Investigate anomalies with Addy

When you find an interesting anomaly, you want to better understand the root cause. You can begin your investigation by reviewing information revealed by automated investigation or by navigating to a protocol page.

Addy automated investigation

Addy performs an automated investigation for most anomalies, which means that you can view detail metrics in the anomaly description to immediately learn what contributed to an issue.

In the following figure, you can see which client, server, and URI are linked to an HTTP 404 anomaly.

When multiple factors contribute to an anomaly, you can also see the percentage of their contribution to the anomaly. For example, the following figure shows the top two DNS servers that sent an excessive number of DNS errors to a client during the detected anomaly.

Note: Automated investigation is not available for server processing time anomalies. For these anomalies, you can investigate anomalies from protocol pages in the Discover or Command appliance.

If you want to further investigate anomalous metrics, you can navigate to a protocol page where you have access to additional metrics and tools, such as activity maps.

  1. Log into the Web UI on the Discover appliance, Command appliance, or ExtraHop Reveal(x) and then click Anomalies at the top of the page.
  2. Find the anomaly that you want to investigate.
  3. Click the source name, as shown in the following figure.

    The anomalous protocol page for the device or application appears, which displays all of the metric data associated with that specific device or application during the anomaly time interval, as shown in the figure below.

Next steps

From a protocol page, you can then choose one of the following options to further investigate metric data:

Best practices for investigating anomalies

Addy provides you with high-quality, actionable data about anomalies—but does not replace decision-making or expertise about your network. The following best practices explain how to determine which anomalies are worth further investigation and when to take action.

Change the time interval to see when anomalies occurred
Learn if anomalies occurred before, after, or during a reported problem. For example, does the time frame of the anomaly coincide with a reported issue, such as slow load times or login times? You can also compare anomalies from the past month to the current date, which gives you a sense of whether the occurrence or severity of anomalies is changing over time.

For more information, see Find and filter anomalies.

Create an anomaly alert
You can configure an alert to receive email notifications when an anomaly occurs. Anomaly alerts also help you quickly find anomalies for a specific device or application on the Alert History page.

For more information, see Configure Addy anomaly alert settings.

Filter anomalies by protocol
Filter by protocol to quickly monitor critical protocols with a role in security, commerce, or communication processes.

For example, an FTP 530 error anomaly might indicate that someone is trying to gain unauthorized access to information on your network. Or Citrix server and client latency anomalies might indicate that users are experiencing long load times for their roaming desktop profiles.

Selecting different protocols can also show you how anomalies correlate to each other. An anomalous HTTP response time followed immediately by an anomalous CIFS server processing time might suggest that web servers are dependent on how quickly your file storage servers can send and receive file data.
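The two checks described in this section and in "Change the time interval" above, as an added example that is not part of the original ExtraHop documentation and does not use any ExtraHop API: it runs over a constructed list of anomaly records, finds which anomalies coincide with a reported problem window (optionally for one protocol), and finds cross-protocol sequences such as an HTTP response time anomaly followed within a few minutes by a CIFS server processing time anomaly. The record fields, sample names and time values are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Anomaly:
    protocol: str   # protocol Addy flagged, e.g. "HTTP", "CIFS", "FTP"
    metric: str     # anomalous metric name
    source: str     # device or application shown as the anomaly source
    start: datetime # anomaly time interval
    end: datetime

# Constructed sample anomalies for illustration only (not data from Addy).
T0 = datetime(2021, 6, 21, 9, 0)
ANOMALIES = [
    Anomaly("HTTP", "Response Time", "web-01", T0, T0 + timedelta(minutes=10)),
    Anomaly("CIFS", "Server Processing Time", "nas-01",
            T0 + timedelta(minutes=3), T0 + timedelta(minutes=12)),
    Anomaly("FTP", "530 Errors", "ftp-01",
            T0 + timedelta(hours=2), T0 + timedelta(hours=2, minutes=5)),
    Anomaly("DNS", "Errors", "dns-01",
            T0 - timedelta(hours=1), T0 - timedelta(minutes=50)),
]

def overlaps(a: Anomaly, window_start: datetime, window_end: datetime) -> bool:
    """True if the anomaly interval intersects the reported-problem window."""
    return a.start <= window_end and a.end >= window_start

def anomalies_during(anomalies, window_start, window_end, protocol=None):
    """Anomalies that coincide with a reported problem, optionally for one protocol."""
    return [a for a in anomalies
            if overlaps(a, window_start, window_end)
            and (protocol is None or a.protocol == protocol)]

def followed_by(anomalies, first, second, within=timedelta(minutes=5)):
    """Pairs (a, b): a matches (protocol, metric) `first`, b matches `second`,
    and b starts at or after a but no later than `within` after a's start."""
    pairs = []
    for a in anomalies:
        if (a.protocol, a.metric) != first:
            continue
        for b in anomalies:
            if (b.protocol, b.metric) == second and a.start <= b.start <= a.start + within:
                pairs.append((a, b))
    return pairs

if __name__ == "__main__":
    for a in anomalies_during(ANOMALIES, T0 + timedelta(minutes=5), T0 + timedelta(minutes=15)):
        print("during reported issue:", a.protocol, a.metric, a.source)
    for a, b in followed_by(ANOMALIES, ("HTTP", "Response Time"), ("CIFS", "Server Processing Time")):
        print("sequence:", a.source, "->", b.source)
```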

For more information, see Find and filter anomalies.

Published 2021-06-21 09:56