You can define a scope, begin learning behavior, and enforce rules using AppDefense Manager.

Prerequisites

You have access to AppDefense Manager.

Procedure

  1. Log in to the AppDefense Manager.
    The AppDefense Manager Dashboard appears. You can see the overall coverage data, alarms, available scopes, and provisioned events. You can click VMware AppDefense to return to the Dashboard from any screen.
  2. Perform the following tasks. Each task is listed with its description.
    Task: Create a Scope.

    If you have integrated and provisioned an application with AppDefense such as vRealize Automation or Puppet Enterprise, you can view the created scope. You can manually create a scope as well.

    To create a Scope:

    1. To add a scope, in the left navigation pane, next to Scopes, click +.
    2. In Scope Name, enter some identifying information about the application, and then click Create.

    The scope is created and appears in the Dashboard under the Scope in discovery panel. By default, the created scope is in the Discovery Mode.

    You can filter scopes by name or by mode (Protected or Discovery).
    Task: Create a Service. A Service is made up of one or more VMs that perform a function within an application. An App Server or a DB Cluster is an example of a service. All VMs within a service are expected to be homogeneous and to have exactly the same allowed behavior and rules. Therefore, all behavior and rules are defined at the Service level.

    To create a Service:

    1. Go to the created Scope, and click Add Service.
    2. Provide the service details. Enter the Service Name.
    3. Select the Service Type from the list. For example, App Server or Web Server.
    4. Enter a description for the service, and click Next.
    5. Add members by selecting the required virtual machines from the list. The selected VMs are the VMs that you are protecting. Click Next.
    6. In the Allowed Behavior section, do not add any allowed behaviors right now. In Discovery Mode, the system learns the behavior.
    Task: Learn the behavior. AppDefense now tracks the activity on the members in each service under the Behavior tab.

    To create or edit a behavior:

    1. From the left navigation pane, filter and click the created scope.
    2. Select the required service.
    3. Go to the Behavior tab.
    4. To view new learned behaviors, refresh the AppDefense Manager.
    5. To edit the behavior, click the required behavior and then click Edit.

    Leave a scope in the Discovery Mode for at least 7–14 days.

    Task: Verify and protect. Once the learned allowed behaviors are satisfactory, you can move the scope and all services within the scope to the Protected Mode. The Verify and Protect button moves the scope to the Protected Mode.

    To move a scope to the Protected Mode:

    1. From the left navigation pane, filter and click the created scope.
    2. To add the selected scope to the Protected Mode, click the Verify and Protect button at the top of the page.
    3. A confirmation dialog box appears. Click Verify and Protect.

    This action marks the golden image of the application state and begins locking down the behavior. After moving to Protected Mode, rules are applied. You can view the applied rules under the Rules tab, and any violation generates an alarm.

    After the scopes are in the Protected Mode, continue tuning and refining the behaviors within each scope. To ensure that behaviors are properly verified, repeat the steps. Continue to monitor the behaviors and scopes in the Protected Mode.

    Task: Configure Rules. You can configure which rules are enabled for a service and the desired remediation action for each.

    By default, all rules are enabled and the remediation action is only to Alert. You can edit each rule.

    To edit the rule:

    1. From the left navigation pane, filter and click the created scope.
    2. Select the required service.
    3. Go to the Rules tab. Click the More options (three vertical dots) icon, and then click Edit service.
    4. Click the Rules tab.
    5. Select the required remediation action and the required enforcement type, Automatic or Manual.
    6. Click Update.
    Task: Detect and respond. Alarms for the scope appear at the top of the page. All alarms appear under Alarms in the left navigation pane. All alarms are refreshed when you navigate to any tab.

    To view and respond to an alarm:

    1. From the left navigation pane, click Alarms. All alarms are listed.
    2. Click the required alarm. The detailed view of the alarm appears.
    3. Select the required alarm ID, and perform the required action:
      1. Clear Alarms: The selected alarm is cleared from the list and is not displayed again.
      2. Allow Behavior: The behavior that raised the selected alarm is added to the allowed behavior.
      3. Remediation Action: Select the remediation action, such as quarantine, suspend, snapshot, or power off the VM.
        Note: Quarantine remediation is available only when NSX Data Center is deployed and configured.
    4. Click Confirm.
  3. Continue to monitor alarms and modify behaviors and rules as required.