Versions Compared

Old Version 6

changes.mady.by.user Former user

Saved on

compared with

New Version Current

changes.mady.by.user Former user

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Reason for triggeringIf there is a sudden spike or a drop in the request count within a period of one minute by default for a particular API resource.
IndicationThese alerts could be treated as an indication of a possible high traffic, suspicious activity, possible malfunction of the client application, etc.
Description

This alert is triggered if there is a sudden spike in the request count within a period of one minute by default for a particular API for an application. These alerts could be treated as an indication of a possible high traffic, suspicious activity , possible malfunction of the client application, etc.


Abnormal resource access pattern

Reason for triggeringIf there is a change in the resource access pattern of a user who uses a particular application.
IndicationThese alerts could be treated as an indication of a suspicious activity made by a user over your application.
Description

A Markov Chain model is built for each application to learn its resource access pattern. For the purpose of learning the resource access patterns, no alerts are sent during the first 500 (default) requests. After learning the normal pattern of a specific application, WSO2 Analytics performs a real time check on a transition done by a specific user, and sends and alert if it is identified as an abnormal transition. For a transition to be considered valid, it has to occur within 60 minutes by default, and it should be by the same user.

Image RemovedImage Added

The above diagram depicts an example where a Markov Chain model is created during the learning curve of the system. Two states are recorded against Application A and the arrows show the directions of the transitions. Each arrow carries a probability value that stands for the probability of a specific transition taking place. Assume that the following two consecutive events are received by the application from user john@abc.com.

  1. DELETE /API1/number/1
  2. DELETE /API1/number/3

The above transition has happened from the DELETE /API1/number/{x} state to itself. According to the Markov chain model learnt by the system, the probability of this transition occurring is very low. Therefore, an alert is sent.

This alert is triggered if there is a change in the resource access pattern of a user of a particular application. These alerts could be treated as an indication of a suspicious activity made by a user over your application.

...

Reason for TriggeringIf there is either a change in the request source IP for a specific API of an application, or if the request if from an IP used before 30 days (default).
Indication

These alerts could be treated as an indication of a suspicious activity made by a user over an application.

Description

Image RemovedImage Added

This alert is triggered if there is either a change in the request source IP for a particular application by a user or if the request is from an IP used before a time period of 30 days (default). The first 100 requests by a user are used only for learning purposes by default and therefore, no alerts are sent during that time. However, the learning would continue even after the first 100 requests by a user. This means, even if you receive continuous requests from the newly detected IP2 IP, you are alerted only once. 

...

Reason for Triggering

This alert is triggered in the following scenarios.

  • If a particular application is throttled for reaching a subscribed tier limit more than the specified number of times during a defined period (10 times within an hour by default).
  • If a particular user of an application is throttled for reaching a subscribed tier limit of a specific API more than the specified number of times during a defined period (10 times within an hour by default).

Image RemovedImage Added

IndicationThese alerts indicate that you need to subscribe to a higher tier.

...