Alerts concepts

Alerts make it easy to inform your teams when critical network, device, or application events occur, such as service level agreement (SLA) violations. You can configure alert settings to track specified criteria and generate alerts when the configured conditions are met.

When an alert is generated, you can also direct the ExtraHop system to send an email message or an SNMP trap to designated people in your organization. You can also configure time ranges in which alerts are suppressed, such as weekends, to reduce unnecessary alerts.

Alerts are displayed on the Alert History page, which enables you to quickly assess the severity of the alert and view the source of the alert.

Alert types

You can configure threshold and trend alert settings in the ExtraHop Web UI. The ExtraHop system also generates alerts through anomaly detection, which is available with a subscription to the ExtraHop Addy™ service.

Addy Anomaly alerts
Anomalies are unexpected deviations from normal patterns in device or application behavior. Anomalies are automatically detected by ExtraHop Addy, a cloud-based service that applies machine learning techniques to detect anomalies in your IT environment. Learn how to get started with Addy in the ExtraHop Addy User Guide.

Addy anomaly alerts are useful for filtering anomalies by protocol or source so that you can receive alerts pertaining only to a subset of anomalies you want to view.

Threshold alerts
Threshold-based alerts are generated when a monitored metric crosses a defined value in a time period. You can specify a top-level or a detail metric as the threshold.

Threshold alerts are useful for monitoring occurrences such as error rates that surpass an acceptable percentage, or SLA violations.

Trend alerts
Trend-based alerts are generated when a monitored metric deviates from the normal trends observed by the system. Trend alerts are useful for monitoring metric trends such as unusually high round-trip times or storage servers experiencing abnormally low traffic, which might indicate a failed backup.

Trend alert settings are more complex than threshold alert settings, and are useful for metrics where thresholds are difficult to define.

Alert conditions

An alert is generated when the alert conditions that you configure are met. The areas of consideration are different depending on the alert type. For anomaly alerts, the monitored protocols and the firing mode are considered. For threshold or trend alerts, the monitored metric, the firing mode, and the alert expression are considered.

Monitored protocols
Specifies which protocols are watched by the alert configuration. The ExtraHop system generates an alert only if an anomaly is detected in traffic over a specified protocol.
Monitored metric
Specifies the metric tracked by the alert configuration. The ExtraHop system watches for instances when the value of the metric crosses a defined threshold or diverges from the trend. Threshold alert settings can track a top-level or detail metric, but trend alert settings can only track a top-level metric.
Firing mode
Specifies how often an alert is generated. Specify the edge-triggered alert option to issue a single alert when the conditions are met, even if the condition persists. Specify the level-triggered alert option to issue alerts at specified intervals for as long as the conditions remain true.
Alert expression
Specifies when to issue an alert. A series of options, such as the time interval, the metric value, and the rate, are combined to determine the alert expression. For example, you can set options to issue a threshold alert when the value of the monitored metric falls below 100 per second in a 1-minute interval. The options available for an alert expression vary by alert type and other configuration settings.

The values for each area are combined to determine the alert conditions. As the system monitors the specified metric, if the alert conditions are met, the system issues an alert based on the specified firing mode and the alert type.

For example, the following alert conditions result in a threshold alert when an HTTP 500 status code is observed more than 100 times during a ten-minute period:

Monitored metric: extrahop.device.http_server:status_code?500

Firing mode: Edge-triggered

Alert expression: Value over 10 minutes > 100 per interval

Or, you can specify a per second, minute, or hour rate. For example, the following alert conditions result in a threshold alert when an HTTP 500 status code is observed more than 30 times per minute during a 10 minute period:

Monitored metric: extrahop.device.http_server:status_code?500

Firing mode: Edge-triggered

Alert expression: Value over 10 minutes > 30 per minute

The alert conditions for a trend alert are slightly different from those for a threshold alert. The following settings result in a trend alert when the 75th percentile of HTTP web server processing time over a 10-minute period is 100% higher than the trend (that is, more than 200 percent of the trend value):

Monitored metric: extrahop.device.http_server:tprocess

Firing mode: Edge-triggered

Alert expression: 75th percentile over 10 minutes > 200 percent of trend
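To make the three example configurations above concrete, the following is an added Python illustration of how a monitored metric, an alert expression, and a firing mode combine. It is not ExtraHop's code or evaluation engine: the per-minute sample values, the 60-second sample size, the constant 40 ms "trend" baseline (which the real system derives from observed history), and all function names are assumptions made for this example. It also evaluates the same threshold condition in level-triggered mode, which the page describes but does not show.

```python
import math

# Constructed sample data: one value per minute for 20 minutes. Not real traffic.
HTTP_500_PER_MINUTE = [2, 3, 1, 4, 2, 2, 3, 1, 2, 2,
                       15, 20, 25, 30, 18, 22, 19, 17, 21, 16]
TPROCESS_MS_PER_MINUTE = [38, 42, 40, 41, 39, 43, 40, 42, 38, 41,
                          85, 90, 95, 88, 92, 87, 91, 89, 93, 86]
TPROCESS_TREND_MS = 40  # assumed baseline "trend"; the real system computes it from history

SECONDS_PER = {"second": 1, "minute": 60, "hour": 3600}


def percentile(values, rank):
    """Nearest-rank percentile (rank=75 gives the 75th percentile)."""
    ordered = sorted(values)
    return ordered[max(0, math.ceil(rank / 100 * len(ordered)) - 1)]


def threshold(window, limit, per="interval", sample_seconds=60):
    """Alert expression 'Value over <window> samples > <limit> per <per>'.

    'per interval' compares the raw sum over the window; per second, minute
    or hour first converts that sum into a rate over the window's duration.
    """
    def condition(history):
        if len(history) < window:
            return False  # not enough samples for a full window yet
        total = sum(history[-window:])
        if per == "interval":
            return total > limit
        rate = total / (window * sample_seconds / SECONDS_PER[per])
        return rate > limit
    return condition


def trend(window, rank, percent_of_trend, baseline):
    """Alert expression '<rank>th percentile over <window> samples > <percent_of_trend> percent of trend'."""
    def condition(history):
        if len(history) < window:
            return False
        return percentile(history[-window:], rank) > baseline * percent_of_trend / 100
    return condition


def evaluate(samples, condition, mode, repeat_every=1):
    """Apply the firing mode and return the sample indices at which an alert is issued.

    edge:  one alert when the condition becomes true, nothing while it stays true.
    level: an alert every `repeat_every` samples for as long as the condition holds.
    """
    fired, was_met, met_since = [], False, None
    for i in range(len(samples)):
        met = condition(samples[: i + 1])
        if met and not was_met:
            met_since = i  # the condition just became true
        if met and mode == "edge" and not was_met:
            fired.append(i)
        elif met and mode == "level" and (i - met_since) % repeat_every == 0:
            fired.append(i)
        was_met = met
    return fired


def demo():
    """Run the page's example configurations against the constructed sample data."""
    return {
        # "Value over 10 minutes > 100 per interval", edge-triggered
        "http500_per_interval_edge": evaluate(HTTP_500_PER_MINUTE, threshold(10, 100), "edge"),
        # same condition, level-triggered and re-issued every 5 minutes while it holds
        "http500_per_interval_level": evaluate(HTTP_500_PER_MINUTE, threshold(10, 100), "level", repeat_every=5),
        # "Value over 10 minutes > 30 per minute" means 300 per 10-minute window: never met here
        "http500_per_minute_edge": evaluate(HTTP_500_PER_MINUTE, threshold(10, 30, per="minute"), "edge"),
        # "75th percentile over 10 minutes > 200 percent of trend", edge-triggered
        "tprocess_trend_edge": evaluate(TPROCESS_MS_PER_MINUTE, trend(10, 75, 200, TPROCESS_TREND_MS), "edge"),
    }


if __name__ == "__main__":
    for name, minutes in demo().items():
        print(f"{name}: alert issued at minute index(es) {minutes}")
```

The contrast between the first and third results is the point of the page's two threshold examples: "100 per interval" and "30 per minute" look similar but the per-minute form asks for three times as many errors over the same 10-minute window.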

Alert History

After you have configured settings for one or more alerts, you can review the Alert History for any generated alerts. You can view all generated alerts on the Alert History page, or you can view alerts generated from a specific source on an Alert History widget.

Alert History page

The Alert History page contains an entry for each alert generated during the selected time interval.

The Alert History page displays the following information for each entry:

Severity
A color-coded indicator of the user-defined severity level of the alert. The severity levels are Emergency, Alert, Critical, Error, Warning, Notice, Info, and Debug.
Alert name
The name of the alert specified in the alert configuration settings.

For anomaly alerts, the name also includes the anomaly title. Click the alert name to view anomaly details on the Anomalies page.

For threshold alerts, click the alert name to view the following additional details:

  • The alert description, if provided.
  • The alert expression, which specifies the conditions that generate an alert.
  • The value of the metric when the threshold was crossed.

Tip: To view trend alert details, click Alert History Legacy Layout in the left-hand pane, and then click the trend alert name.
Source
The name of the data source on which the alert conditions occurred. Click the source name to navigate to the source and display the protocol page that corresponds to the protocol of the alert metric.

For example, if an alert configuration tracks when the HTTP processing time exceeds a specific threshold, click the source link to go to the HTTP protocol page of the source device or application.

If an alert is associated with multiple protocols, the link goes to the Overview page for the source instead of the protocol page.
Time
The time of the most recent occurrence of the alert conditions.
Alert type
Indicates a trend, threshold, or anomaly alert.

Alert History widget

The Overview page for each application and device contains an Alert History widget that displays alerts generated from that source.

For example, if you have assigned an alert configuration to a device group, you can go to the Overview page for an individual device and see which alerts are generated from the device.

The Alert History widget provides the same alert information that is provided on the Alert History page, such as severity, type, and time.

Alert notifications

You can add notifications to an alert configuration so that alerts with a high-priority severity setting are delivered to you through email or SNMP. When the alert is generated, notifications are emailed to the specified addresses or sent to an SNMP listener.

The alert notifications contain information such as the severity level of the alert, the source, the alert conditions, and when the alert was generated. For more information, see Add a notification to an alert configuration.

Exclusion intervals

An exclusion interval defines a time range during which alerts are suppressed. When an exclusion interval is assigned to an alert configuration, alerts that occur within the interval are suppressed from the Alert History, email notifications, and the SNMP listener.

For example, an exclusion interval enables you to prevent recurring, duplicate alerts in the Alert History about high database activity during the hours in which the database is backed up. For more information, see Create an exclusion interval for alerts.
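The following is an added Python illustration of the suppression logic this section describes: recurring weekly exclusion intervals (a weekend window and a nightly backup window) are checked against the time of each generated alert, and only alerts outside every interval are delivered to the Alert History and notifications. It is not ExtraHop's code; the interval representation, the class and function names, and the constructed alert timestamps (2021-05-08 is a Saturday) are assumptions made for this example. It also handles windows that run past midnight or past the end of the week, which the page's weekend example implies.

```python
from datetime import datetime

MINUTES_PER_DAY = 24 * 60
WEEKDAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]  # 0 = Monday, as datetime.weekday()


def _weekly_minute(weekday, hhmm):
    """Minutes since Monday 00:00 for a weekday index and an 'HH:MM' string."""
    hours, minutes = (int(part) for part in hhmm.split(":"))
    return weekday * MINUTES_PER_DAY + hours * 60 + minutes


class ExclusionInterval:
    """A recurring weekly window [start, end) during which alerts are suppressed."""

    def __init__(self, name, start_weekday, start_hhmm, end_weekday, end_hhmm):
        self.name = name
        self.start = _weekly_minute(start_weekday, start_hhmm)
        self.end = _weekly_minute(end_weekday, end_hhmm)

    def contains(self, when):
        minute = _weekly_minute(when.weekday(), when.strftime("%H:%M"))
        if self.start <= self.end:
            return self.start <= minute < self.end
        # window wraps past Sunday midnight, e.g. Sat 00:00 to Mon 00:00
        return minute >= self.start or minute < self.end


def daily(name, start_hhmm, end_hhmm):
    """Expand an every-day window into one weekly interval per weekday."""
    intervals = []
    for day in range(7):
        # a window that ends at or before it starts (e.g. 23:00-01:00) runs into the next day
        same_day = _weekly_minute(0, end_hhmm) > _weekly_minute(0, start_hhmm)
        end_day = day if same_day else (day + 1) % 7
        intervals.append(ExclusionInterval(f"{name} ({WEEKDAYS[day]})", day, start_hhmm, end_day, end_hhmm))
    return intervals


def suppressed_by(when, intervals):
    """Return the name of the first interval covering `when`, or None if the alert is delivered."""
    for interval in intervals:
        if interval.contains(when):
            return interval.name
    return None


def route_alerts(alerts, intervals):
    """Split (time, name) alerts into the delivered list and a dict of suppressed name -> reason."""
    delivered, suppressed = [], {}
    for when, name in alerts:
        reason = suppressed_by(when, intervals)
        if reason:
            suppressed[name] = reason
        else:
            delivered.append(name)
    return delivered, suppressed


# Constructed configuration: suppress all weekend and the nightly 01:00-03:00 backup window.
EXCLUSIONS = [ExclusionInterval("weekend", 5, "00:00", 0, "00:00")] + daily("db backup", "01:00", "03:00")

# Constructed alerts from a hypothetical "high database activity" configuration.
SAMPLE_ALERTS = [
    (datetime(2021, 5, 8, 14, 0), "db activity high (Sat 14:00)"),
    (datetime(2021, 5, 9, 23, 59), "db activity high (Sun 23:59)"),
    (datetime(2021, 5, 10, 0, 0), "db activity high (Mon 00:00)"),
    (datetime(2021, 5, 10, 2, 30), "db activity high (Mon 02:30)"),
    (datetime(2021, 5, 10, 9, 15), "db activity high (Mon 09:15)"),
]

if __name__ == "__main__":
    delivered, suppressed = route_alerts(SAMPLE_ALERTS, EXCLUSIONS)
    print("delivered:", delivered)
    print("suppressed:", suppressed)
```

Intervals are half-open, so an alert at exactly Monday 00:00 is no longer inside a Saturday-to-Monday weekend window; this is the boundary to check whenever a suppression window is meant to end at midnight.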

Published 2021-05-10 17:12