Threshold Alert Rules
Architecture and Flow
The Activity Analytics service is responsible for calculating thresholds and issuing threshold-based alerts.
Activities are evaluated against threshold alert rules by the Event Manager while the activities are processed; if they match, they are marked as candidates for a threshold calculation.
Activity Analytics queries Elasticsearch at the defined interval to gather the activities that are candidates for threshold alerts. It then aggregates them and, when the threshold is met, issues an alert and a response as defined in the threshold alert rule.
Limitations
Whenever there is a temporary disconnection between Activity Monitoring and the Event Manager, Activities received more than 15 minutes after their activity time are kept in the Database with the original activity time, but are not included in the Threshold Alert Rules calculation. However, if an Alert has already been created, Activities that originated within the Alert timeframe but were received after the 15-minute window are added to the existing Alert record. As a result, the total number of Activities in the existing Alert record increases.
The 15-minute time window helps limit the memory required for the Threshold Alert Rules calculation.
Please review the Compass forum for best practices. If required, the PS team can change the time window in the Database.
If Windows activities have more than one shared path, the system sends duplicate activities for the threshold alert calculation. For example, if Folder1 can be accessed both as \\MyServer\Folder1 and as \\MyServer\C$\Main\Folder1, each activity performed in Folder1 appears twice in the Database, each time with a different shared path.
To prevent duplicate activities from being calculated in the total number of activities required to create a threshold alert, select Windows as the application type in the scope, and set the following filter in the Alert Rule > Rule Criteria Filter section:
- Attribute = Original Access Path (OAP)
- Operator = Empty
All duplicated Activities have the OAP field populated with the original path, while the original Activity has it empty. Adding this filter causes the Threshold Alert Rule to ignore all duplicated Activities and to count only the original Activity.
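The following added example (illustrative code, not the product's own implementation) models the two behaviours described above: the OAP-empty filter that drops duplicated Windows activities, and the 15-minute late-arrival window under which late activities are not counted toward a new alert but are added to an alert that already covers their timeframe. The Activity and Alert fields, the per-user aggregation window and the sample data are all assumptions constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

LATE_WINDOW = timedelta(minutes=15)  # the 15-minute window described on this page
EPOCH = datetime(1970, 1, 1)         # fixed origin so aggregation windows align
@dataclass
class Activity:
    user: str
    activity_time: datetime
    received_time: datetime
    oap: str = ""  # Original Access Path: set only on the duplicated copy of a Windows activity
@dataclass
class Alert:
    user: str
    window_start: datetime
    window_end: datetime
    count: int

def evaluate(activities, threshold, window, alerts=None):
    alerts = list(alerts or [])
    counts = defaultdict(int)
    for a in activities:
        if a.oap != "":   # Rule Criteria Filter from the page: Attribute = OAP, Operator = Empty
            continue      # same activity seen through a second share path: not counted
        if a.received_time - a.activity_time > LATE_WINDOW:
            # Late arrival: never counted toward a new alert, only added to an existing one
            for al in alerts:
                if al.user == a.user and al.window_start <= a.activity_time < al.window_end:
                    al.count += 1
            continue
        start = EPOCH + ((a.activity_time - EPOCH) // window) * window
        counts[(a.user, start)] += 1
    for (user, start), n in counts.items():
        if n >= threshold and not any(al.user == user and al.window_start == start for al in alerts):
            alerts.append(Alert(user, start, start + window, n))
    return alerts

def demo():
    # Constructed sample: one Windows read seen via two share paths, two more reads, then a late read
    t0, m = datetime(2024, 1, 1, 9, 0), timedelta(minutes=1)
    first = [
        Activity("alice", t0, t0 + m),                                   # \\MyServer\Folder1\a.txt
        Activity("alice", t0, t0 + m, oap=r"\\MyServer\Folder1\a.txt"),  # same read via \\MyServer\C$\Main\Folder1
        Activity("alice", t0 + 2 * m, t0 + 3 * m),
        Activity("alice", t0 + 4 * m, t0 + 5 * m),
    ]
    alerts = evaluate(first, threshold=3, window=10 * m)   # one alert for 09:00-09:10, count 3
    late = [Activity("alice", t0 + 5 * m, t0 + 25 * m)]    # received 20 minutes after the activity time
    return evaluate(late, threshold=3, window=10 * m, alerts=alerts)  # same alert, count now 4
```

Without the OAP filter the first pass would count four activities for one real read of a.txt, which is exactly the inflation the filter prevents.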
Create/Edit a Threshold Alert Rule
See for information on creating a Threshold Alert rule.
Only administrators, not data owners, can view threshold alerts in Activity Forensics or in Reports.