Configuring Posture Anomaly Detection for Unwanted Entities

Modified on Tue, 30 Sep at 4:27 PM

Posture Anomaly (PA) Detection allows organizations to identify and manage deviations from the expected system posture. By configuring unwanted entities such as ports, services, processes, startup applications, devices, and environment variables, administrators can effectively detect and whitelist exceptions. This ensures that anomalies are only triggered for unauthorized or non-standard configurations, providing accurate and actionable posture analysis.

This article explains how to configure Posture Anomaly Detection for Unwanted Entities in the Saner platform.

Steps to Configure

  1. Navigate to PA Configure
    • From the console, go to PA → Configure.
    • You will see categories such as Unwanted Ports, Services, Processes, Startup Applications, Devices, and Environment Variables.

  2. Choose the Appropriate Section
    • Use the vertical navigation menu on the left.
    • Each section corresponds to a specific type of unwanted entity:
      • PA-2022-1068 – Unwanted Ports
      • PA-2022-1069 – Unwanted Services
      • PA-2022-1070 – Unwanted Processes
      • PA-2022-1071 – Unwanted Startup Applications
      • PA-2022-1072 – Unwanted Devices
      • PA-2022-1073 – Unwanted Environment Variables

  3. Select or Add Entities to Whitelist
    • Check the boxes next to the entities (e.g., specific ports or processes) you want to whitelist.
    • If the entity is not listed, click Add New, type the name/value, and save.

  4. Save the Configuration
    • After selecting the required items, click the Save button on the top-right.
    • Saving triggers recalculation of PA detection with the updated whitelist.


Configuration Indicators

While configuring, you may notice the following icons:

Example Use Cases

  • Unwanted Ports: Whitelist ports such as 443 (HTTPS) if required by your environment, while keeping unused ports like 135 or 139 flagged as anomalies.
  • Unwanted Services: Exclude approved services like Application Layer Gateway Service from detection while monitoring unapproved services.
  • Unwanted Processes: Allow critical processes (e.g., explorer.exe, powershell.exe) while treating unknown executables as anomalies.
  • Unwanted Startup Applications: Whitelist required startup items like OneDriveSetup while flagging unnecessary autostart entries.
  • Unwanted Devices: Configure permitted devices (e.g., NODE-1) and detect unauthorized hardware.
  • Unwanted Environment Variables: Maintain only approved environment variables to detect suspicious or injected entries.
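
To preview the effect of a whitelist before clicking Save, the following added example (not Saner code and not a Saner API) models the evaluation offline: observed entities that the whitelist does not cover stay flagged, and whitelist entries that match nothing observed are listed for review. The host inventory, the whitelist entries beyond the values named in the use cases above, and the case-insensitive matching rule are assumptions.

```python
# Added example (not Saner code). Check IDs are from the article; the rest is assumed.
CHECKS = {
    "PA-2022-1068": "Unwanted Ports",
    "PA-2022-1069": "Unwanted Services",
    "PA-2022-1070": "Unwanted Processes",
    "PA-2022-1071": "Unwanted Startup Applications",
    "PA-2022-1072": "Unwanted Devices",
    "PA-2022-1073": "Unwanted Environment Variables",
}

def normalize(value):
    # Assumed matching rule: trimmed, case-insensitive text comparison.
    return str(value).strip().lower()

def dry_run(observed, whitelist):
    """Return (anomalies, unused): entities still flagged, whitelist entries never seen."""
    anomalies, unused = {}, {}
    for check_id in CHECKS:
        seen = {normalize(v): v for v in observed.get(check_id, [])}
        allowed = {normalize(v): v for v in whitelist.get(check_id, [])}
        flagged = sorted((seen[k] for k in seen.keys() - allowed.keys()), key=str)
        stale = sorted((allowed[k] for k in allowed.keys() - seen.keys()), key=str)
        if flagged:
            anomalies[check_id] = flagged
        if stale:
            unused[check_id] = stale
    return anomalies, unused

# Constructed host inventory, keyed by check ID.
OBSERVED = {
    "PA-2022-1068": [443, 135, 139],
    "PA-2022-1069": ["Application Layer Gateway Service", "ExampleRemoteSvc"],
    "PA-2022-1070": ["explorer.exe", "PowerShell.exe", "unknown_tool.exe"],
    "PA-2022-1071": ["OneDriveSetup"],
    "PA-2022-1072": ["NODE-1", "EXAMPLE-USB-7"],
    "PA-2022-1073": ["PATH", "EXAMPLE_INJECTED_VAR"],
}
# Proposed whitelist; "LegacyUpdater" is a constructed entry that matches nothing.
WHITELIST = {
    "PA-2022-1068": [443],
    "PA-2022-1069": ["Application Layer Gateway Service"],
    "PA-2022-1070": ["explorer.exe", "powershell.exe"],
    "PA-2022-1071": ["OneDriveSetup", "LegacyUpdater"],
    "PA-2022-1072": ["NODE-1"],
    "PA-2022-1073": ["PATH"],
}

if __name__ == "__main__":
    print(dry_run(OBSERVED, WHITELIST))
```

Entries reported as unused are candidates for removal, since a whitelist entry that matches nothing on the host only widens what would be accepted later.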
