Posture Anomaly (PA) Detection allows organizations to identify and manage deviations from the expected system posture. By configuring unwanted entities such as ports, services, processes, startup applications, devices, and environment variables, administrators can effectively detect and whitelist exceptions. This ensures that anomalies are only triggered for unauthorized or non-standard configurations, providing accurate and actionable posture analysis.
This article explains how to configure Posture Anomaly Detection for Unwanted Entities in the Saner platform.
Steps to Configure
- Navigate to PA Configure
  From the console, go to PA → Configure.
  You will see categories such as Unwanted Ports, Services, Processes, Startup Applications, Devices, and Environment Variables.
- Choose the Appropriate Section
  Use the vertical navigation menu on the left.
  Each section corresponds to a specific type of unwanted entity:
  - PA-2022-1068 – Unwanted Ports
  - PA-2022-1069 – Unwanted Services
  - PA-2022-1070 – Unwanted Processes
  - PA-2022-1071 – Unwanted Startup Applications
  - PA-2022-1072 – Unwanted Devices
  - PA-2022-1073 – Unwanted Environment Variables
- Select or Add Entities to Whitelist
  Check the boxes next to the entities (e.g., specific ports or processes) you want to whitelist.
  If the entity is not listed, click Add New, type the name/value, and save.
- Save the Configuration
  After selecting the required items, click the Save button on the top-right.
  Saving triggers recalculation of PA detection with the updated whitelist.
Configuration Indicators
While configuring, you may notice the following icons:
Example Use Cases
- Unwanted Ports: Whitelist ports such as 443 (HTTPS) if required by your environment, while keeping unused ports like 135 or 139 flagged as anomalies.
- Unwanted Services: Exclude approved services like Application Layer Gateway Service from detection while monitoring unapproved services.
- Unwanted Processes: Allow critical processes (e.g., explorer.exe, powershell.exe) while treating unknown executables as anomalies.
- Unwanted Startup Applications: Whitelist required startup items like OneDriveSetup while flagging unnecessary autostart entries.
- Unwanted Devices: Configure permitted devices (e.g., NODE-1) and detect unauthorized hardware.
- Unwanted Environment Variables: Maintain only approved environment variables to detect suspicious or injected entries.