KBI 311503 Preventing False Positives Or Alert Flooding In Argent Defender Ultra

Version

Argent Defender Ultra 1611-B

Date

Wednesday, 4 January 2017

Summary

The ability to control how Alerts behave is key to preventing false positives and Alert flooding

Argent Defender Ultra has two critical Alerting options at the Session Replay level to give customers this control:

  • Post Event Even If Same Event Is Still Outstanding (Unanswered)
  • Post Event Only After Rule Is Broken X or More Times Consecutively

Technical Background

Post Event If Same Event Is Still Outstanding (Unanswered)

This checkbox is enabled by default

Checking this checkbox means “send the Alert even if the same Alert was already fired”

If you uncheck this checkbox, there will be an extra lookup to see if the Event already exists in the Argent Console, and if the existing Event still has “unanswered” status

If the same unanswered Event already exists, then no Alert is fired

This helps prevent Alert flooding

Let’s say the checkbox is checked

This means no extra checks will be made, and Alerts will be fired whenever an issue is found

Let’s say a website goes down at 12 midnight, and the web support team only operates during office hours

If Argent was configured to monitor their website every minute, the web support team would end up with 480 email Alerts, one for every minute, when they arrive at work at 8 a.m.

Post Event Only After Rule Is Broken X or More Times Consecutively

This checkbox is NOT enabled by default

Checking this checkbox tells Argent to trigger an Alert only after the condition occurs X times consecutively

“Consecutively” is the key word in this option

Imagine each unique type of Event has an internal tally

The first time the Event is encountered, it increases by 1

In the next monitored session, if the Event is encountered again, the tally increases again

If the value of X is reached, then and only then is an Alert triggered

Similarly, if the Event is no longer encountered, this resets the tally back to zero

When the checkbox is checked, the minimum, maximum and default values of ‘X’ are 2, 99 and 2 respectively

This helps prevent false positives

Networks can occasionally have hiccups, and if a timeout occurs once, you may not necessarily want to be woken up at 3 a.m.

However, if the timeout occurs three times in a row, then it is far more likely that the web server or network is experiencing a real issue that needs to be looked into
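
The two options described above can be modelled as a small simulation. This is an added example, not Argent's code: the class and function names are hypothetical, and it assumes nobody answers the Event during the run and that every broken session at or beyond X counts as meeting the threshold.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass
class AlertPolicy:
    # "Post Event Even If Same Event Is Still Outstanding": enabled by default.
    post_if_outstanding: bool = True
    # "Post Event Only After Rule Is Broken X or More Times Consecutively":
    # None models the unchecked default; when checked, X must be 2..99.
    consecutive_x: Optional[int] = None

    def __post_init__(self) -> None:
        if self.consecutive_x is not None and not 2 <= self.consecutive_x <= 99:
            raise ValueError("X must be between 2 and 99")


def simulate(policy: AlertPolicy, sessions: Iterable[bool]) -> List[int]:
    """Return the session indexes at which an Alert fires.

    sessions: one boolean per monitored session, True = rule broken.
    """
    tally = 0            # consecutive broken sessions for this Event type
    outstanding = False  # an unanswered Event already sits in the console
    fired: List[int] = []
    for index, broken in enumerate(sessions):
        if not broken:
            tally = 0    # Event no longer encountered: tally resets to zero
            continue
        tally += 1
        if policy.consecutive_x is not None and tally < policy.consecutive_x:
            continue     # threshold not reached yet, treat as a hiccup
        if outstanding and not policy.post_if_outstanding:
            continue     # same unanswered Event exists: no Alert is fired
        fired.append(index)
        outstanding = True
    return fired


# Constructed inputs: a website down every minute from midnight to 8 a.m.,
# and a flapping link that only fails three times in a row at the end.
OUTAGE = [True] * 480
FLAPPING = [True, False, True, True, False, True, True, True]

if __name__ == "__main__":
    print(len(simulate(AlertPolicy(), OUTAGE)))
    print(simulate(AlertPolicy(post_if_outstanding=False), OUTAGE))
    print(simulate(AlertPolicy(consecutive_x=3), FLAPPING))
```

Running the outage through the default policy reproduces the 480 Alerts from the scenario above; unchecking the first option leaves a single Alert for the whole night.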

Resolution

Upgrade to Argent Defender Ultra 1611-B