GotRoot rules and Anomaly Scoring mode

Posted: Mon Jun 01, 2015 3:35 pm
by jags15
Hi all

I am new to Atomicorp products. I have the Gotroot rules subscription and I think the Rules and AUM is brilliant. It makes the whole process much easier and lets me concentrate on looking at the Alerts.

Is it possible to put AUM into Anomaly Scoring mode?

In case Atomicorp calls it something else, what I'm after is for the score of individual rules to be counted up at the end of the transaction. Ultimately I am interested in seeing any "Outbound" rules or Data Leakage rules firing. I've already made the small and easy change of putting AUM into: SecRuleEngine DetectionOnly. Hopefully I haven't missed anything obvious. I've had a search on the forum and not seen any hits.

Thanks again for a great product. Regards

Jag
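For readers unfamiliar with the mechanism Jag describes, the following is an added illustration and not part of the original thread or of Atomicorp's Gotroot/AUM rule set. It is a minimal, self-contained ModSecurity 2.x configuration in which individual outbound rules only add to a per-transaction score, and a single evaluation rule at the end of the response phase decides based on the sum. The variable names (tx.outbound_anomaly_score, tx.outbound_anomaly_score_threshold, tx.critical_anomaly_score, and so on) follow the OWASP CRS convention but are assumptions here, and the rule ids 9001xx to 9003xx are constructed placeholders.

```apache
# Added example (not Atomicorp's rules): anomaly-scoring pattern for outbound checks.
# Assumed names: tx.outbound_anomaly_score, tx.outbound_anomaly_score_threshold,
# tx.critical_anomaly_score, tx.error_anomaly_score. Rule ids are placeholders.

# Same setting the original post mentions: log what would have been blocked, never deny.
SecRuleEngine DetectionOnly

# RESPONSE_BODY is only populated when response body access is enabled.
SecResponseBodyAccess On

# Phase 1: initialise the scoring variables for this transaction.
SecAction "id:900100,phase:1,pass,nolog,\
  setvar:tx.outbound_anomaly_score=0,\
  setvar:tx.outbound_anomaly_score_threshold=4,\
  setvar:tx.critical_anomaly_score=5,\
  setvar:tx.error_anomaly_score=4"

# Phase 4 detectors: each one passes the transaction and only raises the score.
# Constructed detector 1: a PHP error message leaking into the response body.
SecRule RESPONSE_BODY "@rx (?i)^\s*(warning|fatal error|parse error)\b.*?on line \d+" \
  "id:900200,phase:4,pass,log,msg:'PHP error message in response body',\
   tag:'leakage',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score}"

# Constructed detector 2: a US social security number pattern in the response body.
SecRule RESPONSE_BODY "@rx \b\d{3}-\d{2}-\d{4}\b" \
  "id:900201,phase:4,pass,log,msg:'Possible SSN pattern in response body',\
   tag:'leakage',setvar:tx.outbound_anomaly_score=+%{tx.critical_anomaly_score}"

# Phase 4 evaluation: one decision at the end of the outbound checks, based on the sum.
# Under DetectionOnly the deny is recorded in the logs rather than enforced.
SecRule TX:OUTBOUND_ANOMALY_SCORE "@ge %{tx.outbound_anomaly_score_threshold}" \
  "id:900300,phase:4,deny,status:403,log,\
   msg:'Outbound anomaly score %{tx.outbound_anomaly_score} reached threshold %{tx.outbound_anomaly_score_threshold}'"
```

With the rules loaded in this order, a response containing a single leaked PHP error scores 4 and trips the evaluation rule, while a response matching neither detector scores 0 and produces no alert. The entry to watch for in the error or audit log is the id 900300 message, since it carries the final score; the individual detector messages (900200, 900201) explain which rules contributed to it.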

Re: GotRoot rules and Anomaly Scoring mode

Posted: Mon Sep 14, 2015 7:37 am
by jags15
A polite bump. In the hope anyone has some insight to offer.
Thanks

Re: GotRoot rules and Anomaly Scoring mode

Posted: Tue Sep 15, 2015 11:26 am
by scott
Not in that WAF component directly; in ASL we do make use of anomaly detection in the Threat Intelligence system, the locality sensitive malware upload engine, and event analysis module.

In a big picture sort of way, we rely on the WAF to do what it's good at: make very good observations about a stateless event (in IDS speak, we call this an "atomic" event, meaning one or single... total coincidence to the atomicorp name). Anomaly detection in the IDS world is built on the foundation of analyzing complex or comprehensive events/sources to make a determination. WAFs are good at coming up with really high quality atomic events for something else to do that complex analysis.

Re: GotRoot rules and Anomaly Scoring mode

Posted: Sun Oct 25, 2015 5:20 pm
by jags15
Thanks Scott - that makes sense