The ExtraHop Addy™ service is a cloud-based service that applies machine learning techniques to wire data to automatically determine what is expected versus unusual behavior in your IT environment. Unlike other machine learning solutions that rely on logs or agent data, Addy applies machine learning technology without requiring you to configure anything.
Addy learns about normal network behavior by analyzing the data stored on your Discover appliance. After Addy is activated, you can then browse detected performance and security anomalies in the ExtraHop Web UI and investigate root causes for issues on your network.
Overall, Addy offers the following types of help:
- Uncover hidden issues before they create problems for your users
- Collect high-quality, actionable data to identify root causes of anomalies
- Find unknown performance issues, security issues, or infrastructure quirks
- Gain deeper insight into your network behavior
|Important:||Addy does not analyze sensitive information and data types. For more information, download ExtraHop Addy: Security Overview.|
Here are important considerations about anomaly detection with Addy:
- You must have an ExtraHop Addy service license or an ExtraHop Reveal(x) license.
- You must have full system privileges, access to the Admin UI, and access through any firewalls to connect a Discover or ExtraHop Reveal(x) appliance to the Addy service through ExtraHop Cloud Services. For more information, see Connect to the ExtraHop Addy service.
- You must have at least four weeks of wire data metrics stored on your Discover or ExtraHop Reveal(x) appliance before Addy can detect anomalies.
- When you create a user account with restricted read-only privileges, those users can only view the metrics in the dashboards that you share with them. Those users will be unable to view anomalies. For more information, see Share a dashboard with a restricted user.
- On a Command appliance, you can access anomalies on a connected Discover appliance or
ExtraHop Reveal(x) if that appliance is connected to Addy.
Note: A Command appliance can only connect to either Discover appliances or ExtraHop Reveal(x) appliances.
The ExtraHop Addy service is a cloud-based service that applies machine learning techniques to automatically determine what is normal behavior and what is unusual behavior in your IT environment. After you acquire a license for the Addy service, the license status and ExtraHop Cloud Services settings are automatically updated on your Discover appliance.
Before you begin
- Log into the ExtraHop Admin UI on the Discover appliance.
- In the Network Settings section, click ExtraHop Cloud Services.
- Click Terms and Conditions to read the content.
- After becoming familiar with the Addy service terms and conditions, select the checkbox.
- Click Connect to ExtraHop Cloud Services.
If the connection fails, there might be an issue with your firewall rules. See Troubleshoot your connection to the Addy service to identify and resolve the issue. If connection problems persist, contact ExtraHop Support for help by creating a case on the Customer Portal (requires login).
Addy detects security or IT operations anomalies depending on the type of Addy license you have.
The best way to stop attackers from stealing data or wreaking havoc on your network is to detect attacks before they cause harm. Even though attackers regularly develop new methods for evading detection, most attacks tend to follow familiar patterns or phases. The ExtraHop Addy service can detect anomalies associated with different phases of an attack. Addy tells you when a security risk occurred, which attack phase the risk is associated with, and which devices were affected by the risk.
|Note:||This topic only applies to the ExtraHop Reveal(x) system edition.|
Here are some important considerations about Addy security anomalies:
- You must have an ExtraHop Reveal(x) license to view security anomalies.
- Addy provides you with high-quality, actionable data about security risks. But these anomalies do not replace decision-making or expertise about your network. Always investigate anomalies to determine the root cause of the unusual behavior and when to take action.
When you log into the Web UI of your ExtraHop Reveal(x) and click Anomalies, an overview page appears with information about all the security anomalies detected during the selected time interval.
Below the timeline chart, an attack chain highlights the number of anomalies that are associated with a different attack phase, as shown in the following figure.
|Important:||Multiple anomalies in the attack chain can be associated with an attack. Anomalies associated with attack phases can be detected in any order.|
Addy detects the following security risk anomalies:
Addy is always on and always learning about network behavior across your IT infrastructure. Addy automatically surfaces network, application, and infrastructure problems and their root causes, so you can immediately focus on issues that matter.
Here are some important considerations about this type of anomaly:
- You cannot view IT operations anomalies if you have a ExtraHop Reveal(x) license.
- The Addy service provides you with high-quality, actionable data about potential performance and operation issues. But these anomalies do not replace decision-making or expertise about your network. Always investigate anomalies to determine the root cause of the unusual behavior and when to take action.
Addy detects anomalies in the following operational categories:
After activating Addy, a top menu item appears for anomalies. To browse anomalies detected by Addy, log into the Web UI and click Anomalies at the top of the page. You can then filter anomalies by time interval, protocol, category, applications, or devices. Anomalies are sorted by their start time and the most recent anomaly is listed first.
