Create an anomaly alert

Created:
January 31, 2024
Updated:
September 18, 2024

The anomaly detection alert on the FireTail platform is an algorithmic feature designed to identify irregular behavior of log requests compared to past patterns. An alert that is based on anomaly detection needs historical data to run.

When you create an anomaly detection alert on the FireTail platform 13 days of historical data is ingested. This historical data is used to create a band with high and low data points of expected values. This band is considered to be the normal data range. The high and low data points of the band (the thickness of the band) are impacted by the sensitivity value. After the alert has been created, the alert sensitivity can be adjusted. Increasing the sensitivity will result in a band with a wider range of high and low data points, meaning the band will be thicker. 

Note: Sensitivity is set to 2 by default, edit the sensitivity if necessary after you create an anomaly alert.

To receive an alert, first create a notification integration.

1. Navigate to Posture Management in the FireTail platform and select the Alerting tab in the FireTail platform. Click Create Alert.

2. Select the alert type as Anomaly detection.

3. In the Name section fill out the following:

  • Alert Name - Enter a name for the alert.
  • Enabled - Toggle on or off. This enables or switches off the alert.

4. Filters - Add a filters to the alert.

Managed filters

FireTail offers a set of managed, preconfigured alerts designed to detect various security threats. Select Managed and select the type of managed alert to apply to the alert. Select an API or API in the Filter traffic by API field, if required.

Learn more about Managed Alerts.

Custom filters

A Custom filter can contain a single condition or multiple conditions. There are various options you can select to filter by, such as response status codes, request path, tags and so on. Multiple filters can be added.

  • Select Custom.
  • Click Add Filter Group.
  • Select the required element from the Type dropdown.
  • Choose the appropriate Operator.
  • Enter a Value.
  • Click Submit.

Click Add to add any further conditions to the filter. Select Include or Exclude to determine if the requests displayed in the alerts dashboard must include or exclude the conditions defined in the filter. Multiple filters can be added.

Note: To customize a managed filter, select the filter in the managed section, then select Custom.

5. Add conditions for the alert. These conditions define the parameters that will trigger the alert. To do this:

  • Whenever the number of requests is - This defines when the alert is triggered. Choose the value from the dropdown:
    • Outside of the band
    • Greater than the band
    • Lower than the band
  • Within the last - Specify the time period for the system to evaluate requests for the alert conditions. Select the time period from the dropdown. This is the time window for alert checks. 

6. Expand the Additional Configuration. This optional setting defines the number of datapoints within the evaluation period that must be anomalous to trigger an alarm. The breaching data points don't have to be consecutive. For example, if you select 3 out of 5 datapoints to alarm, this means for the alarm to trigger a data breach must have occurred in at least 3 of the last 5 evaluation periods (The evaluation period represents the unit of time you selected in the Within the last field).

7. Enter a value in the Alert sensitivity level. This is the sensitivity of the anomaly detection. Higher sensitivity values detect smaller anomalies; lower sensitivity reduces false positives but may only detect significant anomalies. The default level is 2.0.

8. Notification Integration - Select the method in which you will receive your alert notification. Select a previously created integration from the dropdown, or click Create to create a new integration.

Note: when you create a notification integration you can define the text and information that will be displayed when an alert is sent. Learn how to Customize notifications.

9. Click Submit.

View the created alert in the Alerting tab. Here you can view the graph and set the sensitivity of the band.

Note: The graph preview is available after the model has finished training on the dataset.