Configure Contextual Machine Learning for Best Accuracy
The Contextual Machine Learning engine reaches a verdict more accurately when it can differentiate between users or sources of HTTP requests. CloudGuard AppSec allows you to configure how the source of a web request is identified, per web application or API.
Once CloudGuard AppSec knows how to identify the source, you can also configure trusted sources. Learning the behavior of multiple trusted sources helps the contextual machine learning engine learn faster what counts as a benign or malicious request for a specific web application or API.
Configuring the items below accelerates the learning process and allows the Machine Learning Engine to reach more accurate decisions.
They can also be found by browsing to Cloud->Assets and editing an asset, under Source Identity and Trusted Sources.
The source of an HTTP web request can be identified in a number of ways. Use the table below to select the appropriate identifier for the sources of your web application.
1. Go to Cloud->Assets and select the asset you want to configure.
2. Select a method to distinguish the sources according to the table above.
3. (Optional) Add the name of the field that uniquely identifies the user.
1. Add specific IP addresses (in case of Source IP or X-Forwarded-For) or specific user identifiers (in case of Header/JWT/Cookie) of trusted sources to the list.
2. Minimum Users To Trust - You may change the default of 3 to a lower (not recommended) or higher number. Taking "3" as the example, the learning mechanism will not learn "benign" behavior from the trusted sources until at least 3 of them have created similar traffic patterns. This avoids a single source becoming a "malicious source of truth". The number of trusted sources in the table has to be at least this minimum, so that the machine learning engine has a good indication of "benign behavior".
3. Click Publish to publish the changes to the management.
4. Click Enforce to deploy the changes to the enforcement points.
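The following Python model is an added illustration and is not CloudGuard AppSec's own code. It shows the two mechanisms described above: how each identification method (Source IP, X-Forwarded-For, Header, JWT, Cookie) resolves a request to a single source identifier, and how a Minimum Users To Trust threshold withholds a traffic pattern from the "benign" set until enough distinct trusted sources have produced it. The request dictionary shape, the `trusted_proxies` parameter, the traffic pattern tuples and the demo token are assumptions of the example. Two points the steps above leave implicit are made explicit: the X-Forwarded-For value is only honoured when the direct peer is one of your own proxies (otherwise the client chooses its own identity and could impersonate a trusted source), and a JWT claim is read here without signature verification, which a real enforcement point must perform before trusting the identifier.

```python
"""Illustrative model of source identification and the Minimum Users To Trust
rule. Assumed request shape: {"peer_ip": str, "headers": {name: value}}.
Constructed for this example; not CloudGuard AppSec's implementation."""
import base64
import json
from collections import defaultdict
from http.cookies import SimpleCookie


def identify_source(method, request, field=None, trusted_proxies=frozenset()):
    """Return the identifier of the request's source for the chosen method,
    or None when the configured field is absent or malformed."""
    headers = {k.lower(): v for k, v in request["headers"].items()}
    if method == "Source IP":
        return request["peer_ip"]
    if method == "X-Forwarded-For":
        xff = headers.get("x-forwarded-for")
        # Only trust XFF when the direct peer is a proxy we operate; a client
        # talking to us directly could otherwise forge any identity it likes.
        if xff is None or request["peer_ip"] not in trusted_proxies:
            return request["peer_ip"]
        # Walk the chain from the right, skipping our own proxies; the first
        # address we did not add ourselves is the client.
        for hop in reversed([h.strip() for h in xff.split(",")]):
            if hop not in trusted_proxies:
                return hop
        return request["peer_ip"]
    if method == "Header":
        return headers.get(field.lower())
    if method == "Cookie":
        jar = SimpleCookie()
        jar.load(headers.get("cookie", ""))
        return jar[field].value if field in jar else None
    if method == "JWT":
        auth = headers.get("authorization", "")
        if not auth.startswith("Bearer "):
            return None
        parts = auth[len("Bearer "):].split(".")
        if len(parts) != 3:
            return None
        # Claims are decoded only to read the identifier; the signature must be
        # verified by the enforcement point before this value is trusted.
        payload = parts[1] + "=" * (-len(parts[1]) % 4)
        try:
            claims = json.loads(base64.urlsafe_b64decode(payload))
        except ValueError:  # covers binascii.Error and JSONDecodeError
            return None
        return claims.get(field)
    raise ValueError(f"unknown identification method: {method}")


class TrustedSourceLearner:
    """Marks a traffic pattern as benign only after `min_users_to_trust`
    distinct trusted sources have produced it, so no single trusted source
    can become a 'malicious source of truth'."""

    def __init__(self, trusted_sources, min_users_to_trust=3):
        if len(set(trusted_sources)) < min_users_to_trust:
            raise ValueError("the trusted list must hold at least min_users_to_trust sources")
        self.trusted = set(trusted_sources)
        self.min_users = min_users_to_trust
        self.seen_by = defaultdict(set)  # pattern -> trusted sources that sent it
        self.benign = set()

    def observe(self, source_id, pattern):
        """Record one request; return True once the pattern counts as benign."""
        if source_id not in self.trusted:
            return False  # untrusted traffic never teaches benign behaviour
        self.seen_by[pattern].add(source_id)
        if len(self.seen_by[pattern]) >= self.min_users:
            self.benign.add(pattern)
        return pattern in self.benign


def _b64url(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


# Constructed demo token with a placeholder signature segment (not a valid JWT signature).
DEMO_JWT = ".".join([_b64url({"alg": "HS256", "typ": "JWT"}),
                     _b64url({"sub": "alice@example.com"}), "sig-placeholder"])

if __name__ == "__main__":
    proxies = frozenset({"192.0.2.1"})
    spoofed = {"peer_ip": "203.0.113.9", "headers": {"X-Forwarded-For": "10.0.0.5"}}
    print(identify_source("X-Forwarded-For", spoofed, trusted_proxies=proxies))
    learner = TrustedSourceLearner(["alice", "bob", "carol", "dave"])
    pattern = ("GET", "/api/orders", "page")
    for user in ("alice", "bob", "alice", "carol"):
        print(user, learner.observe(user, pattern))
```

Run stand-alone, the script shows the forged X-Forwarded-For value being ignored in favour of the real peer address, and the pattern becoming benign only on the third distinct trusted user, not on the repeat request from the first.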
Depending on the amount and variance of traffic, after some time the machine learning engine reaches a stage where it has observed enough web requests to understand how the application is used. The sooner this stage is reached, the sooner detection becomes accurate, and at that point it is recommended to move to Prevent mode.