Threshold Alert Rules

The Activity Analytics service is responsible for calculating thresholds and triggering threshold-based alerts.

Activities are evaluated against threshold alert rules by the Event Manager during the activity processing. If activities match the threshold criteria, they are marked as candidates for threshold calculations.

Activity Analytics queries Elasticsearch at the defined interval to gather the activities that are candidates for threshold alerts. These activities are aggregated, and when the threshold is met, an alert is issued together with the response defined in the threshold alert rule.

Limitations

If there is a temporary disconnection between Activity Monitoring and the Event Manager, activities received more than 15 minutes after their original activity time are stored in the database with their original timestamp, but they are not included in the threshold alert calculation. If an alert has already been created, however, activities received after the 15-minute window are still added to the existing alert record, which increases the total number of activities associated with that alert.

The 15-minute time window helps limit memory usage required for threshold calculations.

For adjustments to the time window, consult the Compass forum for best practices. The PS team can change the time window in the database if necessary.

If the same Windows resource is reachable through multiple access paths, duplicate activities may be sent for threshold calculation. For example, an activity in Folder1 accessed through both \\MyServer\Folder1 and \\MyServer\C$\Main\Folder1 is recorded twice.

To prevent duplicate activities from affecting threshold calculations, select Windows as the application type in the scope and apply the following filter in the Alert Rule > Rule Criteria Filter section:

  • Attribute: Original Access Path (OAP)
  • Operator: Empty

Every duplicated activity carries the original path in its OAP field, whereas the original activity leaves the field empty. Adding this filter causes the Threshold Alert Rule to ignore all duplicated activities and to count only the original activity.
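The two limitations above (the 15-minute late-arrival window and the OAP filter for duplicate Windows access paths) interact in ways that are easier to see in a small model than in prose. The following is an added illustration, not code from the product or its documentation: a hypothetical threshold rule of "N matching activities by one user per aggregation interval" fed a constructed activity stream. The interval length, the threshold value, the field names and the assumption that OAP is empty on the original activity and populated on its duplicates are all assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Late-arrival window from the page: an activity received more than 15 minutes
# after its original activity time is stored but excluded from the calculation.
LATE_ARRIVAL_WINDOW = timedelta(minutes=15)


@dataclass
class Activity:
    user: str
    event_time: datetime            # original activity timestamp
    received_time: datetime         # when the Event Manager received it
    path: str                       # access path as reported by the server
    original_access_path: str = ""  # OAP: assumed empty on the original, set on duplicates


@dataclass
class Alert:
    user: str
    window_start: datetime
    activity_count: int             # grows as further activities are attached


class ThresholdRule:
    """Hypothetical rule: `threshold` matching activities by one user per `interval`."""

    def __init__(self, threshold: int, interval: timedelta, require_empty_oap: bool = True):
        self.threshold = threshold
        self.interval = interval
        self.require_empty_oap = require_empty_oap     # the "OAP is Empty" criteria filter
        self.counts: Dict[Tuple[str, datetime], int] = {}   # on-time activities only
        self.alerts: Dict[Tuple[str, datetime], Alert] = {}

    def _window_start(self, t: datetime) -> datetime:
        # Floor the activity time to the start of its aggregation interval.
        epoch = datetime(1970, 1, 1)
        return epoch + ((t - epoch) // self.interval) * self.interval

    def matches(self, a: Activity) -> bool:
        # With the filter on, duplicate records (OAP populated) are ignored.
        return not self.require_empty_oap or a.original_access_path == ""

    def process(self, a: Activity) -> Optional[Alert]:
        """Feed one activity; return a new Alert only when the threshold is first crossed."""
        if not self.matches(a):
            return None
        key = (a.user, self._window_start(a.event_time))
        existing = self.alerts.get(key)
        if a.received_time - a.event_time > LATE_ARRIVAL_WINDOW:
            # Late arrival: not counted towards the threshold, but if an alert
            # already exists it is still attached to that alert record.
            if existing:
                existing.activity_count += 1
            return None
        self.counts[key] = self.counts.get(key, 0) + 1
        if existing:
            existing.activity_count += 1
            return None
        if self.counts[key] >= self.threshold:
            alert = Alert(a.user, key[1], self.counts[key])
            self.alerts[key] = alert
            return alert
        return None


def sample_activities() -> List[Activity]:
    """Constructed activity stream (not real data) exercising both limitations."""
    base = datetime(2024, 1, 1, 9, 0, 0)
    m = lambda mins, secs=0: base + timedelta(minutes=mins, seconds=secs)
    return [
        # alice: three distinct on-time accesses inside one 5-minute interval
        Activity("alice", m(0), m(0, 5), r"\\MyServer\Folder1\a.docx"),
        # the same access reported again via the administrative share; OAP is set
        Activity("alice", m(0), m(0, 5), r"\\MyServer\C$\Main\Folder1\a.docx",
                 original_access_path=r"\\MyServer\Folder1\a.docx"),
        Activity("alice", m(1), m(1, 5), r"\\MyServer\Folder1\b.docx"),
        Activity("alice", m(2), m(2, 5), r"\\MyServer\Folder1\c.docx"),
        # received 20 minutes after its activity time, once the alert exists:
        # excluded from the count, but attached to the alert record
        Activity("alice", m(3), m(23), r"\\MyServer\Folder1\d.docx"),
        # bob: two on-time activities plus one late one never reach the threshold
        Activity("bob", m(0), m(0, 5), r"\\MyServer\Folder1\x.docx"),
        Activity("bob", m(1), m(1, 5), r"\\MyServer\Folder1\y.docx"),
        Activity("bob", m(2), m(30), r"\\MyServer\Folder1\z.docx"),
    ]


def run(rule: ThresholdRule, activities: List[Activity]) -> List[Alert]:
    """Return the alerts that fired, in order."""
    return [al for al in (rule.process(a) for a in activities) if al is not None]


def demo(require_empty_oap: bool = True) -> Tuple[List[Alert], ThresholdRule]:
    rule = ThresholdRule(threshold=3, interval=timedelta(minutes=5),
                         require_empty_oap=require_empty_oap)
    return run(rule, sample_activities()), rule


if __name__ == "__main__":
    for flag in (True, False):
        fired, rule = demo(flag)
        print(f"OAP filter {'on' if flag else 'off'}: {len(fired)} alert(s), "
              f"activities attached: {[a.activity_count for a in fired]}")
```

Running `demo(True)` fires one alert for alice at the third distinct access and ends with four activities attached (three counted plus the late one), while bob never alerts because his late activity is not counted. Running `demo(False)` shows the duplicate-path problem: the administrative-share copy counts as a second access, so the alert fires one activity earlier and ends with five attached.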

Create/Edit a Threshold Alert Rule

For instructions on creating a Threshold Alert Rule, refer to the relevant section.

Note

Only Administrators, not Data Owners, can view threshold alerts in Activity Forensics or in Reports.