EXC_ACT2

This alert detects when a user generates a high volume of traffic (excessive activity). It uses a non-SQL-based detector instead of a SQL-based one; the non-SQL detector is faster but not configurable. It is similar to EXC_ACT.

Characteristics

Name: Excessive number of servers used by user. Top software service identified. Non-SQL detector.

Type: anomalies

Status (default): enabled

Detector: non-SQL-based

Message

“Excessive activity of user *IP_address* (*user_name*).”

“The top software service *software_service_name*.”

“The number of servers connected through the software service: *#server_count* (*server_percentage* %).”

“The total number of servers the user has connected to: *#user_servers*.”

“The number of servers has exceeded the *#limit*.”

Detector parameters

Overriding values can be specified in the *<installation directory>*\config\alarmdetectorparams-rtm.config configuration file.

EXC_ACT

This alert is triggered when a user generates a high volume of traffic (excessive activity) that may be considered suspicious.

Characteristics

Name: Excessive number of servers used by user. Top software service identified.

Type: anomalies

Status (default): enabled

Detector: SQL-based

Message

“Excessive activity of user *IP_address* (*user_name*).”

“The top software service *software_service_name*.”

“The number of servers connected through the software service: *#server_count* (*server_percentage* %).”

“The total number of servers the user has connected to: *#user_servers*.”

“The number of servers has exceeded the *#limit*.”

Detector parameters

Overriding values can be specified in the *<installation directory>*\config\alarmdetectorparams-rtm.config configuration file.

  • Multiplier of the normal number of servers (number)
    Scaling factor for the normal value of the number of servers for monitored traffic. The scaled value constitutes the lower limit of unacceptable values. Default value: 5.

  • Lower limit of the unacceptable number of servers (number)
    The lower limit of unacceptable values of the current number of servers for monitored traffic. Default value: 20. Note: both limits, the one defined by the scaling factor (parameter {0}) applied to the normal value and the one supplied directly in parameter {1}, have to be exceeded for the alert to be generated.

  • Alternative lower limit of the unacceptable number of servers (number)
    The lower limit of unacceptable values of the current number of servers for whole traffic. The limit is used if the current number of servers for monitored traffic is not an unacceptable value according to criteria based on parameters {0} and {1}. Default value: 100.
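The three parameters above combine into a two-stage decision: the monitored-traffic server count must exceed both the scaled baseline and the absolute lower limit, and only if that fails is the whole-traffic count compared against the alternative limit. The following Python is an added example written for this page, not the vendor's detector code; it assumes the "normal" value is the mean of earlier windows (the page does not say how the baseline is derived), uses the default parameter values from the page, and runs on constructed counts. It also fills the message fields (top software service, server count, percentage, limit) from the same inputs.

```python
from dataclasses import dataclass
from statistics import mean
from typing import Dict, Sequence, Tuple

# Default values taken from the EXC_ACT detector parameters on the page
DEFAULT_MULTIPLIER = 5          # Multiplier of the normal number of servers
DEFAULT_LOWER_LIMIT = 20        # Lower limit of the unacceptable number of servers
DEFAULT_ALT_LOWER_LIMIT = 100   # Alternative lower limit (whole traffic)


@dataclass
class Verdict:
    triggered: bool
    limit: float              # the #limit value the alert message would report
    user_servers: int         # #user_servers
    top_service: str          # software_service_name
    server_count: int         # #server_count (servers reached via the top service)
    server_percentage: float  # server_percentage


def normal_servers(history: Sequence[int]) -> float:
    """Baseline ('normal') number of servers for monitored traffic.
    Assumption for this example: the mean of earlier observation windows."""
    return mean(history) if history else 0.0


def top_software_service(per_service: Dict[str, int]) -> Tuple[str, int]:
    """Service through which the user reached the most servers."""
    return max(per_service.items(), key=lambda kv: kv[1])


def evaluate(monitored_now: int, total_now: int, monitored_history: Sequence[int],
             per_service: Dict[str, int],
             multiplier: float = DEFAULT_MULTIPLIER,
             lower_limit: float = DEFAULT_LOWER_LIMIT,
             alt_lower_limit: float = DEFAULT_ALT_LOWER_LIMIT) -> Verdict:
    """Apply the EXC_ACT threshold logic to one observation window."""
    scaled = multiplier * normal_servers(monitored_history)
    name, count = top_software_service(per_service)
    pct = round(100.0 * count / total_now, 1) if total_now else 0.0

    # Stage 1: BOTH the scaled baseline and the absolute lower limit must be
    # exceeded by the monitored-traffic server count.
    if monitored_now > scaled and monitored_now > lower_limit:
        return Verdict(True, max(scaled, lower_limit), total_now, name, count, pct)

    # Stage 2: fallback on whole traffic against the alternative lower limit.
    if total_now > alt_lower_limit:
        return Verdict(True, alt_lower_limit, total_now, name, count, pct)

    return Verdict(False, max(scaled, lower_limit), total_now, name, count, pct)


def format_message(ip: str, user: str, v: Verdict) -> str:
    """Render the alert text in the shape shown on the page."""
    return (f"Excessive activity of user {ip} ({user}). "
            f"The top software service {v.top_service}. "
            f"The number of servers connected through the software service: "
            f"{v.server_count} ({v.server_percentage} %). "
            f"The total number of servers the user has connected to: {v.user_servers}. "
            f"The number of servers has exceeded the {v.limit}.")


if __name__ == "__main__":
    # Constructed sample: baseline ~4 servers per window, then a jump to 30
    verdict = evaluate(monitored_now=30, total_now=35, monitored_history=[3, 4, 5],
                       per_service={"ssh": 21, "http": 14})
    if verdict.triggered:
        print(format_message("10.0.0.7", "jdoe", verdict))
```

Stage 1 is written as two explicit comparisons rather than `max()` so the "both limits have to be exceeded" rule from the parameter description is visible in the code; the reported limit is the larger of the two, because that is the value the count actually had to pass.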