Alert definition example: abnormal URL traffic for software service user

In this example, we want to raise the alert if someone loads at least 25 price list pages.

Abnormal usage of the website can be detected by the Abnormal URL traffic for software service user alert, where we calculate the number of URLs loaded by any single user, compare this to the number of URLs with sensitive information (price pages in our case), and raise an alert if this exceeds the threshold. Configuration of this alert requires the definition of thresholds (such as the total number of pages and percentage of price pages in all loaded pages) and the price page pattern (*action=showprice*).

  1. Open the Alert management screen.

  2. Click Predefined.
    The predefined alerts are listed. In this example, we configure a predefined alert to suit our purposes. Details concerning the selected alert are shown under the list.

  3. Select Show disabled to display the alerts that are disabled by default.

  4. In the Filter box above the list, type abnormal to filter the list on that word.
    You want to find the Abnormal URL traffic for software service user alert.

  5. Click the Abnormal URL traffic for software service user alert to select it.
    That line will be highlighted in the list and the details concerning that alert will be displayed under the list.

  6. In the alert details and devices section (under the list), in the Actions column, select Actions ► Edit alert for the device to which you want to apply this alert.
    When more than one CAS is listed, be sure to select the row for the CAS to which you intend to apply the alert.
    When you select Edit alert, the alert wizard will open for the selected alert and device.

Specify basic settings

  1. On the Alert basic settings page of the wizard, click Next to skip to the next screen.

In this example, there is no need to change the information on this tab. It is possible to edit the description and name, but this is generally not recommended, because you are changing only the threshold values and other parameters, not the underlying predefined alert mechanism.

Define triggering and propagation conditions

On the Triggering and propagation settings page, on the Detection settings tab, set the values that will trigger the alert.

  • Set Lower limit of the unacceptable number of URLs to 25 to indicate that we might be interested if a single user loads more than 25 pages of any kind (restricted or not). If they are loading 25 or fewer pages, we do not care about them, but we might be worried if they load more than 25 pages, depending on whether they also match the other parameters.

  • Set Lower limit of the unacceptable number of restricted URLs to 70 to indicate that we are definitely interested if someone loads more than 25 pages (see above) and more than 70 percent of those pages match the Restricted URLs parameter.

  • Set Restricted URLs to "*action=showprice*" to match any of our price list pages.

Click Next.
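The following sketch shows how the three detection settings combine. It is an added illustration, not the product's own code. The function names, the sample users, and the `(user, url)` input format are assumptions, and both comparisons are assumed to be strict ("more than"), as the settings above describe.

```python
from collections import defaultdict
from fnmatch import fnmatchcase

# Values taken from the Detection settings in this example.
URL_LIMIT = 25              # Lower limit of the unacceptable number of URLs
RESTRICTED_PCT_LIMIT = 70   # Lower limit of the unacceptable number of restricted URLs (percent)
RESTRICTED_PATTERN = "*action=showprice*"

def find_abnormal_users(requests, url_limit=URL_LIMIT,
                        pct_limit=RESTRICTED_PCT_LIMIT,
                        pattern=RESTRICTED_PATTERN):
    """Return {user: (total, restricted, percent)} for users over both limits.

    requests is an iterable of (user, url) pairs from one evaluation window.
    Assumption: both comparisons are strict ("more than"), as the text describes.
    """
    total = defaultdict(int)
    restricted = defaultdict(int)
    for user, url in requests:
        total[user] += 1
        if fnmatchcase(url, pattern):
            restricted[user] += 1
    flagged = {}
    for user, count in total.items():
        if count <= url_limit:
            continue  # 25 or fewer pages: ignored regardless of content
        pct = 100.0 * restricted[user] / count
        if pct > pct_limit:
            flagged[user] = (count, restricted[user], round(pct, 1))
    return flagged

def sample_requests():
    """Constructed sample data: three hypothetical users."""
    reqs = []
    # alice: 30 pages, 27 price pages (90%) -> over both limits
    reqs += [("alice", f"/shop?action=showprice&id={i}") for i in range(27)]
    reqs += [("alice", f"/shop?action=browse&id={i}") for i in range(3)]
    # bob: 40 pages, 10 price pages (25%) -> busy, but not mostly price pages
    reqs += [("bob", f"/shop?action=showprice&id={i}") for i in range(10)]
    reqs += [("bob", f"/shop?action=browse&id={i}") for i in range(30)]
    # carol: 25 pages, all price pages -> not more than 25 pages, so ignored
    reqs += [("carol", f"/shop?action=showprice&id={i}") for i in range(25)]
    return reqs

if __name__ == "__main__":
    for user, (n, r, pct) in find_abnormal_users(sample_requests()).items():
        print(f"ALERT {user}: {n} URLs, {r} restricted ({pct}%)")
```

Only the first sample user is flagged: the second exceeds the page count but not the percentage, and the third loads only price pages but does not exceed 25 pages.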

Configure alert notifications

On the Alert notifications page of the wizard, click Next to skip to the next tab.

In this example, there are no specific changes to make on this tab. Normally, however, you would use the tabs (E-mails, Trap recipients, Mobile, Script) to specify where and how to send out alerts. If you specify nothing here, the alerts will be written only to the alert log.

Click Next.

Review summary

On the Review summary page of the wizard, verify your alert settings before you apply them.

If you need to change anything, click Previous to go back to the appropriate page of the wizard.

Click Apply.

In the pop-up window, you can either save your changes as a draft, if you intend to make more changes now, or publish the changes immediately if you want them to go live now.