Alert Dashboards
Kentik Detect’s Alerting section includes two pages, Active Alerts and History, that are used to view the alarms and mitigations generated by alert policies. These pages are covered in the following topics:
Notes:
- Alert dashboards are specific to the alerting system and are distinct from the dashboards in the Dashboards section of the Kentik Detect portal.
- For general information on policy alerting, see Policy Alert Overview.
- For information on settings for alert policies, see Alert Policies.
- For information on alert-related notifications, see Alert Notifications.
- For information on mitigation for alerts, see Mitigation.
Active Alerts
The Active Alerts page of the portal’s Alerting section is covered in the following topics:
About Active Alerts
The primary function of the Active Alerts page is to provide a list of active alerts and mitigations as well as those that are waiting for acknowledgement. The list displays important information about each alert or mitigation, including the alert policy that triggered it (see About Alerts and Policies), its current state (see Alert States), and the key whose traffic matched the conditions specified in one of the policy’s thresholds. The content on this page, which also contains additional indicators and information (see Active Alerts Page UI), is refreshed at a user-selectable interval and displays up to 500 items.
Active Alerts Page UI
The Active page (shown below with dark theme) is made up of the following UI elements:
- Alerting counters: A display across the top showing the total number of mitigations, alarms, and required acknowledgements reported during the last seven days. The background color of each tile varies depending on the severity of the current state. See Alerting Counters.
- Alerting scoreboard: A matrix displaying the policies that are active based on a given dimension that is specified during scoreboard configuration. See Alerting Scoreboard.
- Filter field: Filters the Active Alerts List to show only rows containing the entered text in one of the following fields: policy, key, value, ID, start/end time.
- Auto-refresh selector: Choose the interval at which the page will be refreshed.
- Active Alerts list: A table listing currently active alerts (see Active Alerts List).
Alerting Counters
Displayed across the top of the Active page, the alerting counters are a set of summary tiles (shown above), one for each of three types of events:
- Mitigations: Shows a count of how many alerts are currently being mitigated, either automatically or manually, and includes a Start Manual Mitigation button (+ sign) that opens the Start Manual Mitigation Dialog. The background color of the tile varies depending on the count:
- Grey: No mitigations currently in progress.
- Purple: 1 or more mitigations currently in progress.
- Alarms: Shows a count of alerts that are in ALARM state, meaning that the conditions defined in the alert policy have been met and notifications have been triggered. A count of the alarms at each severity is also included. The background color of the tile varies depending on the severity (minor, major, critical) of the most severe alarm:
- Grey: No alarms currently active.
- Dark Red: The highest severity level is Critical.
- Red: The highest severity level is Major.
- Orange: The highest severity level is Minor.
- Acknowledgements: Shows a count of alerts that are in ACK_REQ state, meaning that the conditions that resulted in an alarm are no longer present, but an acknowledgement is required from a user in your organization before the alert is removed from the active list. The background color of the tile varies depending on the count:
- Grey: No acknowledgements pending.
- Blue: 1 or more acknowledgements pending.
Note: An alarm is acknowledged by clearing it. To manually clear an alarm, click the checkbox at the left of the alert’s row in the Active Alerts List, then click the Clear button.
Alerting Scoreboard
Displayed below the alerting counters, the scoreboard is a matrix — visible to all users in your organization — that lets you quickly see the most urgent alarms for a set of alert policies that share a common group-by dimension (see Dimensions in Data Funneling). The scoreboard dimension is chosen when the matrix is configured (click the Configure button to edit the configuration; see Scoreboard Configuration).
Note: In addition to the scoreboard in alerting, you can also define a scoreboard as a dashboard panel; see Add Alert Scoreboard in Edit Mode Controls.
Scoreboard Columns and Rows
The columns of the scoreboard each represent an individual dimension (see Dimensions Reference) whose value has caused a threshold in an alert policy to trigger an alarm. For example, if the scoreboard dimension is set to Interface then each column will represent the value (name) of one interface that has met the conditions required to trigger an alarm in at least one policy, making the policy active (its current state is either ALARM or ACK_REQ; see Alert States).
By default, the rows of the scoreboard represent the policies (named in the first column) that are currently active with respect to the scoreboard dimension. If the scoreboard dimension is IP/CIDR then there may also be a row representing active mitigations.
Note that a scoreboard doesn’t show every currently active policy (row) or every dimension value (column) that has triggered an alarm, only those that are active in relation to the scoreboard dimension. Further, because the area available to display the scoreboard is limited, the number of columns and the number of rows are each capped as part of the scoreboard configuration (see Limit To in Configure Scoreboard Settings). Within those caps, the scoreboard algorithm chooses, based primarily on alarm severity and secondarily on the number of alarms triggered, which dimension values and policies are represented in the scoreboard.
Scoreboard Cells
Each cell in the scoreboard represents the set of alarms (active alerts) related to an individual dimension value (column) in a given policy (row). Displayed in each cell is the count of the alarms with the highest severity level (see Alarm Counts and Severity). In the scoreboard shown below, for example:
- The traffic on the IP/CIDR represented by the fourth column has triggered:
- One minor alarm (orange) in the policy UDP_BADPORTS.
- One major alarm (red) in the policy UDP_HIGHBPS.
- The traffic on the IP/CIDR represented by the fifth column has triggered:
- One alarm in the policy UDP_BADPORTS that is currently awaiting acknowledgement (blue).
- One critical alarm (dark red) in the policy UDP_HIGHBPS.
- There are also active mitigations on the IP/CIDRs represented by the second and third columns.
- Where there is neither an active alert nor a mitigation, the cell displays a green checkmark.
Alarm Counts and Severity
Many alert policies will have multiple dimensions (see Dimensions Reference) specified in the Data Funneling settings. These dimensions combine to define a key (see About Keys), which represents a subset of traffic that has a unique combination of the dimension values. The traffic represented by each key is evaluated by the alerting system and will trigger an alarm if it meets the conditions defined in any threshold of an alert policy.
When a policy uses multiple dimensions, one of which is the scoreboard dimension, a given value for the scoreboard dimension can be present in multiple keys that have triggered alarms. As an example, consider a policy whose dimensions are Device and IP/CIDR. Each key — the unique combination of a device and an IP/CIDR — whose traffic meets the conditions in any of the policy’s thresholds would trigger an alarm. If the scoreboard’s dimension is device, a count of those alarms will be displayed in the scoreboard cell whose column is the device and whose row is the policy. The count is kept separately for each threshold severity level:
- If the traffic via one individual device to each of five different IPs has triggered an alarm for either of the policy’s major thresholds (Major or Major 2), then the count of major alarms in that policy for that device would be five. Absent any critical alarms, the number 5 would be shown in the cell against a background of red (the color of major alarms).
- If at the same time two other keys with the same device (but different IPs) have triggered alarms on the policy’s Critical threshold, then the count of critical alarms for that device on that policy is two. Because critical alarms trump less severe alarms, the number 2 would be shown in the cell against a background of dark red (the color of critical alarms).
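The counting rules above (every key whose traffic trips a threshold is one alarm; Major and Major 2 count together; the most severe bucket present decides what the cell shows; columns and rows are ranked by severity first and alarm count second when a Limit To cap applies) are easy to get wrong when reading a scoreboard, so here they are as an added example in Python. This is not Kentik code: the alarm record shape, the field names (policy, threshold, state, key), the sample alarms, and the exact tie-breaking order are assumptions made for the example, and cell thresholds are modelled as a minimum count per severity bucket (default 1).

```python
"""Roll alarm records up into alerting-scoreboard cells (added example).

Assumptions (not from Kentik): each alarm is a dict with policy, threshold,
state and a key dict of dimension -> value; ties in ranking keep input order.
"""
from collections import defaultdict

# Highest rank wins inside a cell; ACK_REQ (blue) sits below Minor.
SEVERITY_RANK = {"critical": 3, "major": 2, "minor": 1, "ack_req": 0}
# Threshold names as shown in the Policy column; Major 2 / Minor 2 count
# together with Major / Minor.
THRESHOLD_TO_SEVERITY = {
    "Critical": "critical",
    "Major": "major", "Major2": "major",
    "Minor": "minor", "Minor2": "minor",
}

# Constructed sample alarms (not real data). Every key is a device + IP/CIDR
# combination, so the same records can be viewed on either dimension.
SAMPLE_ALARMS = [
    {"policy": "UDP_BADPORTS", "threshold": "Minor", "state": "ALARM",
     "key": {"device": "edge1", "ip_cidr": "198.51.100.4/32"}},
    {"policy": "UDP_HIGHBPS", "threshold": "Major", "state": "ALARM",
     "key": {"device": "edge1", "ip_cidr": "198.51.100.4/32"}},
    {"policy": "UDP_BADPORTS", "threshold": "Minor", "state": "ACK_REQ",
     "key": {"device": "edge2", "ip_cidr": "198.51.100.5/32"}},
    {"policy": "UDP_HIGHBPS", "threshold": "Critical", "state": "ALARM",
     "key": {"device": "edge2", "ip_cidr": "198.51.100.5/32"}},
    # One device, two IPs: a Major and a Major 2 alarm count as two majors.
    {"policy": "UDP_HIGHBPS", "threshold": "Major2", "state": "ALARM",
     "key": {"device": "edge3", "ip_cidr": "198.51.100.7/32"}},
    {"policy": "UDP_HIGHBPS", "threshold": "Major", "state": "ALARM",
     "key": {"device": "edge3", "ip_cidr": "198.51.100.8/32"}},
    # Cleared alarms are not active and must not appear on the scoreboard.
    {"policy": "UDP_HIGHBPS", "threshold": "Critical", "state": "CLEAR",
     "key": {"device": "edge3", "ip_cidr": "198.51.100.9/32"}},
]


def bucket(alarm):
    """Severity bucket an alarm is counted under (ACK_REQ is its own bucket)."""
    if alarm["state"] == "ACK_REQ":
        return "ack_req"
    return THRESHOLD_TO_SEVERITY[alarm["threshold"]]


def build_scoreboard(alarms, dimension, max_columns=None, max_rows=None):
    """Return (rows, columns, cells) for a scoreboard on `dimension`.

    cells maps (policy, dimension value) -> {bucket: count}. Only active
    alarms (ALARM or ACK_REQ) whose key contains `dimension` are counted.
    """
    cells = defaultdict(lambda: defaultdict(int))
    for a in alarms:
        if a["state"] not in ("ALARM", "ACK_REQ") or dimension not in a["key"]:
            continue
        cells[(a["policy"], a["key"][dimension])][bucket(a)] += 1

    def rank(items):
        """Order candidates by highest severity present, then by alarm count."""
        best = defaultdict(lambda: (-1, 0))
        for item, counts in items:
            top = max(SEVERITY_RANK[b] for b in counts)
            prev = best[item]
            best[item] = (max(prev[0], top), prev[1] + sum(counts.values()))
        return sorted(best, key=lambda i: best[i], reverse=True)

    columns = rank((v, c) for (p, v), c in cells.items())
    rows = rank((p, c) for (p, v), c in cells.items())
    if max_columns is not None:
        columns = columns[:max_columns]
    if max_rows is not None:
        rows = rows[:max_rows]
    return rows, columns, {k: dict(v) for k, v in cells.items()}


def cell_display(counts, thresholds=None):
    """What a cell shows: (bucket, count) of the most severe bucket whose
    count meets its configured threshold (assumed minimum count, default 1)."""
    thresholds = thresholds or {}
    for b in sorted(SEVERITY_RANK, key=SEVERITY_RANK.get, reverse=True):
        n = counts.get(b, 0)
        if n and n >= thresholds.get(b, 1):
            return b, n
    return None, 0  # neither alarm nor ack pending: the green checkmark


def render(rows, columns, cells):
    """Plain-text scoreboard: one line per policy, one column per value."""
    lines = ["policy".ljust(14) + "".join(c.ljust(18) for c in columns)]
    for p in rows:
        parts = []
        for v in columns:
            sev, n = cell_display(cells.get((p, v), {}))
            parts.append(("ok" if sev is None else f"{n} {sev}").ljust(18))
        lines.append(p.ljust(14) + "".join(parts))
    return "\n".join(lines)


if __name__ == "__main__":
    for dim in ("ip_cidr", "device"):
        print(render(*build_scoreboard(SAMPLE_ALARMS, dim, max_columns=3)), "\n")
```

Run it on the device dimension and the UDP_HIGHBPS/edge3 cell shows 2 major (one Major and one Major 2 alarm on different IPs), while UDP_BADPORTS/edge2 shows blue because its only alarm is awaiting acknowledgement; with max_columns=2 on ip_cidr, the /32 carrying the critical alarm is kept ahead of the one carrying only a major.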
Alert Details Dialog
The Alert Details dialog presents information about one or more policies that have active alerts that were triggered by a key that includes the scoreboard dimension (see Alarm Counts and Severity). The columns (State, Policy, etc.) of the table in the dialog are a subset of the columns of the Active Alerts list (for column descriptions, see Active Alerts List).
The alarms shown in the dialog depend on how it is opened:
- When you click on a policy name in the left-hand column of the scoreboard, the dialog lists all active alarms in that policy.
- When you click the Show Alarms button in a Cell Details Popup, the dialog shows all of the alarms that match both the policy (row) and dimension value (column) of the cell from which the popup was opened.
Note: The Alert Details dialog may include alarms that are not shown in the scoreboard itself due to the Limit To configuration described in Configure Scoreboard Settings.
Cell Details Popup
Click on an individual cell in the scoreboard to open the Cell Details popup, which summarizes information about the alarms that match both the policy (row) and dimension value (column) of the cell. The following information is displayed:
- The count of alarms at each severity level for which there is at least one active alarm.
- The dimension value.
- The policy name.
- The Show Alarms button, which opens the Alert Details Dialog.
Scoreboard Configuration
The alerting scoreboard is configured in the Configure Scoreboard dialog. To open the dialog, click the Configure button that appears in the heading row of the Alerting Scoreboard.
Notes:
- The scoreboard is company-wide. Any changes made in the Configure Scoreboard dialog will affect how the scoreboard appears to all users in your organization.
- In addition to alerting scoreboards, the configuration information below applies as well to scoreboards in dashboard panels.
Configure Scoreboard Dialog UI
The Configure Scoreboard dialog has the following generic UI elements:
- Close button: Click the X in the upper right corner to close the dialog. All elements will be restored to their values at the time the dialog was opened.
- Remove button: Opens a confirming dialog that allows you to remove the current scoreboard configuration.
- Cancel button: Cancel the scoreboard configuration and exit the dialog. All elements will be restored to their values at the time the dialog was opened.
- Save button (Edit Dashboard dialog only): Save changes to dashboard settings and exit the dialog.
Configure Scoreboard Settings
The Configure Scoreboard dialog has the following settings:
- Dimension: The dimension (see Dimensions Reference) whose individual values are represented as columns in the scoreboard. For example, if dimension is set to Interface then each column in the scoreboard will represent the value (name) of one interface that has met the conditions required to trigger an alarm in at least one policy.
- Limit To (columns): The maximum number of dimension values that will be included in the scoreboard. If this number is less than the number of keys in alarm, then the dimension values to include in the scoreboard are chosen by an algorithm based on the severity and number of alarms.
- Policies: The rows of the scoreboard:
- Show all with active alarms (default): The policies that are currently active with respect to the scoreboard’s dimension.
- Always show specific policies: Policies chosen from the policy selector. The list of available policies includes only policies in which the scoreboard dimension is included in the key.
- Limit To (rows; shown only when Policies is set to Show all with active alarms): The maximum number of policies that will be included in the scoreboard. If this number is less than the number of policies with alarms whose keys include the scoreboard dimension then the policies to include in the scoreboard are chosen by an algorithm based on the severity and number of alarms.
- Policy selector (shown only when Policies is set to Always show specific policies): A list of policies in which the scoreboard’s dimension is included in the policy’s dimensions (see Data Funneling). To include a policy in the scoreboard, check the box at the left of that policy in the list.
- Thresholds: Determines the severity, as indicated by background color, that will be assigned to the cells of the scoreboard based on the count of alarms at various severity levels (see Alarm Counts and Severity):
- Critical (dark red): Set the number of critical alarms or major alarms required to assign a cell severity level of Critical.
- Major (red): Set the number of major alarms or minor alarms required to assign a cell severity level of Major.
- Minor (orange): Set the number of minor alarms required to assign a cell severity level of Minor.
- ACK Required (blue): Set the number of acknowledgement required alarms required to assign a cell severity level of ACK Required.
Each of the thresholds listed above also has a toggle switch that determines whether alarms of the corresponding severity are Enabled (displayed) or Disabled (hidden) in the scoreboard.
Active Alerts List
The Active Alerts List is a table of up to 500 rows in which each row is one of the following:
- An alert that is currently active (in ALARM state).
- An alert that is waiting for acknowledgement (in ACK_REQ state) as specified with the Acknowledge Required setting in a threshold; see General Threshold Settings.
- A mitigation that is currently active or waiting for acknowledgement (see Threshold Mitigations).
The Active Alerts List provides the following information and actions for the rows in the list:
- Select checkbox: A checkbox that includes the row in a set of rows that will be acted on by the Clear button. To select all rows at once, click the selection box in the column header.
- Clear button: Appears to the right of the Filter field when one or more select checkboxes is checked. The clear action applied to each selected row depends on the type of that row (alarm or mitigation):
- Clear alarm: Takes the alert that generated the alarm out of alarm state.
Note: If the conditions that caused the alarm to trigger are still occurring at the next refresh (the timing of which depends on the polling frequency of the alert policy), then a new alarm for the same threshold will appear on the Active Alerts List.
- Acknowledge alarm: Acknowledges an alert that is currently in ACK_REQ state.
- Clear mitigation: Stops the mitigation (equivalent to clicking the Stop icon in the actions at the right of the row).
- State: Indicates the current state of the alert (see Alert States).
- Policy: Indicates the policy name and criticality (Critical, Major2, Major, Minor2, Minor) as defined in an alert threshold. Clicking to the left of the name drops down a menu with the following items:
- View Alarms: Opens the History page, filtered by the policy (see Alert History Filter).
- Edit Policy: Opens the Edit Alert Policy dialog (see Alert Policy Dialogs).
- Key/Dimension: The dimensions (see Dimensions Reference) of the key definition, and their values for the keys that caused the alert to enter alarm state (see About Keys). The key can be placed in Silent Mode by clicking the Plus (+) icon in the row’s column.
- Value: For alarms and matches (not mitigations), this cell contains the following:
- Value: A line giving the sum total value returned by the key as defined by the alert policy’s query. The top-X ranking of traffic is performed by evaluating the volume, as measured in the primary metric, of the traffic (across the selected devices and filtered by the specified filters) represented by the key.
- Baseline: A line giving the baseline value from which the alarm threshold has deviated. The baseline can be either static or calculated as defined by the alert policy.
Note: Hover over the baseline information to open a tool tip containing a baseline code (see Baseline Codes).
- Mit ID/Alarm ID: The system-generated unique ID assigned to the alarm or mitigation when it was triggered. The ID can be clicked to display the item on the History page along with any related alarms and mitigations.
- Start/End: The time (UTC) of the following:
- The start time of the event that triggered the alarm state or mitigation.
- If the event is waiting for an acknowledgement, the end time of the event that triggered the alarm state. Otherwise the alarm or mitigation is indicated as “Currently Active.”
- Actions: See Active Alerts Actions.
Note: A policy that is in error state is not currently indicated as such in the Active Alerts List. For more information, see Policy Error State.
Active Alerts Actions
The actions that can be taken on an active alert or mitigation in the Active Alerts List are applied with the action icons shown at the right of each row. Available actions depend on whether the row represents an alarm or a mitigation.
Alarm Row Actions
The following actions are available in rows representing alarms:
- Open in Explorer: Opens Data Explorer in a new browser window or tab, with the sidebar set to correspond to the values of the alarm’s key. For example, if the key’s dimension is Destination:IP (IP_dst) and the value of the key in the alarm is 60.54.101.8 then there will be a filter in the Data Explorer sidebar for inet_dst_addr ILIKE 60.54.101.8.
- Open in Dashboard: Opens, in a new browser window or tab, the dashboard associated with the policy of the alert that generated the alarm (see Policy Dashboard in General Policy Settings), with the dashboard set to correspond to the values of the alarm’s key. For example, if the key’s dimension is Destination:IP (IP_dst) and the value of the key in the alarm is 60.54.101.8 then there will be a filter in the dashboard for inet_dst_addr ILIKE 60.54.101.8.
- Debug Alarm: Displays the alarm in a Debug Graph Dialog.
Automatic Mitigation Actions
The table below shows the action buttons that are available in rows representing automatic mitigations. Both the available actions and the results of those actions vary depending on the current state of the mitigation (see Mitigation Row States).
Note: When you take manual control of an automatic mitigation, the mitigation won’t stop automatically even when the triggering alert is cleared; it will continue until manually stopped or removed.
Each entry below gives the current state (code and label) with its description, followed by the buttons available in that state and the state that results from each:
- START_WAIT (Start Wait): Waiting for user acknowledgement or expiration of a timer.
  - Manual Control → MANUAL_CLEAR: Take manual control and cancel the pending mitigation.
  - Skip Step → STARTING: Immediately start a mitigation that has been waiting for acknowledgement or expiration of a timer (see Mitigation Settings).
- STARTING (Starting): Start has been requested but hasn’t yet succeeded.
  - Manual Control → MANUAL_STARTING: Take manual control and continue starting the mitigation.
- STARTING_FAIL (Failed to Start): Mitigation has failed to start automatically.
  - Manual Control → MANUAL_STARTING_FAIL: Take manual control, at which point you can either Retry or Remove the mitigation.
  - Retry → STARTING: Retry the mitigation.
- MITIGATING (Active): Mitigation is currently active.
  - Manual Control → MANUAL_MITIGATING: Take manual control of the mitigation, which remains active.
- END_GRACE (End Grace): Mitigation has ended but the grace period has not yet expired (see Common Method Settings).
  - Manual Control → MANUAL_MITIGATING: Take manual control of the mitigation, which remains active.
  - Skip Step → END_WAIT: Advance the mitigation immediately to the next state.
- END_WAIT (End Wait): The triggering conditions no longer exist but the mitigation is waiting for user acknowledgement or expiration of a timer.
  - Manual Control → MANUAL_MITIGATING: Take manual control of the mitigation, which remains active.
  - Skip Step → CLEARING: Advance the mitigation immediately to the next state.
- CLEARING (Clearing): Mitigation is in the process of being ended.
  - Manual Control → MANUAL_CLEARING: Take manual control of the mitigation without affecting the stop process.
- CLEARING_FAIL (Failed to Clear): Stop has been requested but hasn’t yet succeeded.
  - Manual Control → MANUAL_CLEARING_FAIL: Take manual control, at which point you can either Retry or Remove the mitigation.
  - Retry → CLEARING: Try again to stop the mitigation.
- ACK_REQ (Ack Required): Waiting for user acknowledgement.
  - Manual Control → MANUAL_CLEAR: Take manual control and leave the mitigation stopped.
  - Remove → ARCHIVED: Advance the mitigation to the next state, which removes it from the Active list.
Note: Archived mitigations may be viewed in the History List.
Manual Mitigation Actions
The table below shows the action buttons that are available in rows representing manual mitigations. Both the available actions and the results of those actions vary depending on the current state of the mitigation (see Mitigation Row States).
Each entry below gives the current state (code and label) with its description, followed by the buttons available in that state and the state that results from each:
- MANUAL_STARTING (Manual: Starting): Mitigation is being activated.
  - Stop → MANUAL_CLEAR: Stop the mitigation, at which point you can either Restart or Remove it.
  - Remove → ARCHIVED: Stop the mitigation and remove it from the Active list.
- MANUAL_STARTING_FAIL (Manual: Failed to Start): Mitigation was attempted but could not be added or activated.
  - Retry → MANUAL_STARTING: Try again to start the mitigation, at which point you can either Stop it or Remove it.
  - Remove → ARCHIVED: Remove the mitigation from the Active list.
- MANUAL_MITIGATING (Manual: Active): Mitigation is active.
  - Stop → MANUAL_CLEARING: Stop the mitigation, at which point you can either Restart or Remove it.
  - Remove → ARCHIVED: Stop the mitigation and remove it from the Active list.
- MANUAL_CLEARING (Manual: Clearing): Stop has been requested but hasn’t yet succeeded.
  - Start → MANUAL_MITIGATING: Restart the mitigation.
  - Remove → ARCHIVED: Remove the mitigation from the Active list.
- MANUAL_CLEARING_FAIL (Manual: Failed to Clear): Stop was requested but didn’t succeed.
  - Retry → MANUAL_CLEARING: Try again to stop the mitigation.
  - Remove → ARCHIVED: Remove the mitigation from the Active list.
- MANUAL_CLEAR (Manual: Clear): Mitigation is no longer active or waiting.
  - Start → MANUAL_STARTING: Restart the mitigation.
  - Remove → ARCHIVED: Remove the mitigation from the Active list.
Note: Archived mitigations may be viewed in the History List.
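The two action tables above (automatic and manual mitigation rows) together form one state machine, and the practical questions an operator has are which buttons a row offers, what state each leads to, and whether every state can still be driven to ARCHIVED. The following is an added Python example encoding exactly the button transitions listed on this page; it is not Kentik code, the function names are the example’s own, and it deliberately models only the operator buttons (the system’s own automatic transitions, such as STARTING becoming MITIGATING, are not described on this page and are left out).

```python
"""Mitigation row state machine built from the action tables (added example).

Only operator buttons are modelled; automatic transitions driven by the
alerting system itself are not on the page and are not encoded here.
"""

# (current state, button) -> resulting state, transcribed from the tables.
TRANSITIONS = {
    # automatic mitigation states
    ("START_WAIT", "Manual Control"): "MANUAL_CLEAR",
    ("START_WAIT", "Skip Step"): "STARTING",
    ("STARTING", "Manual Control"): "MANUAL_STARTING",
    ("STARTING_FAIL", "Manual Control"): "MANUAL_STARTING_FAIL",
    ("STARTING_FAIL", "Retry"): "STARTING",
    ("MITIGATING", "Manual Control"): "MANUAL_MITIGATING",
    ("END_GRACE", "Manual Control"): "MANUAL_MITIGATING",
    ("END_GRACE", "Skip Step"): "END_WAIT",
    ("END_WAIT", "Manual Control"): "MANUAL_MITIGATING",
    ("END_WAIT", "Skip Step"): "CLEARING",
    ("CLEARING", "Manual Control"): "MANUAL_CLEARING",
    ("CLEARING_FAIL", "Manual Control"): "MANUAL_CLEARING_FAIL",
    ("CLEARING_FAIL", "Retry"): "CLEARING",
    ("ACK_REQ", "Manual Control"): "MANUAL_CLEAR",
    ("ACK_REQ", "Remove"): "ARCHIVED",
    # manual mitigation states
    ("MANUAL_STARTING", "Stop"): "MANUAL_CLEAR",
    ("MANUAL_STARTING", "Remove"): "ARCHIVED",
    ("MANUAL_STARTING_FAIL", "Retry"): "MANUAL_STARTING",
    ("MANUAL_STARTING_FAIL", "Remove"): "ARCHIVED",
    ("MANUAL_MITIGATING", "Stop"): "MANUAL_CLEARING",
    ("MANUAL_MITIGATING", "Remove"): "ARCHIVED",
    ("MANUAL_CLEARING", "Start"): "MANUAL_MITIGATING",
    ("MANUAL_CLEARING", "Remove"): "ARCHIVED",
    ("MANUAL_CLEARING_FAIL", "Retry"): "MANUAL_CLEARING",
    ("MANUAL_CLEARING_FAIL", "Remove"): "ARCHIVED",
    ("MANUAL_CLEAR", "Start"): "MANUAL_STARTING",
    ("MANUAL_CLEAR", "Remove"): "ARCHIVED",
}

ALL_STATES = sorted({s for s, _ in TRANSITIONS} | set(TRANSITIONS.values()))


def available_actions(state):
    """Buttons shown in a row that is currently in `state`."""
    return [b for (s, b) in TRANSITIONS if s == state]


def is_available(state, button):
    return (state, button) in TRANSITIONS


def is_manual(state):
    """Manual-family states: the mitigation no longer stops by itself when
    the triggering alert clears; it runs until stopped or removed."""
    return state.startswith("MANUAL_")


def apply_action(state, button):
    """Resulting state, or ValueError for a button the row does not offer."""
    if not is_available(state, button):
        raise ValueError(f"{button!r} not available in {state}; "
                         f"choose from {available_actions(state)}")
    return TRANSITIONS[(state, button)]


def walk(state, buttons):
    """Apply a sequence of buttons and return the full trace of states."""
    trace = [state]
    for b in buttons:
        state = apply_action(state, b)
        trace.append(state)
    return trace


def can_reach(state, target="ARCHIVED"):
    """Depth-first search over button transitions: can an operator drive
    a row in `state` to `target` using only the buttons on the page?"""
    seen, frontier = {state}, [state]
    while frontier:
        s = frontier.pop()
        if s == target:
            return True
        for b in available_actions(s):
            nxt = TRANSITIONS[(s, b)]
            if nxt not in seen:
                seen.add(nxt)
                frontier.append(nxt)
    return False


if __name__ == "__main__":
    print(" -> ".join(walk("MITIGATING", ["Manual Control", "Stop", "Remove"])))
    for s in ALL_STATES:
        print(f"{s:22} buttons={available_actions(s)} reaches ARCHIVED={can_reach(s)}")
```

The check worth keeping is can_reach: every state in both tables has a path to ARCHIVED, but only by way of Manual Control for the automatic states, which is why a mitigation that you have taken over has to be stopped or removed by hand.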
Alert History
The History page of the portal’s Alerting section is covered in the following topics:
About Alert History
The primary function of the History page is to display the History List, a filterable table listing alarms, mitigations, and matches (up to 1000) for a specified time range (default is last 24 hours). The list displays important information about each alarm, mitigation, and match, including the alert policy that triggered it (see About Alerts and Policies), its current state (see Alert States), and the key whose traffic matched the conditions specified in one of the policy’s thresholds. The page also contains additional indicators, information, and filter controls (see History Page UI).
Note: Unlike the Active page, the History page is not refreshed automatically. Instead the page’s contents are updated in response to the following actions:
- Apply filtering in the Alert History Filter section.
- Click the Reset button at top right; if any filters have been set they will be removed and time range will be reset to default (last 24 hours).
History Page UI
The History page includes the following main UI elements:
- Alert History Filter: Filters the History List by time range, alarm properties, and row type (alarm, mitigation, match). See Alert History Filter.
- Alert Activity graph: A plot of alarms along a timeline covering the specified time range in either one-hour increments (for time ranges of one week or less) or one-day increments (for time ranges longer than one week). At each increment:
- The height of the red line shows the total number of alarms that are active at that time.
- The height of the blue bar, if any, represents the number of new alarms that occurred during that time increment. Hovering the cursor over a blue bar opens a tool tip that shows the number of new and total alarms for that time increment.
- History List: A table listing alarms that occurred during the specified time range (see History List).
Note: When the browser window is sized to less than 1200 pixels wide, the UI elements listed above (except for the History List) will occupy the full width of the window.
Alert History Filter
The Alert History Filter allows you to filter the History List based on time range, alarm properties, and row type (alarm, mitigation, or match).
General Filter Controls
The filter section includes the following general controls at the right:
- Apply button: Applies the current settings of the Alert History Filter
- Reset button: Restores defaults for all filter settings.
- Time range: last 24 hours.
- Filter By: none.
- Types: Mitigations and Alarms.
Filter Time Range
The following controls filter the list by time range:
- From: Two fields used to define the start of the time range:
- Date field: Pops up a calendar.
- Time field: Drops down a time list.
- To: Two fields used to define the end of the time range (see From fields above).
- Current time button: Click the circular arrow icon to set the end time to the current time.
Filter by Properties
The following controls filter the History page by properties of the underlying alerts and alarms:
- Filter By: The alert property (see options listed below) that will be filtered for the value in the Filter Value field.
- Filter Value: The string that the Filter By property will be filtered for.
The following Filter By options are supported:
- Alert Policy: Filters for rows having the alert policy name chosen from the drop-down Filter Value list.
Note: You can also filter by alert policy with one of the following actions:
- Click a policy in the Policy/State column of the Active list (Active page) or History List (History page).
- Click a policy in the Top Policies table.
- Key (Exact): Filters for rows whose key is identical to the entered string.
- Key (Partial): Filters for rows whose key contains the entered string.
- Dimension:Key: Filters for rows whose dimension:key is identical to the entered string.
Note: You can also filter for a key with one of the following actions:
- Click a key in the Key/Dimension column of the Active Alerts list (Active page) or History List (History page).
- Click a key in the Top Keys table.
- Alarm ID: Filters for rows whose alarm ID is identical to the entered string.
Note: You can also filter for an alarm ID by clicking it in the Mit ID/Alarm ID column of the Active Alerts list (Active page) or History List (History page).
- Mitigation ID: Filters for alarms and mitigations whose mitigation ID is identical to the entered string.
Note: You can also filter for a mitigation ID by clicking it in the Mit ID/Alarm ID column of the Active Alerts list (Active page) or History List (History page).
- Old State (Partial): Filters for rows whose old state contains the entered string.
Note: You can also filter for an old state by clicking it in the Policy/State column (left) on the History page.
- New State (Partial): Filters for rows whose new state contains the entered string.
Note: You can also filter for a new state by clicking it in the Policy/State column (right) on the History page.
- Any State (Partial): Filters for alarms and mitigations whose old or new state contains the entered string.
Filter by Type
A drop-down Show Alert Types menu includes the following checkboxes, which filter the History page by the type of event:
- Mitigations: Determines whether the History page will include mitigations that occurred in the specified time range.
- Alarms: Determines whether the History page will include alarms (alerts that entered ALARM state; see Alert States) that occurred in the specified time range.
- Matches: Determines whether the History page will include all matches (see Matches in History) that occurred in the specified time range.
- Silenced: Includes only matches generated by alert policies that were in silent mode (see General Policy Settings) at the time of the match.
- Debug: Internal use only.
Note: A match indicates that traffic met conditions defined in an alert policy threshold but does not necessarily indicate that an alarm was triggered.
Matches in History
Unlike the Active page, the History page can be filtered to show matches (conditions that meet alert threshold criteria; see Threshold Conditions) that didn’t cause an alert to enter alarm state. This allows you to graph a history of matches for an alert during a specified time range, even if that alert does not enter ALARM state because there were not enough matches during a defined time period (see Activate When Settings).
History List
The History List is a filterable table of up to 1000 rows in which each row represents one of the following events that has occurred during the specified time range:
- An alarm (see About Alerts and Policies) that was previously active, waiting for acknowledgement (generated by a threshold for which the Acknowledge Required setting is on; see General Threshold Settings), or cleared.
- A mitigation that was previously active, waiting for acknowledgement, or cleared (see Threshold Mitigations).
- A match that met the criteria defined in a threshold of an alert policy (see Threshold Conditions), including alerts in silent mode (see General Policy Settings).
History List Controls
The following controls are found above the History List and are associated with it:
- Filter field: Enter text to filter the History List. The Policy, Key/Dimension, Alarm, and Timestamp columns are checked for a match on the string entered in this field.
- Export CSV button: Exports the list to a CSV file. When you click the button, the CSV will be prepared and then a notification will appear that includes a link to the file.
History List Columns
The History List provides the following columns that display information and actions for the rows in the list:
- Policy: Indicates the following:
- Policy (all alert types): A line giving the name of the policy involved in the event.
- State (alarms and mitigations only): A second line giving the prior and current states of the alarm or mitigation, for example a change from ALARM to ACK_REQ (see Alert States).
- Key/Dimension: Includes the following:
- Silent mode button: The key can be placed in Silent Mode by clicking the speaker icon.
- Dimensions and values: The dimensions (see Dimensions Reference) of the key definition, and the corresponding values for the keys that caused the alert to match (see About Keys).
- Value: For alarms and matches (not mitigations), this cell contains the following:
- Value: A line giving the sum total value returned by the key as defined by the alert policy’s query. The top-X ranking of traffic is performed by evaluating the volume, as measured in the primary metric, of the traffic (across the selected devices and filtered by the specified filters) represented by the key.
- Baseline: A line giving the baseline value from which the alarm threshold has deviated. The baseline can be either static or calculated as defined by the alert policy.
Note: Hover over the baseline information to open a tool tip containing a baseline code (see Baseline Codes). - Mit ID/Alarm ID: The system-generated unique ID assigned to the alarm or mitigation when it was triggered. The IDs can be clicked to filter the History page for that ID.
Note: Match rows only include an alarm ID if the match was included in the count of matches that triggered an alarm. - Timestamp (UTC): The time of the event that triggered the alarm, mitigation, or match.
- Actions: See History List Actions.
Baseline Codes
The following table describes the explanation codes that appear for matches in the Baseline Used column of the History List:
Code | Comparison direction | Comparator found? | Description |
NO_USE_BASELINE | N.A. | N.A. | The match was triggered by a Static threshold (no baselining). |
CALCULATED_USED_FOR_BASELINE | Current to History | Yes | The match was triggered when the key’s traffic exceeded the baseline. |
TRIGGER_USED_NO_BASELINE | Current to History | No | The match was triggered when no baseline was found. |
DEFAULT_USED_FOR_BASELINE | Current to History | No | The match was triggered when no baseline was found and the key’s traffic exceeded the specified value. |
LOWEST_USED_FOR_BASELINE | Current to History | No | The match was triggered when no baseline was found and the key’s traffic exceeded the lowest historical top-x value. |
NOT_FOUND_EXISTS_NO_BASELINE | Current to History | N.A. | The match was triggered when the key was in the threshold’s current top-x but not in the historical top-x. |
ACT_CURRENT_MISSING_TRIGGER | History to Current | No | The match was triggered when the key was in the threshold’s historical top-x but not in the current top-x. |
ACT_CURRENT_USED_FOUND | History to Current | Yes | The match was triggered when the key’s historical traffic exceeded its current traffic. |
ACT_CURRENT_NOT_FOUND_EXISTS | History to Current | N.A. | The match was triggered when the key was in the threshold’s historical top-x but not in the current top-x. |
Note: The situations in which the above codes are used depend on the Condition Type and the Threshold Configuration Settings of the threshold that triggered the alarm.
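The table above can be read as a decision procedure: given the comparison direction, whether the key appears in the current and historical top-X, and how the threshold handles a missing baseline, exactly one code explains a match. The following is an added example, not Kentik's code; the code names and meanings are taken from the table, while the split into a "value" condition (compare the key's traffic to a baseline) and an "exists" condition (key present on one side only), the setting names TRIGGER, DEFAULT and LOWEST for the missing-baseline fallback, and the sample top-X figures are all assumptions made for the illustration.

```python
"""Derive the baseline code that explains a match (added example, not Kentik code).

Assumptions: condition is "value" or "exists"; missing_baseline is one of
"TRIGGER", "DEFAULT", "LOWEST". These names are hypothetical stand-ins for
the threshold's Condition Type and Threshold Configuration Settings.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Threshold:
    condition: str                        # "value" or "exists" (assumed names)
    direction: str                        # "current_to_history" or "history_to_current"
    static_value: Optional[float] = None  # set for a static threshold (no baselining)
    missing_baseline: str = "TRIGGER"     # "TRIGGER", "DEFAULT" or "LOWEST" (assumed names)
    default_value: float = 0.0            # comparator used when missing_baseline == "DEFAULT"


def baseline_code(thr: Threshold, key: str, current: Dict[str, float],
                  historical: Dict[str, float]) -> Tuple[Optional[str], bool]:
    """Return (code, fired) for one key; (None, False) if the key is not a candidate.

    `current` and `historical` map each top-X key to its primary-metric value.
    """
    cur = current.get(key)
    hist = historical.get(key)

    # Static threshold: the key's current traffic is compared to a fixed value.
    if thr.static_value is not None:
        if cur is None:
            return None, False
        return "NO_USE_BASELINE", cur > thr.static_value

    if thr.direction == "current_to_history":
        if cur is None:
            return None, False  # only keys in the current top-X are candidates
        if thr.condition == "exists":
            return ("NOT_FOUND_EXISTS_NO_BASELINE", True) if hist is None else (None, False)
        if hist is not None:
            return "CALCULATED_USED_FOR_BASELINE", cur > hist
        # No baseline for this key: the fallback setting decides the comparator.
        if thr.missing_baseline == "DEFAULT":
            return "DEFAULT_USED_FOR_BASELINE", cur > thr.default_value
        if thr.missing_baseline == "LOWEST":
            # Assumption: with an empty historical top-X the lowest value is taken as 0.
            lowest = min(historical.values()) if historical else 0.0
            return "LOWEST_USED_FOR_BASELINE", cur > lowest
        return "TRIGGER_USED_NO_BASELINE", True

    if thr.direction == "history_to_current":
        if hist is None:
            return None, False  # only keys in the historical top-X are candidates
        if thr.condition == "exists":
            return ("ACT_CURRENT_NOT_FOUND_EXISTS", True) if cur is None else (None, False)
        if cur is None:
            return "ACT_CURRENT_MISSING_TRIGGER", True
        return "ACT_CURRENT_USED_FOUND", hist > cur

    raise ValueError(f"unknown direction {thr.direction!r}")


def fired_matches(thr: Threshold, current: Dict[str, float],
                  historical: Dict[str, float]) -> Dict[str, str]:
    """Evaluate every key on either side and return {key: code} for those that fire."""
    fired = {}
    for key in set(current) | set(historical):
        code, did_fire = baseline_code(thr, key, current, historical)
        if did_fire:
            fired[key] = code
    return fired


# Constructed sample top-X tables (primary-metric values per key), not real data.
CURRENT_TOPX = {"10.0.0.1": 900.0, "10.0.0.2": 400.0, "10.0.0.3": 120.0}
HISTORICAL_TOPX = {"10.0.0.1": 500.0, "10.0.0.2": 450.0, "10.0.0.9": 300.0}

if __name__ == "__main__":
    thr = Threshold("value", "current_to_history", missing_baseline="DEFAULT", default_value=200.0)
    for k in sorted(set(CURRENT_TOPX) | set(HISTORICAL_TOPX)):
        print(k, baseline_code(thr, k, CURRENT_TOPX, HISTORICAL_TOPX))
```

Running the block with the DEFAULT fallback shows 10.0.0.1 firing with CALCULATED_USED_FOR_BASELINE (900 exceeds its 500 baseline), 10.0.0.2 evaluated but not firing, and 10.0.0.3 falling back to DEFAULT_USED_FOR_BASELINE because it has no historical entry; switching the direction to history_to_current makes 10.0.0.9 fire with ACT_CURRENT_MISSING_TRIGGER, since it dropped out of the current top-X.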
History List Actions
The actions that can be taken on an alarm or match in the History List are applied with the action icons shown at the right of each row. There are no actions available for mitigations in the History List.
The following actions are available for alarms and matches:
- Open in Explorer: Opens Data Explorer in a new browser window or tab, with the sidebar set to correspond to the values of the alarm’s key. For example, if the key’s dimension is Destination:IP (IP_dst) and the value of the key in the alarm is 60.54.101.8, then there will be a filter in the Data Explorer sidebar for inet_dst_addr ILIKE 60.54.101.8.
- Open in Dashboard: Opens, in a new browser window or tab, the dashboard associated with the policy of the alert that generated the alarm (see Policy Dashboard in General Policy Settings), with the dashboard set to correspond to the values of the alarm’s key. For example, if the key’s dimension is Destination:IP (IP_dst) and the value of the key in the alarm is 60.54.101.8, then there will be a filter in the dashboard for inet_dst_addr ILIKE 60.54.101.8.
- Debug: Displays the alarm in a Debug Graph Dialog.
- Positional Data: Opens the Positional Details dialog; see Positional Details Dialog.
Positional Details Dialog
The Positional Details dialog is accessed via the Positional Data button in the Actions at the right of each row of the History List. The dialog includes two tables, which provide the following information:
- Current Key List: A list showing the relative position of all keys currently in the top-X (including the featured key, which is the key that triggered the alarm corresponding to the dialog), allowing you to determine the impact of other keys on the position of the key you are looking at (e.g. is another key about to push the current key out of the top-X?).
- Baseline List: A list of the baseline values and relative position for the top-X keys of the policy at the time that the featured key triggered the alert to enter ALARM state.
Additional information is coming soon.
Alert States
The state of alarms and mitigations is covered in the following topics:
Alert State Display
The state of alarms and mitigations is displayed in the following locations:
- Active Alerts List: The current state of each active alert is shown in the State column.
- History List: The most recent change in state for each alert is shown in the second line of each cell of the Policy column.
In both lists the state is represented by a label rather than by the actual value of the backend constant for that state. The meanings of the state constants are covered in the topics below.
Note: In the History List, when you hover over a state label, a pop up will open that displays the actual constant value.
Alarm Row States
Alarm rows can appear in both the Active Alerts List and the History List. The following table lists the possible states represented by alarm rows, as well as the corresponding labels:
Label | State | Description |
Alarm | ALARM | Active alarm: an alarm that is currently in alarm state. |
ACK Required | ACK_REQ | An alarm that is no longer active but still requires user acknowledgement (manual clearing with Clear button) before being cleared (see General Threshold Settings). |
Cleared | CLEAR | An alarm that has been cleared. Note: Cleared alarms are removed from Active Alerts List but appear in History List. |
Notes:
- In the History List, which includes an entry for each time a given alarm or mitigation undergoes a change of state, the label is determined by the new state.
- The History List can also display matches (see About Matches), which have no state.
Mitigation Row States
Mitigation rows, which can appear in both the Active Alerts list and the History list, may represent either an automated mitigation or a manual mitigation, each of which has its own set of possible states.
Notes:
- In the History List, which includes an entry for each time a given alarm or mitigation undergoes a change of state, the label is determined by the new state.
- The History List can also display matches (see About Matches), which have no state.
- Cloudflare applies Magic Transit mitigation only when traffic volume exceeds protocol-dependent minimums (100K pps for TCP or UDP; 60K pps for ICMP or GRE). If the platform of a mitigation in the Active Alerts list or History list is Cloudflare MT and the traffic volume of the alert policy threshold that triggered the mitigation is below these minimums, then the mitigation state may be indicated as active even when Cloudflare isn’t actually mitigating.
Automatic Mitigation States
The following table lists the possible states, as well as the corresponding labels, for auto-triggered mitigations shown in the rows of the Active Alerts List and the History List:
Label | State | Description |
Start Wait | START_WAIT | Mitigation start is pending: Mitigation has been triggered but requires either expiration of the timer or user acknowledgement before starting (see Apply Mitigation in Threshold Mitigations). |
Starting | STARTING | Mitigation is being added or activated on the 3rd-party mitigation platform. |
Failed to start | STARTING_FAIL | Mitigation was attempted but could not be added or activated on the 3rd-party mitigation platform. |
Active | MITIGATING | The mitigation is active. |
End Grace | END_GRACE | The mitigation has ended but the grace period has not yet expired (see Grace period in Common Method Settings). |
End Wait | END_WAIT | Mitigation stop is pending: The conditions that triggered the mitigation no longer exist, but either expiration of the timer or user acknowledgement is required before stopping (see Clear Mitigation in Threshold Mitigations). |
Clearing | CLEARING | Disabling/removing a mitigation on a remote platform. This is an interim state whose destination state is ACK_REQ. |
Failed to clear | CLEARING_FAIL | Unable to disable/remove a mitigation on the remote platform. |
ACK Required | ACK_REQ | The mitigation is no longer active. If user acknowledgement is required (see Common Method Settings), the mitigation will wait in this state; if no acknowledgement is required, the mitigation will proceed to ARCHIVED state. |
Archived | ARCHIVED | The mitigation is no longer active and is not awaiting user acknowledgement. Note: Archived mitigations are removed from the Active Alerts List but appear in the History List. |
Manual Mitigation States
The following table lists the possible states, as well as the corresponding labels, for manually triggered mitigations shown in the rows of the Active Alerts List and the History List:
Label | State | Description |
Manual: Starting | MANUAL_STARTING | Mitigation is being added or activated on the 3rd-party mitigation platform. |
Manual: Failed to start | MANUAL_STARTING_FAIL | Mitigation was attempted but could not be added or activated on the 3rd-party mitigation platform. |
Manual: Active | MANUAL_MITIGATING | The mitigation is active. |
Manual: Clearing | MANUAL_CLEARING | Disabling/removing a mitigation on a remote platform. This is an interim state whose destination state is CLEAR. |
Manual: Failed to clear | MANUAL_CLEARING_FAIL | Unable to disable/remove a mitigation on the remote platform. |
Manual: Clear | MANUAL_CLEAR | The mitigation is no longer active and is not awaiting user acknowledgement. Note: Cleared mitigations are removed from the Active Alerts List but appear in the History List. |
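Because the History List records one row per state change, with the prior and current state in the Policy column, an exported history can be triaged offline: which mitigations are still active, which sit in a failed or ACK_REQ state that needs an operator, how long each one actually mitigated, and which Cloudflare MT mitigations were triggered below the platform's pps minimums and so may read Active without Cloudflare mitigating (see the note above). The following is an added example, not Kentik's code. The state constants, their groupings and the Cloudflare minimums come from the tables and note above; the event record layout (mit_id, platform, protocol, trigger_pps, prior, current, timestamp) and the sample rows are constructed stand-ins for whatever the CSV export actually contains.

```python
"""Triage mitigation state-change rows from a History List export (added example, not Kentik code).

Assumption: each event is a dict with mit_id, platform, protocol, trigger_pps,
prior, current and an ISO-8601 UTC timestamp. The real CSV layout may differ.
"""
from collections import defaultdict
from datetime import datetime

# State constants exactly as listed in the Automatic and Manual Mitigation States tables.
AUTOMATIC = {"START_WAIT", "STARTING", "STARTING_FAIL", "MITIGATING", "END_GRACE",
             "END_WAIT", "CLEARING", "CLEARING_FAIL", "ACK_REQ", "ARCHIVED"}
MANUAL = {"MANUAL_STARTING", "MANUAL_STARTING_FAIL", "MANUAL_MITIGATING",
          "MANUAL_CLEARING", "MANUAL_CLEARING_FAIL", "MANUAL_CLEAR"}

ACTIVE = {"MITIGATING", "MANUAL_MITIGATING"}
PENDING = {"START_WAIT", "STARTING", "END_GRACE", "END_WAIT", "CLEARING",
           "MANUAL_STARTING", "MANUAL_CLEARING"}
ATTENTION = {"STARTING_FAIL", "CLEARING_FAIL", "ACK_REQ",
             "MANUAL_STARTING_FAIL", "MANUAL_CLEARING_FAIL"}
TERMINAL = {"ARCHIVED", "MANUAL_CLEAR"}

# Cloudflare Magic Transit only mitigates above these packet rates (from the note above).
CLOUDFLARE_MT_MIN_PPS = {"tcp": 100_000, "udp": 100_000, "icmp": 60_000, "gre": 60_000}


def classify(state):
    """Map a state constant to a triage bucket."""
    if state in ACTIVE:
        return "active"
    if state in PENDING:
        return "pending"
    if state in ATTENTION:
        return "needs_attention"
    if state in TERMINAL:
        return "terminal"
    return "unknown"


def cloudflare_mt_below_minimum(platform, protocol, trigger_pps):
    """True when a Cloudflare MT mitigation was triggered below the platform's pps minimum."""
    if platform != "Cloudflare MT":
        return False
    minimum = CLOUDFLARE_MT_MIN_PPS.get(protocol.lower())
    return minimum is not None and trigger_pps < minimum


def summarize(events, as_of):
    """Group rows by mitigation ID; return final state, bucket, mitigating seconds and warnings."""
    by_id = defaultdict(list)
    for ev in events:
        by_id[ev["mit_id"]].append(ev)
    out = {}
    for mit_id, rows in by_id.items():
        rows.sort(key=lambda r: datetime.fromisoformat(r["timestamp"]))
        warnings = []
        seen = {r["prior"] for r in rows} | {r["current"] for r in rows}
        unknown = seen - AUTOMATIC - MANUAL
        if unknown:
            warnings.append(f"unknown state(s): {sorted(unknown)}")
        if seen & AUTOMATIC and seen & MANUAL:
            warnings.append("mixes automatic and manual mitigation states")
        # Sum the time spent in an active state; an open interval runs until `as_of`.
        mitigating, started = 0.0, None
        for r in rows:
            ts = datetime.fromisoformat(r["timestamp"])
            if r["current"] in ACTIVE and started is None:
                started = ts
            elif r["prior"] in ACTIVE and r["current"] not in ACTIVE and started is not None:
                mitigating += (ts - started).total_seconds()
                started = None
        if started is not None:
            mitigating += (datetime.fromisoformat(as_of) - started).total_seconds()
        last = rows[-1]
        category = classify(last["current"])
        if category == "active" and cloudflare_mt_below_minimum(
                last["platform"], last["protocol"], last["trigger_pps"]):
            warnings.append("Cloudflare MT: triggered below platform minimum pps; "
                            "state may read Active while Cloudflare is not mitigating")
        out[mit_id] = {"final_state": last["current"], "category": category,
                       "mitigating_seconds": mitigating, "warnings": warnings}
    return out


def _ev(mit_id, platform, protocol, pps, prior, current, ts):
    return {"mit_id": mit_id, "platform": platform, "protocol": protocol,
            "trigger_pps": pps, "prior": prior, "current": current, "timestamp": ts}


# Constructed sample rows, not a real export. "RTBH (hypothetical)" is a placeholder platform name.
SAMPLE_EVENTS = [
    _ev(101, "Cloudflare MT", "udp", 250_000, "START_WAIT", "STARTING", "2024-05-01T10:00:00+00:00"),
    _ev(101, "Cloudflare MT", "udp", 250_000, "STARTING", "MITIGATING", "2024-05-01T10:00:30+00:00"),
    _ev(101, "Cloudflare MT", "udp", 250_000, "MITIGATING", "END_GRACE", "2024-05-01T10:20:30+00:00"),
    _ev(101, "Cloudflare MT", "udp", 250_000, "END_GRACE", "CLEARING", "2024-05-01T10:25:30+00:00"),
    _ev(101, "Cloudflare MT", "udp", 250_000, "CLEARING", "ACK_REQ", "2024-05-01T10:26:00+00:00"),
    _ev(102, "Cloudflare MT", "icmp", 20_000, "STARTING", "MITIGATING", "2024-05-01T11:00:00+00:00"),
    _ev(103, "RTBH (hypothetical)", "udp", 0, "MANUAL_STARTING", "MANUAL_STARTING_FAIL", "2024-05-01T12:00:00+00:00"),
    _ev(104, "Cloudflare MT", "tcp", 500_000, "STARTING", "MITIGATING", "2024-05-01T13:00:00+00:00"),
    _ev(104, "Cloudflare MT", "tcp", 500_000, "MITIGATING", "MANUAL_CLEARING", "2024-05-01T13:05:00+00:00"),
]

if __name__ == "__main__":
    for mit_id, info in summarize(SAMPLE_EVENTS, "2024-05-01T14:00:00+00:00").items():
        print(mit_id, info)
```

With the sample rows, mitigation 101 ends in ACK_REQ (an operator must clear it) after 1200 seconds of mitigating, 102 is still Active but is flagged because 20K pps is below the 60K ICMP minimum, 103 failed to start and needs attention, and 104 is flagged for mixing automatic and manual states.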