procedure outlined below:
1. Click Administration Console > Anomaly Detection to open the Anomaly Detection panel.
2. Click Stop to stop Anomaly Detection, or click Restart to restart it.