SUSP_URL_TRAFF

This alert is triggered when abnormal traffic for a software service user is detected for a specified URL.

Important

This alert heavily degrades report server performance. Create only a limited number of such alerts.

Characteristics

Name: Abnormal URL traffic for software service user

Type: anomalies

Status (default): enabled

Detector: built-in, non-SQL

Message

“Abnormal URL traffic for user *IP_address* (*name*), software service *software_service_name*.”

“The total of URLs requested by the user: *number_of_URLs*.”

“The percentage of the restricted URLs: *percentage_restricted_URLs*%.”

“The distribution of the restricted URLs: *distribution_restricted_URLs*.”

Important

This alert does not track the activity of clients that use IPv6 addresses.

Detector parameters

  • Lower limit of the unacceptable number of URLs (number)
    The lower limit of unacceptable values of the number of hits. Default: 100.
  • Lower limit of the unacceptable number of restricted URLs [%] (number)
    The lower limit of the ratio between URL traffic to restricted resources and URL traffic to all resources. Default: 50%.
  • Restricted URLs (string)
    The set of URLs representing the restricted resources. The set is composed of URLs separated by a space character.
  • Toggle [0/1] to show the distribution of the restricted URLs (number)
    The default value of 0 does not show the distribution of the restricted URLs.
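
The threshold logic these parameters describe, sketched as an added example (this is not the product's built-in detector). It assumes exact URL matching and that both lower limits are inclusive and must both be reached; the function names, record layout and sample traffic are hypothetical and constructed for illustration.

```python
import ipaddress
from collections import Counter, defaultdict

def detect(records, restricted_urls, min_urls=100, min_restricted_pct=50.0,
           show_distribution=0):
    """records: iterable of (client_ip, user_name, software_service, url) hits."""
    # The "Restricted URLs" parameter is space-separated; exact match is assumed.
    restricted = set(restricted_urls.split())
    hits = defaultdict(Counter)  # (ip, name, service) -> hits per URL
    for ip, name, service, url in records:
        if ipaddress.ip_address(ip).version == 6:
            continue  # the alert does not track IPv6 clients
        hits[(ip, name, service)][url] += 1
    alerts = []
    for (ip, name, service), urls in sorted(hits.items()):
        total = sum(urls.values())
        dist = {u: n for u, n in sorted(urls.items()) if u in restricted}
        pct = 100.0 * sum(dist.values()) / total
        # Assumption: both lower limits are inclusive and must both be reached.
        if total < min_urls or pct < min_restricted_pct:
            continue
        alert = {"ip": ip, "name": name, "service": service,
                 "total": total, "restricted_pct": round(pct, 1)}
        if show_distribution == 1:  # toggle parameter, default 0
            alert["distribution"] = dist
        alerts.append(alert)
    return alerts

def sample_records():
    """Constructed sample traffic, not real data."""
    def burst(ip, name, url, n):
        return [(ip, name, "hr-portal", url)] * n
    return (burst("10.0.0.5", "alice", "/admin", 50)
            + burst("10.0.0.5", "alice", "/payroll", 30)
            + burst("10.0.0.5", "alice", "/index", 40)      # 120 hits, 66.7% restricted
            + burst("10.0.0.6", "bob", "/index", 140)
            + burst("10.0.0.6", "bob", "/admin", 10)        # 150 hits, 6.7% restricted
            + burst("10.0.0.7", "carol", "/admin", 40)      # 40 hits, below the hit limit
            + burst("2001:db8::1", "dave", "/admin", 200))  # IPv6 client, ignored

if __name__ == "__main__":
    for a in detect(sample_records(), "/admin /payroll", show_distribution=1):
        print(a)
```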