Configuring an anomaly alert from the Alerts page lets you monitor alerts or receive email notifications when a specific anomaly is detected. For more information, see the following topics:
The following steps show you how to find and filter anomalies:
Log into the Web UI on the Discover appliance, Command appliance, or ExtraHop
Reveal(x) and then click Anomalies at the top of the
A list of anomalies for the current time interval appears. If the list is empty, then Addy has not detected anomalies for the selected time interval.
In the left pane, filter anomalies by selecting the options as shown in the
The Anomalies page displays the total number of anomalies for the selected time interval and details about each detected anomaly. The following sections show you what information you can learn from anomalies.
The Timeline chart displays the total number of detected anomalies over time for the selected time interval. Each horizontal bar in the chart represents a single anomaly, so you can view the duration of each anomaly. Look for the tallest stack of bars to determine when the most anomalies occurred in the time interval. The total number of anomalies dynamically updates when you filter anomalies.
|Tip:||Hover over a bar to view the anomaly title, or click the bar to navigate directly to the anomaly detail page.|
Click and drag across an area on the chart (which will become highlighted in green) to zoom in on a specific time range. The time interval in the Discover or Command appliance dynamically updates to match the new time range in the chart, and details about each anomaly that was detected in that time range are displayed below the chart.
Each anomaly provides detailed information about the type of issue that occurred, when the issue occurred, and the source of the issue. Individual anomalies are listed below the Timeline chart, and they are sorted by their start time. The most recent anomaly is listed first.
The following figure shows you what type of information is provided within an individual anomaly:
- The title includes the anomalous metric and the device or application name that is the cause of the anomaly. Click the title to share an anomaly.
- The description provides information about what the anomaly means. For most anomalies, Addy
automatically surfaces detail metrics identified with Addy's machine learning capabilities, so
you can immediately begin your investigation.
For more information, see Investigate anomalies.
- The duration of the anomaly indicates how long the anomalous value was detected by
The minimum duration of an anomaly is one hour, because Addy detects anomalies by analyzing metric data with 1-hour granularity. If the duration value is displayed as ONGOING, the anomalous metric is in the process of being detected.
- Sparklines are simple line charts that show you the metric behavior that led up to the anomaly. The sparkline charts display a snapshot of metric data from the time frame around the duration of the detected anomaly (such as 6 hours), and not the overall time interval from the top of the page (such as the last 7 days).
- Peak Value
- The peak value is the maximum value from observed data that deviated from expected ranged for the duration of the anomaly.
- Expected Range
- The expected range includes values that represent a normal background level of activity, which is calculated based on 4 weeks of data. The expected range is the basis for comparison with observed values to detect changes in metric activity.
- A deviation is the quantity calculated by the Addy machine learning engine to indicate the extent of change from an expected range.
- Activity Maps
- Click Activity Map to open an activity map that displays all of the L7 protocol activity and device connections to the client or server in the anomaly. For more information, see Activity maps concepts.
- Click the feedback icon to
let us know if the anomaly was helpful. Your feedback is valuable and helps us improve our
anomaly detection process. All feedback is anonymous and will not have an immediate effect on
your anomalies. You can submit feedback for an anomaly more than once.
Note: The option to provide feedback is determined by user privileges, which are assigned by the ExtraHop administrator. For more information, see the User privileges section in the ExtraHop Admin UI Guide.
When you find an interesting anomaly, you want to quickly understand the root cause. Addy performs an automated investigation for most anomalies, which means that you can view detail metrics in the anomaly description to immediately learn what contributed to an issue. When multiple factors contribute to an anomaly, you can also see the percentage of their contribution to the anomaly. For example, the following figure show which client, server, and URI are linked to an HTTP 404 anomaly.
|Note:||Automated investigation is not available for server processing time anomalies. For these anomalies, you can investigate anomalies from a protocol page in the Discover or Command appliance.|
To learn more about the scope of an anomaly on your network, you can continue your investigation by opening an activity map or visiting a protocol page.
When a single client or server is associated with unusual L7 protocol activity, such as a high number of HTTP errors or DNS request timeouts, an activity map link appears.
- Log into the Web UI on the Discover or Command appliance and then click Anomalies at the top of the page.
Find the anomaly that you want to investigate. The following figure shows an
example of the Activity Map link for a database server
that sent an unusual number of errors.
Click Activity Map.
An activity map appears for the database server. The activity map in the following figure shows the two database clients that were connected to the server during the anomaly time frame.
- Click any client in the map to access a menu that contains a Go to
Device... link. Click the link to open a protocol page with
client metrics, such as requests and responses.
- In the left pane below Step 1, click Add
Step and then click All Peers in the
drop-down list. The map updates to show you which downstream devices are
connected to the database clients, as shown in the following figure.
- Save and then share your activity map with other ExtraHop users.
For more information about activity maps, see Activity maps concepts.
If you want to further investigate anomalous metrics, you can navigate to a protocol page where you have access to additional charts, metrics, and tools.
