The anomaly detection alert on the FireTail platform is an algorithmic feature designed to identify irregular request behavior in your logs compared with past traffic patterns. An alert that is based on anomaly detection needs historical data to run.
When creating an anomaly detection alert, FireTail ingests 13 days of historical data to build a data band with high and low expected values. This band represents normal traffic patterns. The thickness of the band (i.e., the range of high and low values) is determined by the sensitivity setting. Adjusting the sensitivity setting will impact the width of the band, with higher sensitivity resulting in a thicker band.
Note: Sensitivity is set to 2 by default. You can adjust this sensitivity after creating the alert to fit your monitoring needs.
To receive an alert, first create a notification integration.
1. Navigate to Posture Management in the FireTail platform and select the Alerting tab. Click Create Alert.
2. Select the alert type as Anomaly detection.
3. In the Name section fill out the following:
4. Filters - Set filters to determine which requests to monitor.
A Custom filter can contain a single condition or multiple conditions. There are various options you can select to filter by, such as response status codes, request path, tags and so on. Multiple filters can be added.
Click Add to add any further conditions to the filter. Select Include or Exclude to determine if the requests displayed in the alerts dashboard must include or exclude the conditions defined in the filter.
FireTail offers a set of managed, preconfigured alerts designed to detect various security threats. Select Managed, then select the type of managed alert to apply. Select an API or APIs in the Filter traffic by API field, if required.
Learn more about Managed Alerts.
Note: To customize a managed filter, select the filter in the managed section, then select Custom.
5. Add conditions for the alert. These conditions define the parameters that will trigger the alert. To do this:
6. Additional Configuration (optional).
Define the number of data points within the evaluation period that must be anomalous to trigger an alert. This lets you specify how many breaching data points (which need not be consecutive) are required before the alert fires. Example: If you select 3 out of 5 data points, the alert will trigger if at least 3 of the last 5 evaluation periods show anomalous data.
Note: The evaluation period represents the unit of time you selected in the Within the last field.
7. Enter a value in the Alert sensitivity level field. This is the sensitivity of the anomaly detection. Higher sensitivity values detect smaller anomalies; lower sensitivity reduces false positives but may only detect significant anomalies. The default level is 2.0.
8. Notification Integration - Select the method by which you will receive your alert notification. Select a previously created integration from the dropdown, or click Create to create a new integration.
Note: When you create a notification integration you can define the text and information that will be displayed when an alert is sent. Learn how to Customize notifications.
9. Click Submit.
View the created alert in the Alerting tab. Here you can view the graph and set the sensitivity of the band.
Note: The graph preview is available after the model has finished training on the dataset.