Alerts concepts

Alerts make it easy to inform your teams when critical network, device, or application events occur, such as Software License Agreement (SLA) violations. You can configure alert settings to track specified criteria and generate alerts when configured conditions are met.

When an alert is generated, you can also direct the ExtraHop system to send an email message or an SNMP trap to designated people in your organization. You can also configure time ranges in which alerts are suppressed, such as weekends, to reduce unnecessary alerts.

Alerts are displayed on the Alert History page, which enables you to quickly assess the severity of the alert and view the source of the alert.

Alert types

You can configure threshold and trend alert settings in the ExtraHop Web UI. The ExtraHop system also generates alerts through anomaly detection, which is available with a subscription to the ExtraHop Addy™ service.

Addy Anomaly alerts
Anomalies are unexpected deviations from normal patterns in device or application behavior. Unlike threshold and trend alerts, which require you to configure alert conditions, anomalies are automatically detected by ExtraHop Addy. Addy is a cloud-based service that applies machine learning techniques to detect anomalies in your IT environment.

The focus of this topic is for threshold and trend alerts and how to configure them in the ExtraHop Web UI, but you can learn how to get started with Addy in the ExtraHop Addy User Guide.

Threshold alerts
Threshold-based alerts are generated when a monitored metric crosses a defined value in a time period. Threshold alerts are useful for monitoring occurrences such as error rates that surpass a comfortable percentage or SLA-violations.
Trend alerts
Trend-based alerts are generated when a monitored metric deviates from the normal trends observed by the system. Trend alerts are useful for monitoring metric trends such as unusually high round-trip times or storage servers experiencing abnormally low traffic, which might indicate a failed backup.

Trend alert settings are more complex than threshold alerts, and are useful for metrics where thresholds are difficult to define.

Alert conditions

An alert is generated when the alert conditions that you configure are met. The areas of consideration are different depending on the alert type. For anomaly alerts, the monitored protocols and the firing mode are considered. For threshold or trend alerts, the monitored metric, the firing mode, and the alert expression are considered.

Monitored protocols
Specifies which protocols are watched by the alert configuration. The ExtraHop system generates an alert only if an anomaly is detected from traffic that is over a specified protocol.
Monitored metric
Specifies the metric tracked by the alert configuration. The ExtraHop system watches for instances when the value of the metric crosses a defined threshold or diverges from the trend. Threshold alert settings can track a top-level or detail metric, but trend alert settings can only track a top-level metric.
Firing mode
Specifies how often an alert is generated. Specify the edge-triggered alert option to issue a single alert when conditions are met even if the condition is ongoing. Specify a level-triggered alert option to issue alerts at specified intervals for as long as the conditions are true.
Alert expression
Specifies when to issue an alert. A series of options, such as the time interval, the metric value, and the rate, are combined to determine the alert expression. For example, you can set options to issue a threshold alert when the value of the monitored metric falls below 100 per second in a 1 minute interval. Options available for an alert expression vary by alert type and other configuration settings.

The values for each area are combined to determine the alert conditions; as the system monitors the specified metric, if the alerts conditions are met, the system issues an alert based on the specified firing mode and the alert type.

For example, the following alert conditions result in a threshold alert when an HTTP 500 status code is observed more than 100 times during a ten minute period:

Monitored metric: extrahop.device.http_server:status_code?500

Firing mode: Edge-triggered

Alert expression: Value over 10 minutes > 100 per interval

Or, you can specify a per second, minute, or hour rate. For example, the following alert conditions result in a threshold alert when an HTTP 500 status code is observed more than 30 times per minute during a 10 minute period:

Monitored metric: extrahop.device.http_server:status_code?500

Firing mode: Edge-triggered

Alert expression: Value over 10 minutes > 30 per minute

The alert conditions for a trend alert are slightly different than for a threshold alert. The following settings result in a trend alert when a spike (75th percentile) in HTTP web server processing time that lasts longer than 10 minutes, and where the metric value of the processing time is 100% higher than the trend:

Monitored metric: extrahop.device.http_server:tprocess

Firing mode: Edge-triggered

Alert expression: 75th percentile over 10 minutes > 200 percent of trend

Alert History

After you have configured settings for an alert or two, you can check out the Alert History for any generated alerts.

Tip:An Alerts History widget is available on the Overview page of devices and applications, and displays a list of alerts that occurred on that source.

The Alert History contains an entry for each alert generated during the time interval and displays the following information:

A color-coded indicator of the user-defined severity level of the alert. The severity levels are Emergency, Alert, Critical, Error, Warning, Notice, Info, and Debug.
Alert name
The name of the alert specified in the alert configuration settings.

For anomaly alerts, the alert names includes the anomaly title. You can click the anomaly title to view details on the Anomalies page.

The name of the data source on which the alert conditions occurred. If the alert is associated with a single protocol, click the source name to go to that protocol page of the source. If the alert is associated with multiple protocols, click the source name to go to the Overview page of the source.
The time of the most recent occurrence of the alert conditions.
Alert type
Indicates a trend, threshold or anomaly alert.
Tip:To view additional threshold and trend alert details, such as the alert expression, click Alert History Legacy Layout in the lower left-hand pane, and then click on the alert name.

Alert notifications

You can add notifications to an alert configuration, which enable you to review alerts with high priority severity settings through email or SNMP. When the alert is generated, notifications are emailed to specified addresses or sent to an SNMP listener.

The alert notifications contain information such as the severity level of the alert, the source, the alert conditions, and when the alerts was generated. For more information, see Add a notification to an alert configuration.

Exclusion intervals

You can define a time in which alerts are suppressed through an exclusion interval. When an exclusion interval is assigned to an alert configuration, alerts will be suppressed from the Alert History, email notifications, and SNMP listener.

For example, an exclusion interval enables you to prevent recurring, duplicate alerts in the Alert History about high database activity during hours the database is backed up. For more information, see Create an exclusion interval for alerts.

Published 2021-05-10 17:12