- Log into the Web UI on the Discover or Command appliance and then click Anomalies at the top of the page.
- Find the anomaly that you want to investigate.
Click the source name, as shown in the following figure.
The anomalous protocol page for the device or application appears, which displays all of the metric data associated with that specific device or application during the anomaly time interval, as shown in the figure below.
Addy provides you with high-quality, actionable data about anomalies—but does not replace decision-making or expertise about your network. The following best practices explain how to determine which anomalies are worth further investigation and when to take action.
- Change the time interval to see when anomalies occurred
- Learn if anomalies occurred before, after, or during a reported problem. For example, does
the time frame of the anomaly coincide with a reported issue, such as slow load times or login
times? You can also compare anomalies from the past month to the current date, which gives you
a sense of whether the occurrence or severity of anomalies is changing over time.
For more information, see Find and filter anomalies.
- Create an anomaly alert
- You can configure an alert to receive email notifications when an anomaly occurs. Anomaly
alerts also help you quickly find anomalies for a specific device or application on the Alert History page.
For more information, see Configure Addy anomaly alert settings.
- Filter anomalies by protocol
- Filter by protocol to quickly monitor critical protocols with a role in security, commerce,
or communication processes.
For example, an FTP 530 error anomaly might indicate that someone is trying to gain unauthorized access to information on your network. Or Citrix server and client latency anomalies might indicate that users are experiencing long load times for their roaming desktop profiles.
Selecting different protocols can also show you how anomalies correlate to each other. An anomalous HTTP response time followed immediately by an anomalous CIFS server processing time might suggest that web servers are dependent on how quickly your file storage servers can send and receive file data.
For more information, see Find and filter anomalies.
If you find an anomaly that you want to share, you can send the URL from the anomaly detail page to other ExtraHop users.
Here are some important considerations about sharing anomalies:
- You must copy and share the entire URL.
- To view the anomaly, an ExtraHop user must have access to the Discover appliance or ExtraHop Reveal(x) where the anomaly was detected.
The following steps show you how to select and share an anomaly:
- Log into the Web UI on the Discover or Command appliance where Addy is licensed and then click Anomalies at the top of the page.
- Find the anomaly that you want to share.
Click the anomaly title, as shown in the following figure.
- At the top of the browser, copy the entire URL. You can now send this URL to other ExtraHop users who have access to the Discover appliance where the anomaly was detected.
- Configure an anomaly alert to receive email notifications about an anomaly.
The following section contains reference information about the Addy service.
This section provides some background information on how the ExtraHop Addy service identifies anomalies.
Anomalies are unexpected deviations from normal patterns in device or application behavior. Addy detects anomalies from stored Discover appliance data with a proprietary algorithm that combines time series decomposition, unsupervised learning, heuristics, and ExtraHop's unique domain expertise. This combination helps to ensure that detected anomalies are both accurate and actionable. By detecting an anomaly as soon as it happens, you can identify and resolve a potential issue before it becomes a larger problem. You can also review historical anomaly data to investigate issues related to known security or network outage events.
In most network monitoring tools, anomalies are detected through manually-configured alerts and trend models for individual devices. However, as your network changes—because of hardware reconfigurations, organization mergers, business growth, or the addition of applications to your network—these types of alerts and models can become quickly outdated and potentially inaccurate. Addy automatically delivers consistent and accurate results about anomalous metrics and protocols without requiring manual configuration for individual devices. The Addy machine learning engine analyzes the historical behavior of individual devices, and automatically adapts to each device across time when there are changes to the expected range of data in your network.
Here is how Addy anomaly detection generally works: the metrics that the Addy machine learning engine analyzes come from wire data that is collected by your Discover appliance. The Discover appliance processes this data, generates metrics, and associates the metric data with protocols, devices, and applications. Addy retrieves a subset of protocol metrics from the Discover appliance to analyze and report results about detected anomalies.
- Observed data, collected in real-time by the Discover appliance
- Expected range data, calculated from four weeks of historical data collected by the Discover appliance
- Threshold values, which are automatically adjusted by the algorithm based on historical metric data and heuristics defined by the IT networking domain experts at ExtraHop
|Note:||If you need to define a specific threshold value for an anomaly, which might be associated with a service level agreement (SLA) for example, we recommend manually configuring an alert in the Discover appliance.|
Essentially, an anomaly is detected when observed data deviates from the expected range of data by a significant amount. You can then view analysis results about anomalies on the Anomalies page in the Web UI of the Discover appliance. For each anomaly, Addy provides the measured deviation (which is the difference between the observed value and the expected range), the anomaly value, and the expected range of normal metric values at the time of the anomaly.
Addy also provides anomalous 50th percentile or 75th percentile values for a subset of metrics that account for server processing time.