Alerting

Alerting is covered in the following topics:

Notes:
- For a high-level introduction to Kentik's alerting system, see Policy Alerts Overview.
- For a complete list of the portal locations involved in the management and configuration of alerts and mitigations, see Alerting Pages.

The Alerting page lists recent alerts generated by alert policies.
 

Alerting Page

The Alerting page is covered in the following topics:

 

About the Alerting Page

The Alerting page lists current and historical alerts generated by Kentik's alerting system, including important information such as the time, severity, and state of alerts, as well as the dimensions and metric values involved in the conditions that triggered each alert. This page also provides access to the Policies Page, where you can manage and configure the policies that generate alerts and determine the system's response to alerts (e.g. notifications and mitigations).

 

Alerting Page UI

The Alerting page provides information about current or recent alerts in your organization. The page includes the following UI elements:

  • Favorite: A star to the left of the page title that allows you to add this page to the Favorites tab of the portal search (see Portal Search Tabs).
  • Manage Alert Policies: A button that takes you to the Policies Page.
  • Actions: A button that pops up the Page-wide Actions Menu.
  • Alerting breakdowns: A set of cards that each contain a bar chart showing the breakdown of alerts in a given category such as state, severity, type, and policy (see Alerting Breakdowns). The breakdowns cover the time range selected in the Filters tab (see Alerts List Filters). Hover over any bar in a graph to open a popup with additional information about its alerts.
  • Show/Hide Filters (filter icon): A button that toggles the Filters pane between expanded and collapsed.
  • Group By: A drop-down from which you can choose a property, e.g. alert state, ack state, severity, type, policy, or primary dimension. Alerts that share the same value for that property will be grouped in the table.
  • Search: A field that shows lozenges for the filters currently set in the Filters pane and also enables you to enter text. The Alerts list will be filtered to show only rows that contain the entered text. Click the X at the right of the field to clear entered text, and the X in a lozenge to clear the corresponding filter.
  • Filters Pane: A set of controls that enable you to filter the Alerts list (see Alerts List Filters).
  • Alert controls: A set of controls that appear at the top left of the Alerts list and are present only when one or more checkboxes are selected in the Alerts list, enabling you to apply an action to all selected alerts:
    - Action buttons: Buttons that apply the actions detailed in Alert Controls.
    - Selection indicator: Indicates how many alerts are currently selected.
  • Alerts list: A table listing your organization’s alerts (see Alerts List).
 

Page-wide Actions Menu

The page-wide Actions menu for the Alerting page pops up from the Actions button in the top right corner. This menu includes the following options:

  • Export: Prepares one of the following reports. A notification appears at the top of your screen when the report is ready to download.
    - Visual report (PDF): As described in Portal Export Options.
    - Data table (CSV): Opens the Export Alerting Data Dialog.
  • Subscribe: Opens the Subscribe dialog enabling you to create a subscription for your organization’s alerts. The form in the Subscription dialog is the same as on the Subscription tab of the Share dialog (covered in Subscription Tab UI), except for the Share, Selected View, and Lookback fields, which are not included.
  • Unsubscribe: Opens the Unsubscribe dialog. To unsubscribe from a subscription, open the Subscription drop-down, select the one you’d like to unsubscribe from, and click Unsubscribe.
    Note: This option only appears if you are currently subscribed to one or more alert subscriptions.
 

Export Alerting Data Dialog

The Export Alerting Data dialog appears when you select Export » Data Table from the Page-wide Actions Menu on the Alerting page. The Export Alerting Data dialog has the following UI elements:

  • Columns to Export: A drop-down selector from which to choose the columns to export to the .csv file (currently visible columns or all columns).
  • Data To Export: A drop-down selector from which to choose the rows to export to the .csv file (currently loaded rows or the first 200, 500, 1000, or 2000 rows).
  • Export: A button that closes the dialog and initiates the alerting data export.

A notification appears at the top of your screen when the report is ready to download.

 

Alerting Breakdowns

The Alerting breakdowns are cards across the top of the page that each display a bar chart representing a different breakdown of alerts over the currently selected Time Range (see Filter Categories). Each bar in the charts responds to two cursor actions:

  • Hovering on any bar opens a popup that states the kind and count of the alerts represented by that bar.
  • Clicking on any bar adds a corresponding filter lozenge to the Search field (see Alerting Page UI), causing the Alerts list to show only alerts matching the clicked state, severity, type, or policy.

Notes:
- A filter applied from the breakdowns will replace any existing breakdown-applied filter, but leave any filters applied from the Filters pane.
- Applying a filter from a breakdown bar may change the settings in the Filters pane. Those changes will not revert when the breakdown-applied filter is removed (the filter's lozenge is closed in the Search field).

Bar charts show the breakdown of different kinds of alerts in various categories.

A breakdown chart is provided for each of the following categories:

  • State: The bars in the chart each represent alerts with one of the following states:
    - Active: The conditions that resulted in an alert are ongoing (red indicator).
    - Cleared: The conditions that resulted in an alert are no longer present or the alert has been manually cleared (green indicator).
  • Severity: The bars in the chart each represent the alerts that were triggered by alert policy thresholds of a given severity level (see General Threshold Settings): Critical (dark purple), Severe (plum), Major (red), Warning (orange), or Minor (yellow).
  • Type: The bars in the chart each represent the different types of alerts: Protect, Cloud, Traffic, or NMS.
  • Policies: The bars in the chart each represent an individual policy that triggered during the selected time range, arranged in descending order from the left based on the number of times each policy triggered. The popup (on hover) gives the name, type, ID, and alert count for the policy.
 

Alerts List Filters

The Alerts List can be filtered with the controls in the Filters pane, which is covered in the following topics:

 

Alert Filters Pane

The Filters pane at the left of the Alerts list includes a set of filters that you can apply to narrow the listed alerts in accordance with the Filter Application Rules. This pane includes the following general controls:

  • Reset to default (appears only when you’ve specified one or more filters): A button that resets the Filters pane to its default settings.
  • Collapse: A button that collapses the Filters pane. To expand the pane, click the Show/Hide Filters button (see Alerting Page UI).

In addition to the above, the pane includes the following types of controls that apply/remove filters in various Filter Categories to narrow the alerts shown in the Alerts list:

  • Selection field: Click in the field to pop up a filterable list from which you can add filter criteria by clicking either on an individual item or on Select All, which appears at the right of the field and selects all items matching the entered text. Repeat to add more items. The selected criteria appear as individual lozenges in the field. To remove a criterion, click the X at the right of its lozenge.
  • Checkboxes: Check the box for one or more filter criteria that you'd like to apply in a given category. To remove, click the X at the right of its lozenge or uncheck the box in the Filters pane.
  • Text fields: Enter a string to filter the list to alerts that contain the string in one of their columns.

Note: All filters from a given category will be combined into a single lozenge in the Search field, where you can remove all of a category's filters at once by clicking the X in the lozenge.

 

Filter Categories

Filter criteria for the Alerting list fall into the following categories:

  • Time Range: A control set that filters the listed alerts to the specified time range (see Time Range Filter).
  • Type (checkboxes): Include alerts based on their type (NMS, Traffic, Cloud, or Protect; see Policy Types).
  • Alert State (checkboxes): Include alerts based on their current Alert State (Active or Cleared).
  • Ack State (checkboxes): Include alerts based on their Ack State (Ack Required, Acked, Not Acked, or Acked by Me).
  • Severity (checkboxes): Include alerts based on their severity (Critical, Severe, Major, Warning, or Minor). The severity is determined by the alert policy threshold that triggered the alert.
  • Alert ID (text field): Show only the alert matching a Kentik-assigned ID number.
    Note: A filter is not applied unless and until the field contains a full, exact match.
  • Sites (selection field): Include only alerts involving the selected sites.
  • Policies (selection field): Include only alerts from the selected policies.
  • Show Tenant Alerts: A switch that, when enabled:
    - Allows My Kentik Portal tenant alerts to be displayed in the Alerts list.
    - Displays the Tenants selection field.
    Note: To show tenant alerts in the Alerts list, click the Customize button to display the Customize Columns Popup and select Tenant.
  • Tenants (selection field; present only when Show Tenant Alerts is enabled): Include only alerts with the selected tenants.
  • Dimension Value (text field): Include alerts in which the value of a dimension in the key definition matches the entered text.
 

Filter Application Rules

Kentik applies the following rules to filter categories and criteria:

  • Criteria are ORed (match any) within categories and ANDed (match all) between categories.
  • An alert is displayed only if it matches at least one of the selected criteria in all of the categories with criteria selected.
  • When no criteria are selected for a category, alerts are not evaluated for matches in that category.
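The three rules above are easiest to see applied to concrete rows. The following Python is an added illustration, not Kentik's code: it evaluates a set of constructed alert records against Filters-pane selections, ORing criteria within a category, ANDing across categories, skipping any category with nothing selected, and treating the Alert ID text field as a filter only once it holds a full, exact match. The record field names and sample values are assumptions for the example.

```python
from typing import Dict, List, Optional, Set

# Constructed sample alerts; the field names are assumptions for this example.
ALERTS: List[dict] = [
    {"alert_id": 1001, "type": "Traffic", "alert_state": "Active",
     "ack_state": "Not Acked", "severity": "Major", "site": "site-a"},
    {"alert_id": 1002, "type": "Protect", "alert_state": "Active",
     "ack_state": "Ack Required", "severity": "Critical", "site": "site-b"},
    {"alert_id": 1003, "type": "NMS", "alert_state": "Cleared",
     "ack_state": "Acked", "severity": "Warning", "site": "site-a"},
    {"alert_id": 1004, "type": "Cloud", "alert_state": "Cleared",
     "ack_state": "Not Acked", "severity": "Minor", "site": "site-c"},
]


def alert_id_criteria(alerts: List[dict], text: str) -> Optional[Set[int]]:
    """Alert ID text field: the filter is applied only once the text is a full,
    exact match for an alert's ID; partial or empty text leaves the list unfiltered."""
    text = text.strip()
    if not text or not text.isdigit():
        return None
    wanted = int(text)
    return {wanted} if any(a["alert_id"] == wanted for a in alerts) else None


def matches(alert: dict, category_filters: Dict[str, Set]) -> bool:
    """One alert against all categories: ANDed between categories, ORed within
    (set membership is the OR over the category's selected criteria)."""
    for category, criteria in category_filters.items():
        if not criteria:
            continue  # no criteria selected: this category is not evaluated
        if alert.get(category) not in criteria:
            return False  # fails this category, so fails overall (AND)
    return True


def apply_filters(alerts: List[dict], category_filters: Dict[str, Set],
                  alert_id_text: str = "") -> List[int]:
    """Return the IDs of the alerts that survive the Filters-pane settings."""
    filters = dict(category_filters)
    ids = alert_id_criteria(alerts, alert_id_text)
    if ids is not None:
        filters["alert_id"] = ids
    return [a["alert_id"] for a in alerts if matches(a, filters)]


if __name__ == "__main__":
    # Type is ORed (Traffic or Protect), then ANDed with Alert State = Active.
    print(apply_filters(ALERTS, {"type": {"Traffic", "Protect"}, "alert_state": {"Active"}}))
    # Partial ID text does not filter; a full match narrows to one alert.
    print(apply_filters(ALERTS, {}, alert_id_text="100"))
    print(apply_filters(ALERTS, {}, alert_id_text="1004"))
```

Note the empty-category case: passing `{"severity": set()}` leaves every alert in place, which is the behaviour a user sees when a category's checkboxes are all unchecked.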
 

Time Range Filter

The Time Range control filters the alerts in the Alerts list to those that were active within a specified time range (UTC). Options include the last hour, last 8 hours, last 24 hours (default), last 7 days, last 14 days, last 30 days, last 90 days, or a custom time range (see Custom Time Range Settings). After selecting a time range, click Apply to apply the filter or Cancel to keep the previously selected time range.

Note: The values in the top (start time) and bottom (end time) fields can be changed before the time range is applied.

 

Alerts List

The Alerts list on the Alerting page is covered in the following topics:

Individual alerts are selected with the checkbox at the left of their row.
 

About the Alerts List

The Alerts list is a filterable table (see Alerts List Filters) providing information about alerts triggered by your organization's alert policies. Each row in the table represents an individual alert. Click on a row to open the Alert Details Drawer, which displays additional details about the alert.

 

Alerts List Columns

The columns displayed in the Alerts list are set with the Customize Columns Popup, which opens from the Customize button at the right of the table's heading row. The table can include the following columns (click on a column heading to sort the list, ascending or descending):

  • Select All (in heading row): A checkbox for toggling the selection state of all alerts in the list:
    - If no checkboxes in the list are checked, or only some are checked, clicking this checkbox selects all listed alerts.
    - If all checkboxes in the list are checked, clicking this checkbox deselects all alerts.
  • Select (in alert rows): A checkbox for selecting an individual alert. When you click the box for one or more alerts, the Alert Controls appear at the top left of the Alerts list.
  • Alert State: The current state of the alert (see Alert State).
  • Severity: The severity level (Critical, Severe, Major, Warning, or Minor) of the alert policy threshold that triggered the alert.
  • Type: The type of alert policy: Protect, Traffic, Cloud, or NMS (see Policy Types).
  • Policy: The policy name as defined in the alert policy.
  • Policy ID: The system-generated unique ID for the policy.
  • Tenant: If your system includes tenants (see Tenants in Tenants and Packages) and you’ve enabled Show Tenant Alerts in the Alerts List Filters, your Alerts list will include your tenants’ alerts and this column shows the tenant for each.
  • Dimensions: The dimensions (see Dimensions Reference) of the key definition, and their values for the keys that caused the alert to enter alarm state (see About Keys). For example, if the key definition is Dest IP, Device (two dimensions) and the key itself (a unique combination of values for the two key dimensions) is 1.10.1.174:s414_ida9_nektie_com then the Dimensions column would show this:
    Dest IP:1.10.1.174
    Device:s414_ida9_nektie_com
    Note: If a dimension value is rendered in blue, you can click it to go to its Details page in Core (see Core Details Pages).
  • Metric: The volume of traffic matching the key (see About Keys). The top-X ranking of traffic is performed by evaluating the volume of this matching traffic as measured in the primary metric (see Data Funneling).
  • Mitigation ID: The system-generated unique ID for the mitigation. Click the link to view the Mitigations page filtered for this ID (in a new tab).
  • Alert ID: The system-generated unique ID assigned to the alert when it was triggered. Click the ID to display the alert and its data on the Alert Details Page (opens in new tab).
  • Time: The time (UTC) of the following:
    - The start time of the event that triggered the alarm state.
    - The time that the alert was cleared (if applicable).
    - The duration of the event.
  • Silence State: Indicates whether the alert’s notifications are currently paused ("Silenced" plus the expiration date of the pause) or not ("Not Silenced").
  • Ack State: The state of the alert’s acknowledgement (Ack Required, etc.). See Ack State.
    Note: If the state is "Acked," the column also displays the time/date the alert was acknowledged and by which user.
  • Action menu: A vertical ellipsis at the right of each alert's row, which pops up a menu from which you can apply an action to that alert (see Alert-specific Actions).

Note: Alert policies don't generate alerts when in an error state. If you aren’t seeing alerts when you think you should, check the Policy Status on the Alert Policies page (see General Policy Settings).

Alert Controls

The following controls appear above the Alerts list when one or more alerts is selected (individually or with Select All):

  • Acknowledge Alert: A button that allows you to acknowledge that you’ve seen the alert (see Acknowledging Alerts).
  • Clear Alert: A button that allows you to manually change the Alert State from Active to Cleared. You can do this regardless of the alert’s Ack State and regardless of whether the conditions that triggered the alarm are still present.

Note: Either button may be greyed out if the selected alerts have already been acknowledged and/or cleared.

 

Customize Columns Popup

The Customize Columns popup enables you to choose up to 11 columns to include in the Alerts list. To open the popup, click the Customize button at the top right of the list.

The popup includes the following UI elements:

  • Choose columns: Each checkbox to the left of a column name determines if that column is displayed (checked) or hidden (unchecked) in the Alerts List.
  • Order columns: Handles to the left of the checkboxes allow you to click and drag the columns into the desired order.

Once you’ve chosen the columns to include, click outside the popup to close it and update the table columns.

 

Alert-specific Actions

Actions can be applied to an individual alert from the following locations:

While available actions vary depending on the current state of the alert or your location in the portal, the following actions may be available for a given alert:

  • View Details: Opens the Alert Details Page for that alert in a new tab.
  • Ack Alert: Opens the Acknowledge Alert Dialog which allows you to acknowledge that you have seen the alert.
  • Remove Ack: Change the ack state back to Not Acked or Ack Required (as determined by the alert’s policy).
  • Clear Alert (Take Action section only): Allows you to manually change the Alert State from Active to Cleared. You can do this regardless of the alert’s Ack State and regardless of whether the conditions that triggered the alarm are still present.
  • Silence Notifications: Pause the alert’s notifications for seven days.
  • Unsilence Notifications: Lift the pause on alert notifications.
  • Suppress Alert: Clear this alert and prevent the policy from alerting on the same key for seven days (see About Alert Suppressions).
  • Add Comment (Action menu only): Add a comment to the alert (see Alert Comments).
    Note: A Comments field appears above the Take Action section in all other areas.
  • Open Dashboard: Go to the dashboard specified with the Policy Dashboard setting (see General Policy Settings).
  • Edit Policy (Take Action section only): Go to the Edit Policy page for the alert policy (see Policy Settings Pages).
  • Debug Alert: Open the Alert Debug Dialog for this alert.
 

Alert State

The two possible states for alerts in the Kentik system are:

  • Active: The conditions that triggered the alert are still present; displays as a red lozenge.
  • Cleared: An alert that has been cleared manually or the conditions that triggered the alert are no longer present; displays as a green lozenge.

Note: You can narrow the Alerts list based on state using the Alert State filters (see Alerts List Filters).

 

Ack State

Any alert in the system can be acknowledged ("acked") by users with access to either the Alerting page or the DDoS Defense page (for Protect alerts). The following ack states are available for an alert:

  • Ack Required: This alert requires acknowledgement and has not yet been acknowledged.
  • Acked: This alert has been acknowledged.
  • Not Acked: This alert has not been acknowledged.
  • Acked by Me (Filters pane only): Provides a way to filter the Alerts list for alerts you’ve acknowledged.

An alert’s ack state is available in the following places in the portal:

  • Ack State column of the:
    - Alerts list (Alerting page)
    - Attacks Active Within the Last 24 Hours table (DDoS Defense page)
  • Alert Overview section of the:
    - Alert Details Drawer on the Alerting page.
    - Alert Details Page Sidebar on the details page for an individual alert.
 

Alert Comments

You can communicate information about an alert to other users by adding a comment when you acknowledge the alert in the Acknowledge Alert Dialog. Alert comment(s) are shown in the following areas of the portal:

  • In the Alert Details Drawer and the Alert Details Page Sidebar, comments may appear in either of the following places:
    - Ack statement: The comment will appear directly under the traffic chart, along with the full user name of the person who acked the alert.
    - Comments pane: Comments are displayed as cards in chronological order in the Comments Pane. You can add another comment in the Comment field below any existing comments.
  • For auto-acknowledged alerts, in addition to the above, comments are shown in the Comments column of the Auto-ack List on the Auto-acknowledgements page.

Note: For step-by-step procedures, see Add an Alert Comment, Edit an Alert Comment, and Remove an Alert Comment.

 

Acknowledge Alert Dialog

The Acknowledge Alert dialog is covered in the following topics:

 

Ack Alert Access

The Acknowledge Alert dialog may be accessed from a variety of portal locations:

 

Ack Alert Dialog UI

The Acknowledge Alert dialog has the following UI elements:

  • Cancel: A button (the X at top right or Cancel at the bottom) that closes the dialog without acknowledging the alert. All elements are restored to the values they had when the dialog was opened.
  • Acknowledgement info: A statement identifying you, by your full user name, as the person who acknowledged the alert (see Acknowledging Alerts).
  • Comment: A field in which to input a comment for the alert (see Alert Comments).
  • Acknowledge additional occurrences (auto-ack): A checkbox that enables auto-acknowledgement for this alert. When checked, the Duration control set is shown.
  • Silence notifications for this alert: A checkbox that enables you to silence notifications for this alert for the duration specified (see Silence Alert Notifications). When checked, the Duration control set is shown.
    Note: This option is not active when the alert has already been silenced.
  • Duration: A control set used to specify a duration for auto-acknowledgement and/or for silencing notifications. The method of specifying the duration is chosen by radio button:
    - For: Specify a duration forward from the present using a field to enter an integer and a drop-down to choose units (hours or days). If the units are hours, the integer must be between 1 and 24. If the units are days, the integer must be at least 1, and at most 7 for Member-level users or 365 for Admin-level users.
    - Until: Specify the date-time at which the duration will expire by clicking the field, which pops up a calendar. The date-time must be at least 1 hour from the present, and not more than seven days ahead for Member-level users or 365 days ahead for Admin-level users.
  • Confirm: Acknowledges the alert, saves any changes (comments, auto-acks, or silenced notifications) and exits the dialog.

Note: You cannot set separate time durations for the auto-ack and silence features. The time selected using the Duration controls applies to both.
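The Duration rules above (1 to 24 hours; 1 to 7 days for Member-level users or up to 365 for Admin-level users; an Until date-time at least 1 hour ahead and within the same per-role ceiling; one duration shared by auto-ack and silencing) are exactly the kind of bounds a practitioner ends up re-implementing when validating input before it reaches a backend. The following Python is an added illustration, not Kentik's code: the role names and limits come from the text above, while the function names, the fixed "present" timestamp and the returned structure are assumptions.

```python
from datetime import datetime, timedelta, timezone

MAX_DAYS = {"Member": 7, "Admin": 365}   # per-role ceiling stated for the dialog
MIN_AHEAD = timedelta(hours=1)           # "Until" must be at least 1 hour ahead
# Fixed "present" so the example is deterministic (assumption for the example).
EXAMPLE_NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)


def duration_for(amount, units, user_level):
    """'For' option: an integer amount plus units; returns the validated timedelta."""
    if user_level not in MAX_DAYS:
        raise ValueError(f"unknown user level: {user_level!r}")
    if isinstance(amount, bool) or not isinstance(amount, int) or amount < 1:
        raise ValueError("amount must be an integer of at least 1")
    if units == "hours":
        if amount > 24:
            raise ValueError("hours must be between 1 and 24")
        return timedelta(hours=amount)
    if units == "days":
        if amount > MAX_DAYS[user_level]:
            raise ValueError(f"{user_level} users may set at most {MAX_DAYS[user_level]} days")
        return timedelta(days=amount)
    raise ValueError("units must be 'hours' or 'days'")


def duration_until(expires_at, user_level, now=EXAMPLE_NOW):
    """'Until' option: an absolute date-time; returns the remaining timedelta."""
    if user_level not in MAX_DAYS:
        raise ValueError(f"unknown user level: {user_level!r}")
    remaining = expires_at - now
    if remaining < MIN_AHEAD:
        raise ValueError("expiry must be at least 1 hour from the present")
    if remaining > timedelta(days=MAX_DAYS[user_level]):
        raise ValueError(f"{user_level} users may set at most {MAX_DAYS[user_level]} days ahead")
    return remaining


def is_valid_for(amount, units, user_level):
    """True if the 'For' inputs pass validation."""
    try:
        duration_for(amount, units, user_level)
        return True
    except ValueError:
        return False


def is_valid_until(hours_ahead, user_level, now=EXAMPLE_NOW):
    """True if an 'Until' expiry hours_ahead from now passes validation."""
    try:
        duration_until(now + timedelta(hours=hours_ahead), user_level, now)
        return True
    except ValueError:
        return False


def dialog_expiry(duration, auto_ack, silence, now=EXAMPLE_NOW):
    """The single Duration value applies to both features; each gets the expiry
    only if its checkbox was ticked (None otherwise)."""
    expiry = (now + duration).isoformat()
    return {"auto_ack_until": expiry if auto_ack else None,
            "silence_until": expiry if silence else None}


if __name__ == "__main__":
    print(is_valid_for(8, "days", "Member"), is_valid_for(8, "days", "Admin"))
    print(dialog_expiry(duration_for(2, "days", "Member"), auto_ack=True, silence=True))
```

The `isinstance(amount, bool)` guard matters because Python treats `True` as the integer 1; without it a boolean slips through an "integer of at least 1" check.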

 

Acknowledging Alerts

Acknowledging an alert indicates to other users that you are aware of the alert. When you acknowledge (ack) an alert, your Full Name (as provided in the General Settings of your User Profile) will appear along with the ack state (Acked) in the following locations of the portal:

A user can acknowledge an alert of any type (Protect, Cloud, Traffic, or NMS), regardless of whether Acknowledgement Required is enabled in the policy threshold that triggered the alert. Each alert can be acknowledged by one user at a time, but if that acknowledgement is removed (see Remove an Alert Ack) a different user can then acknowledge the same alert. For more information about how to acknowledge an alert, see Acknowledge an Alert.
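The ack rules in this section and in Ack State (any alert type can be acked regardless of the policy's Acknowledgement Required setting; one acknowledging user at a time; Remove Ack returns the alert to Not Acked or Ack Required as the policy determines; an ack comment is recorded against the acknowledging user's full name) form a small state machine. The following Python is an added illustration of those rules, not Kentik's code. The `Alert` and `AckRecord` classes, their method names and the sample users are assumptions, as is the choice to reject a second ack while one is in place rather than overwrite it.

```python
from dataclasses import dataclass, field
from typing import List, Optional

ACK_REQUIRED = "Ack Required"
ACKED = "Acked"
NOT_ACKED = "Not Acked"


@dataclass
class AckRecord:
    user_full_name: str      # Full Name from the user's General Settings
    acked_at: str            # ISO 8601 timestamp (UTC) for the example
    comment: Optional[str] = None


@dataclass
class Alert:
    alert_id: int
    alert_type: str                  # Protect, Cloud, Traffic or NMS
    ack_required_by_policy: bool     # Acknowledgement Required on the triggering threshold
    ack: Optional[AckRecord] = None
    comments: List[str] = field(default_factory=list)

    @property
    def ack_state(self) -> str:
        """Derived state: Acked while an ack is in place, otherwise whatever the
        policy's requirement dictates."""
        if self.ack is not None:
            return ACKED
        return ACK_REQUIRED if self.ack_required_by_policy else NOT_ACKED

    def can_acknowledge(self) -> bool:
        """Only one user may hold the acknowledgement at a time."""
        return self.ack is None

    def acknowledge(self, user_full_name: str, acked_at: str,
                    comment: Optional[str] = None) -> str:
        """Any alert type may be acked regardless of the policy requirement.
        Assumption: a second ack while one exists is rejected, not overwritten."""
        if not self.can_acknowledge():
            raise ValueError(
                f"alert {self.alert_id} is already acked by {self.ack.user_full_name}")
        self.ack = AckRecord(user_full_name, acked_at, comment)
        if comment:
            # Shown under the ack statement and as a card in the Comments pane.
            self.comments.append(comment)
        return self.ack_state

    def remove_ack(self) -> str:
        """Remove Ack: back to Not Acked or Ack Required, as the policy determines;
        a different user may then acknowledge the alert."""
        self.ack = None
        return self.ack_state


if __name__ == "__main__":
    a = Alert(1001, "Traffic", ack_required_by_policy=True)
    print(a.ack_state)                                              # Ack Required
    print(a.acknowledge("Alice Example", "2024-01-01T12:00:00Z", "Investigating"))
    print(a.remove_ack())                                           # Ack Required
    print(a.acknowledge("Bob Example", "2024-01-01T13:00:00Z"))     # Acked
```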

 

Auto-acknowledgement

Auto-acknowledgement enables you to set a duration for which all instances of a given alert (triggered by a given policy threshold and based on the same key) will be acknowledged automatically. The minimum duration is one hour; the maximum is seven days for member-level users or one year for admin-level users. The duration is set in the Acknowledge Alert dialog when you Auto-acknowledge an Alert, and can be managed on the Auto-acknowledgements page.

 

Silence Notifications

If you no longer need notifications for a given alert you can silence them for seven days by clicking Silence Notifications in one of the following locations:

You can also silence an alert’s notifications for a custom duration when you acknowledge the alert (see Custom Silence Alert).

 

Alert Debug Dialog

The Alert Debug dialog is covered in the following topics:

 

About the Debug Dialog

The Alert Debug dialog provides context that helps you better understand why an alert was triggered by a threshold (see About Alert Thresholds) in a given alert policy. The debug feature, which is available for all user levels, alert types, and alert states, is accessed via the Debug Alert button (see Alert-specific Actions).

 

Debug Dialog UI

The Debug Alert dialog includes the following UI elements:

  • Title bar: Displayed as “Debug [policy type] Alert,” where policy type is Protect, Traffic, Cloud, or NMS.
  • Close: An X in the upper right corner that closes the dialog.
  • Policy: The name of the policy that triggered the alert (top left).
  • Alert ID: The unique, system-generated ID for the alert (top right).
  • Alert triggers: The dimension(s) that triggered the alert (also found in the Triggering Threshold section of the Alert Details Drawer).
  • Lookback: A drop-down that adjusts the time range, back from the present, covered by the chart. Options range from 30 minutes to 15 days. The currently selected time range is displayed in the control.
    Note: If the alert was triggered before the start of the selected time range, the start of the range will be adjusted to include the start of the alert.
  • Graph: A dot chart covering the selected Lookback range, with plots as listed in Debug Graph.
Dots representing alert-related events are plotted against the Lookback time range.
 

Debug Graph

The Debug graph is a dot plot for various types of data about the alert. Hover over an individual dot to open a popup with a timestamp and additional information, and also to dim all dots of a different type (e.g. baseline dots will dim when hovering over a match).

The chart includes the following elements:

  • Time: The horizontal axis shows the time range set with the Lookback control (see Debug Dialog UI).
  • Values: The measurement and units of the vertical axis are determined by the dimensions and metrics chosen in the policy.
  • Triggering event: The point in time at which the alert was triggered, shown as a vertical red line.
  • Matches: Purple dots that each represent a match between the evaluated traffic and the conditions defined in any of the policy’s thresholds (see About Matches).
  • Baseline: Brown dots that represent baseline values if baselining is on for this policy (see Policy Baseline Settings).
  • Baseline Fallback: Green dots that represent fallback baseline values if baselining is on for this policy, but no baseline exists (see Threshold Configuration).
  • Static Threshold: A horizontal red dashed line that represents the policy’s static threshold (see Threshold Conditions).
  • Policy Min Traffic: A horizontal purple line that represents the minimum traffic threshold (see Building Your Dataset). Keys whose traffic is below this amount won't be plotted in the chart.
  • Legend: A set of dot and label combinations showing the colors used for the different types of data plotted on the chart. The legend can be used to control how the various data types are displayed in the chart:
    - Solo: Hover over a combination to dim all other data types.
    - Dim: Click a combination to dim plots of that type.
 

Alert Details Drawer

The Details drawer for a given alert slides out from the right of the Alerting page when you click anywhere in the Alerts List row for that alert. The drawer is covered in the following topics:

 

Alert Details Drawer UI

The information shown in the drawer varies depending on the type of alert and its available information:

  • Policy: The name of the alert policy by which the alert was triggered (see Alert Policies).
  • View in Metrics Explorer (NMS alerts only): A link at the top of the drawer that takes you to Metrics Explorer, where the settings of the Query sidebar will correspond to the values set in the alert’s policy.
  • Lookback (NMS alerts only): A drop-down at the top of the drawer that sets the time range of the visualization. The options include Alert +/- 1 hour (default), Alert +/- 24 hours, Last hour, Last day, Last 7 days, Last 14 days, and Last 30 days.
    Note: For the Alert +/- display options, the graph will display from 1 or 24 hours before the alert was triggered until the current time.
  • Visualization: If data is available, most alerts feature a visualization, appropriate to the alert type, near the top of the alert details drawer:
    - Threshold alerts: A representation of the traffic that triggered the alert providing context (baseline and thresholds) around why the alert triggered.
    - NMS Up/Down alerts: An Up/Down Visualization.
  • Ack statement: If the alert is acknowledged, displays who acked the alert and at what time. If a comment was added in the Acknowledge Alert Dialog when the alert was acked, that comment will display here in addition to in the Comments Pane.
  • Alert Overview: Displays key information about the alert as described in Alert Overview.
  • Target (not present for NMS alerts): The contents of the Dimensions and Metric columns in this alert's row of the Alerts list (plus any secondary metrics), showing the key dimension (target) whose values matched the threshold conditions, as well as the values themselves.
  • Triggering Event: The alert policy conditions that were matched to trigger the alert (see Triggering Event).
  • Triggered Threshold: A summary of the policy’s Triggered Threshold including the threshold’s dimensions, primary and secondary metrics, conditions, and when it is set to activate and clear.
  • Mitigation Details: Information about the mitigation(s) automatically triggered by this alert (if any are defined by the alert policy) including the mitigation’s ID, the date and time when it started, its platform, and its method.
  • Comments: Provides a field to add a comment and displays any Alert Comments already added (see Comments Pane).
  • Take Action: A set of buttons for additional steps that you can take related to the alert (see Alert-specific Actions).
  • Warning: If the policy has been changed since the alert started, you’ll see a warning in the sidebar in the section(s) that may be affected.
 

Alert Overview

The Alert Overview section of the Details drawer provides the following information:

  • ID: The system-generated unique ID for the alert. Click the link to view the Alert Details Page in a new tab.
  • Severity: The alert’s severity level (Critical, Severe, Major, Warning, or Minor). Severity is determined by the alert policy threshold that triggered the alert.
  • Alert State: The state of the alert (Active or Cleared). See Alert State.
  • Ack State: The acknowledgement (ack) state of the alert (Ack Required, Acked, or Not Acked). See Ack State.
  • Start Time: The start of the period evaluated for the alert.
  • Event End Time: The end of the period evaluated for the alert (minus the counter reset time set on the policy’s Thresholds tab for threshold alerts).
  • Clear Time: The end of the period evaluated for the alert or "Currently Active" if the alert is ongoing.
 

Triggering Event

The information contained within the Triggering Event section of an alert depends on the type of alert shown.

NMS Triggering Event

An NMS alert’s Triggering Event section provides the following information:

Threshold Triggering Event

The Triggering Event section for a threshold alert displays the triggered policy’s Threshold Conditions and the value of the traffic that triggered the alarm (displayed as a table).

 

Triggered Threshold

The Triggered Threshold section of the Details drawer provides the following information (when applicable) about the threshold of the policy that triggered the alert:

  • Dimensions: The dimensions used to evaluate traffic for the threshold (see Data Funneling).
  • Primary and Secondary Metrics: The metrics used to evaluate traffic for the threshold (see Data Funneling).
  • Conditions: The conditions that must be met for the threshold to match (see Threshold Conditions).
  • Activates: The number of times the threshold conditions must match within the specified amount of time (see Threshold Frequency).
  • Clears: The amount of time after which the counter will reset if the conditions haven’t been met (see Threshold Frequency).

Note: The Activates and Clears data is not available for NMS Up/Down policies.

 

Mitigation Details

The Mitigation Details section provides the following information (when applicable) about the mitigation triggered by the policy’s threshold (see Mitigation Overview):

  • ID: The system-generated unique ID for the mitigation. Click the link to view the Mitigations List filtered for this ID (in the same tab).
  • Started: The date and time the mitigation was initiated.
  • Platform: The platform on which the mitigation was run (see Platforms and Methods).
  • Method: The individual configuration that ran on the mitigation platform (see Platforms and Methods).
 

Comments Pane

The Comments pane is present in the Alert Details Drawer and on the Alert Details Page Sidebar. This section, which allows you to add and manage comments for an individual alert, includes the following UI elements:

  • Comment count: Displayed to the right of the heading, the number of comments present in the pane appears in parentheses.
  • Comment card: Every comment added to the alert displays as its own card. Each card contains the following elements:
    - Ack statement: If the comment was added using the Acknowledge Alert Dialog when the alert was acked, the top of the Comment card displays the user who acked it and when.
    - Edit (present only for the original commenter): A button that allows an existing comment to be modified. Click Save to update the comment or Cancel to revert the comment to what it was before you clicked Edit.
    - Remove (present only for the original commenter): A button that opens a confirmation dialog enabling you to remove the selected comment from the alert.
    - Comment: The comment as it was entered by the user.
  • Add Comment: A field where you can add a comment to the alert (see Add an Alert Comment).
 

Take Action Pane

The Take Action pane of the Details sidebar contains the set of buttons described in Alert-specific Actions.

 

Alert Details Page

The details pages for individual threshold alerts are covered in the following topics:

Note: The Details page for NMS alerts is slightly different; see NMS Alert Details Page.

The Details page for a non-protect alert.

 

Alert Details Page Access

The Details page for an individual threshold alert can be reached from the following locations:

  • From the alert’s row of the Alerts List, either:
    - Click the alert’s ID in the Alert ID column, or
    - Click the vertical ellipsis at the right and choose View Alert Details from the Action popup.
  • From an Alert Details Drawer (opened from the Attack Table on the DDoS Defense page or the Alerts List on the Alerting page), either:
    - Click the ID (under Alert Overview), or
    - Click the View Details button under Take Action (at the bottom of the drawer).
  • From the alert’s row in the Attacks Active Within the Last 24 Hours table on the DDoS Defense page (only if alert type is Protect):
    - Click the alert’s ID in the Alert ID column, or
    - Click the vertical ellipsis at the right and choose View Details from the Action popup.

Note: Depending on your browser settings, Details pages may open in a new tab or window.

 

Alert Details Subnav

The subnav of an alert’s Details page includes the following elements:

  • Breadcrumbs: An indicator of your current location within the Kentik portal. Click Alerting to go back to the Alerting page.
  • Share: A button that opens the Share dialog (see Sharing via the Share Dialog).
  • Actions: A drop-down from which you can choose Export to download a visual report (PDF) covering the page’s visualizations and tables. A notification appears when the PDF is ready to download.
 

Alert Details Main Display

The main display area of the Details page for an alert from a threshold policy is divided into a set of panes, detailed below, that provide actionable details about the individual alert.

Title Pane

The top-most pane of the page contains the following information:

  • Alert name: The name of this alert, as defined in its policy.
  • Description: A brief summary (if provided in the alert policy) of the situation this alert policy is intended to address.

Threshold Statistics Pane

Depending on the alert type and the dimensions in the key definition, this pane shows some or all of the following elements:

  • Alert State: The state of the alert (Cleared or Active) and how long ago that state was reached.
  • Dimensions: The names and values of the key dimension(s) — for example, a device and a destination IP address — whose value triggered the alert.
  • Statistics: Statistics that illustrate the situation that generated the alert. Depending on the configuration of the alert policy, these may include information such as baseline flows/s (if the policy uses baselining), actual flows/s, and actual Kpackets/s.
    Note: Each statistic included as described above is accompanied by a comparison of the actual value to the triggering value defined in the alert policy. For example, if a condition in the policy threshold is "flows/s value is greater than 200% of baseline", then the flows/s statistic states not only the actual flows/s but also the percent by which the actual flows/s exceed the baseline flows/s.

Threshold Data Pane

The Data pane shows charts and tables related to the condition that caused the alert. The structure of the Data pane depends on the type of alert:

  • Cloud and traffic alerts: The pane includes a time series chart illustrating the traffic (shown in metrics selected in the policy) that caused the alert.
  • Protect alerts: The pane includes six tabs, each displaying charts and tables showing a different aspect of the traffic covered by the alert (see Protect Data Tabs).

For all types of alerts, the following elements are present:

  • View in Data Explorer: A link below each chart that takes you to Data Explorer, where the Query sidebar will be set to correspond to the values of the alert’s key.
  • Why Was This Triggered: A description of the conditions defined in the policy threshold and the actual values for each of those conditions.
    Note: For Protect alerts this appears on the Insights tab.
  • History: A table, present only when alerts with matching dimensions have been triggered recently by the same policy or are currently active, that details those alerts. Click the link in the ID column to go directly to that alert’s Details page or click Ack Alert to open the Acknowledge Alert Dialog.

Protect Data Tabs

The Data pane on the Details page of an alert whose type is Protect (DDoS) will be structured as a set of tabs that each show a different visualization.

The following tabs are included in the Data pane for a Protect alert:

  • Alert: A time series chart showing the volume of the traffic that triggered the alert based on the volume metrics defined in the policy. Below the chart are two sections that detail why the alert was triggered (which specific conditions were met) and any state changes to the alert.
  • Ingress Interfaces: A time series chart showing traffic volume (in bits/s) on the interfaces where Kentik detected the attack, and a table giving additional detail including the device and site in which the interfaces are located.
  • Traffic Patterns: A time series chart and a table that help characterize the conversations driving the traffic volumes that caused the alert, including how many sources are involved, which services are involved, and whether the traffic is bidirectional (a conversation) or unidirectional.
  • Source Countries: A time series chart showing the unique source IPs of attack traffic, and a table ranking the countries from which traffic from those IPs originated.
  • Source Services: A time series chart showing the services that originated the traffic that caused the alert, and a table ranking those services.
  • Packet Size Distribution: A bar chart showing the packets of various sizes in the traffic that triggered the alert, and a table ranking the sizes by volume of traffic.

Note: The time range for the above charts begins 30 minutes before the alert's start time and ends with the current time (if the alert is still active) or its end time.

 

Alert Details Page Sidebar

The right-side sidebar of an alert’s Details page provides additional details about the alert.

  • Ack statement (only if the alert has been acknowledged): Displays who acked the alert and at what time. If a comment was added in the Acknowledge Alert Dialog when the alert was acked, that comment will display both here and in the Comments Pane.
  • Alert Overview: A set of fields providing key information about the alert (see Details Page Alert Overview).
  • Mitigation Details: Information about the mitigation automatically triggered by this alert, if any is defined by the alert policy (see Mitigation Details).
  • Policy: Provides information about the alert policy:
    - Edit Policy: A link that takes you to the Edit Policy page for the alert (see Policy Settings Pages).
    - Name: The name of the policy that triggered the alert (see Alert Policies).
    - Last Edited: How long ago the policy was edited.
    - Alerts for Policy: The number of alerts generated from this policy during the last seven days.
  • Comments: A field to add a comment and a list of any existing Alert Comments for this alert (see Comments Pane).
  • Take Action: A set of buttons for additional steps that you can take related to the alert (see Alert-specific Actions).
  • Warning: If the policy has been changed since the alert started, you’ll see a warning in the sidebar in the section(s) that may be affected.

Notes:
- The details in the sidebar may vary between Protect alerts and non-Protect alerts.
- For the Details sidebar for NMS alerts, see NMS Alert Details Sidebar.

Details Page Alert Overview

The Alert Overview section of the Details page sidebar provides the following information and functionality:

  • Copy Alert ID: Copies the alert’s unique ID to your system clipboard.
  • ID: The system-generated ID for the alert.
  • Severity: The alert’s severity level (Critical, Severe, Major, Warning, or Minor). Severity is determined by the alert policy threshold that triggered the alert.
  • Alert State: The state of the alert: Active (red) or Cleared (green). See Alert State.
  • Ack State: The acknowledgement (ack) state of the alert (Ack Required, Acked, or Not Acked). See Ack State.
  • Start Time: The start of the period evaluated for the alert.
  • Event End Time: The end of the period evaluated for the alert, minus the counter reset time set on the policy’s Thresholds tab (only present when the alert is cleared).
  • Clear Time: The end of the period evaluated for the alert (displays Currently Active if the alert is ongoing).
 

NMS Alert Details Page

The Details page for an NMS alert is accessed as described in Alert Details Page Access. While an NMS Details page has roughly the same layout as a typical Alert Details Page, there are a few differences, which are covered in the following topics:

 

NMS Alert Details Display

The main display area of the details page for an NMS-based alert is divided into a set of panes, as described in Alert Details Main Display. The topics below cover the content of those panes for an NMS alert.

NMS Statistics Pane

The fields across the top of the page will provide NMS-specific statistics, including the measurement, metric, and dimensions specified on the Dataset tab of the policy that generated the alert.

NMS Data Pane

The Data pane shows charts and tables related to the condition that caused the NMS-based alert. The structure of the Data pane depends on the type of alert:

  • NMS Up/Down: The pane includes an up/down chart that details the status of the alert over time (see Up/Down Visualization).
  • NMS Threshold: The pane includes a line chart detailing the alert’s activity over the time determined by the Lookback drop-down (top right of the chart).

The View in Metrics Explorer link above the chart takes you to Metrics Explorer, where the settings of the Query sidebar will correspond to the values set in the alert’s policy. The pane also includes, at the bottom of the page, a History table, which details alerts that have recently triggered or are currently active.

Up/Down Visualization

This time-based chart type is composed of a series of bars on a horizontal time axis that each represent one segment of the current time range. The color of each bar shows the state of the policy’s data sources (devices, interfaces, or BGP neighbors) at a particular point in time: green = up, red = down, and gray = unknown. Hover over any bar in the chart to open a popup giving the timestamp and the state during that segment.

The Up/Down visualizations have Lookback drop-downs that determine the timeframe covered by the visualizations. Options include:

  • NMS Details drawer: Last hour, Last day, Last 7 days, Last 14 days, and Last 30 days.
  • NMS Details page: Alert +/- 1 hour, Alert +/- 24 hours, Last hour, Last day, Last 7 days, Last 14 days, and Last 30 days.

In the NMS Details drawer, if an event occurred during a given segment, then its bar will be slightly elevated and one of the following icons will appear above the bar:

  • Bell (in a red marker): An alert was triggered.
  • Checkmark (in a green marker): The alert was cleared (according to the policy’s settings).
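The following is an added, constructed example of how an up/down chart like the one described above can be derived from polled status samples and alert events: the lookback range is cut into equal segments, each segment gets a color from the samples that fall in it, and a segment containing a trigger or clear event gets the corresponding marker. This is illustrative code written for this page, not Kentik's implementation; the aggregation rules (any "down" sample makes the segment red, a segment with no samples is gray) and the sample data are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

UP, DOWN, UNKNOWN = "green", "red", "gray"


@dataclass
class Segment:
    start: int
    end: int
    color: str
    marker: Optional[str] = None   # "bell" (alert triggered) or "checkmark" (alert cleared)


def build_updown_chart(range_start: int, range_end: int, segment_len: int,
                       samples: List[Tuple[int, str]],
                       events: List[Tuple[int, str]]) -> List[Segment]:
    """Bucket (timestamp, "up"/"down") samples and (timestamp, "triggered"/"cleared")
    events into fixed-length segments covering [range_start, range_end)."""
    segments: List[Segment] = []
    for seg_start in range(range_start, range_end, segment_len):
        seg_end = seg_start + segment_len
        states = [state for ts, state in samples if seg_start <= ts < seg_end]
        if not states:
            color = UNKNOWN            # assumption: no data in the segment means unknown
        elif "down" in states:
            color = DOWN               # assumption: any down sample marks the segment down
        else:
            color = UP
        marker = None
        for ts, kind in events:
            if seg_start <= ts < seg_end:
                marker = "bell" if kind == "triggered" else "checkmark"
        segments.append(Segment(seg_start, seg_end, color, marker))
    return segments


def sample_chart() -> List[Segment]:
    """Constructed data: a 1-hour lookback in 10-minute segments with 5-minute polling;
    the device goes down at 900 s, comes back at 1800 s, and stops reporting after 2700 s."""
    samples = [(0, "up"), (300, "up"), (600, "up"), (900, "down"), (1200, "down"),
               (1500, "down"), (1800, "up"), (2100, "up"), (2400, "up"), (2700, "up")]
    events = [(900, "triggered"), (1800, "cleared")]
    return build_updown_chart(0, 3600, 600, samples, events)


if __name__ == "__main__":
    for seg in sample_chart():
        print(seg)
```

The last segment of the constructed run comes out gray because no sample fell into it, which is the "unknown" case a reader of the chart should distinguish from an actual outage.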
 

NMS Alert Details Sidebar

The right-side sidebar on the Details page for an NMS alert provides slightly different details than the sidebar for non-NMS alerts. The sidebar includes the following fields and controls:

  • Alert Overview: Information about this individual alert (see Details Page Alert Overview).
  • Device: The device that is being alerted on (if applicable). This section may contain various details about the device including site, model, location, IP address, manufacturer, and serial number.
    - View Details: A link that takes you to the NMS Device Details Page for that device.
  • Policy: Provides information about the alert policy:
    - Edit Policy: A link that takes you to the Edit Policy page for the alert (see Policy Settings Pages).
    - Name: The name of the policy that triggered the alert (see Alert Policies).
    - Last Edited: How long ago the policy was edited.
    - Alerts for Policy: The number of alerts generated from this policy in the last seven days.
  • Take Action: A set of buttons for additional steps that you can take related to the alert (see Alert-specific Actions).
  • Comments: A section that provides a field to add a comment and displays any Alert Comments already added (see Comments Pane).
  • Warning: If the policy has been changed since the alert started, you’ll see a warning in the sidebar in the pane(s) that may be affected.
© 2014- Kentik