Alerting


Notes:
- For a high-level introduction to Kentik's alerting system, see Policy Alerts Overview.
- For a complete list of the portal locations involved in the management and configuration of alerts and mitigations, see Alerting Pages.

The Alerting page lists recent alerts generated by alert policies.

About the Alerting Page

Current and historical alerts generated by Kentik's alerting system are listed on the Alerting page, which shows important information such as the time, severity, and status of alerts, as well as the dimensions and metric values involved in the conditions that triggered each alert. The Alerting page also provides access to the Policies Page, where you can manage and configure the policies that generate alerts and determine the system's response to alerts (notifications, mitigations).


Alerting Page UI

The Alerting page provides information about current or recent alerts in your organization. The page includes the following UI elements:

  • Mitigations (in the SubNav): A button that opens the Mitigations page (Protect » Mitigations).
  • Manage Alert Policies: A button that opens the Policies Page.
  • Alerting counters: A set of tiles giving the count of alerts at each severity level, as well as in mitigation and requiring acknowledgement (see Alerting Counters). The counts reflect the current filter settings (see Alerts List Filters).
  • Show/Hide Filters (filter icon): A button that toggles the Filters pane between expanded and collapsed.
  • Group By: Choose a property (e.g. severity) from the drop-down to group the alerts in the table by the value of that property. The table supports grouping by status, severity, type, policy, or primary dimension.
  • Filter field: A field that narrows the alerts shown in the Alerts List. If text is entered, the list will show only alerts that match the text in at least one column. The field will also display any filters applied with the Filters pane.
  • Filters Pane: Filters that narrow the alerts listed in the Alerts list (see Alerts List Filters).
  • Action controls: Present only when one or more checkboxes are selected in the Alerts list, enabling you to apply an action to all selected alerts:
    - Action buttons: Buttons that apply the actions detailed in Alert Actions.
    - Selection indicator: Indicates how many alerts are currently selected.
  • Alerts List: A table listing alerts (see Alerts List).

Alerting Counters

Displayed across the top of the Alerting page, the alerting counters are tiles that each display an alerting-related count. The counts reflect the current filter settings (see Alerts List Filters).

Counts related to alerts.

The counts cover the following categories:

  • Overview: A tile containing indicators for the following counts:
    - Active Mitigations: A count of mitigations, initiated either automatically or manually, that are currently in progress. Click the tile to go to the Mitigations page.
    - Enabled Policies: A count of the Alert Policies currently enabled in your organization.
    - Ack Required: A count of alerts whose status is Ack Required, meaning that the conditions that resulted in an alarm are no longer present, but an acknowledgement is required from a user in your organization before the alert is "cleared".
    Note: You can clear an alarm manually from the Alerts List by choosing Acknowledge from the Action popup (vertical ellipsis) at the right of the alert’s row or from the alert’s details drawer (see Alert Details Drawer).
  • Severity: A set of tiles that each give a count of the active (not yet cleared) alerts that were triggered by alert policy thresholds of a given severity level, ranging from Critical down to Minor (see General Threshold Settings).

Alerts List Filters

The alerts displayed in the Alerts List can be filtered using the controls in the Filters pane on the left. The pane includes the following filters:

  • Clear all (appears only when you’ve specified one or more filters): Click to clear all current filters.
  • Status: Narrow the list to alerts whose current status matches the checked checkboxes:
    - Alarm: Show all alerts in an alarm state.
    - Ack Required: Show alerts that are no longer in alarm state but must be manually acknowledged (per alert policy) before being cleared.
    - Cleared: Show alerts that have been cleared.
  • Severity: Narrow the list to alerts whose severity (Critical, Severe, Major, Warning, or Minor) matches the checked checkboxes. The severity is determined by the alert policy threshold that triggered the alert.
  • Type: Narrows the list to alerts with the type matching the checked checkboxes (DDoS, Query-based, or Custom; see Policy Types).
  • Time Range: A set of radio buttons that determines the time range within which the listed alerts occurred: last hour, last three hours, last day, last week, last 30 days (default), or all time.
  • Alert ID: A field with which you can narrow the list to the alert whose ID matches the entered number.
  • Policy Names: A drop-down from which you can select the alert policies whose alerts will be included in the Alerts list. You can narrow the available policies by typing in the field. Repeat to add more than one policy.
  • Show Tenant Alerts: A switch that determines whether or not My Kentik Portal tenant alerts are displayed in the Alerts list.
  • Tenants (appears only when Show Tenant Alerts is enabled): A drop-down from which you can select the tenants whose alerts display in the Alerts list.
  • Dimension Search: A field with which you can narrow the list to alerts in which a dimension in the key definition matches the entered text.
  • Exact Match: A switch that determines whether the string entered in the Dimension Search field is matched strictly or loosely.

Alerts List

The Alerts List on the Alerting page is a filtered table (see Alerts List Filters) providing information about alerts triggered by your organization's alert policies. Each row in the table represents an individual alert. Click on a row to open the Alert Details Drawer, which displays additional details about the alert.

The table includes the following columns (click on a column heading to sort the list, ascending or descending):

  • Select All (in heading row): A checkbox for toggling the selection state of all alerts in the list:
    - If no checkboxes in the list are checked, or only some are checked, clicking this checkbox selects all alerts.
    - If all checkboxes in the list are checked, clicking this checkbox deselects all alerts.
  • Select (in alert rows): Check the box to select this alert. The alert will be included in any action applied with the Action controls (see Alert Actions).
  • Status: Shows the current status of the alert (see Alert Status).
  • Severity: The severity level (Critical, Severe, Major, Warning, or Minor) of the alert policy threshold that triggered the alert.
  • Type: The type of alert policy: DDoS, Query-based, or Custom (see Policy Types).
  • Policy: Indicates the policy name as defined in the alert policy.
  • Policy ID: Indicates the policy ID as defined in the alert policy.
  • Tenant (if Show Tenant Alerts is enabled): The tenant associated with the alert. This column appears only if your system includes tenants (see Tenants in Tenants and Packages) and you’ve enabled Show Tenant Alerts in the Alerts List Filters, in which case tenant alarms are also displayed in the Alerts list.
  • Dimensions: The dimensions (see Dimensions Reference) of the key definition, and their values for the keys that caused the alert to enter alarm state (see About Keys). For example, if the key definition is Dest IP, Device (two dimensions) and the key itself (a unique combination of values for the two key dimensions) is 1.10.1.174:s414_ida9_nektie_com then the Dimensions column would show this:
    Dest IP:1.10.1.174
    Device:s414_ida9_nektie_com
    Note: If the dimension value is rendered in blue you can click it to go to the corresponding details page in Core (see Core Detail Pages).
  • Metric: The volume of traffic matching the key (see About Keys). The top-X ranking of traffic is performed by evaluating the volume of this matching traffic as measured in the primary metric (see Data Funneling).
  • Mitigation ID: The Kentik-generated unique ID for the mitigation.
  • Alert ID: The system-generated unique ID assigned to the alert when it was triggered. Click the ID to display the alert and its data on the Alert Details Page (opens in new tab).
  • Duration: The elapsed time between the alert's start time and its end time.
  • Time: The time (UTC) of the following:
    - The start time of the event that triggered the alarm state.
    - If the alert is waiting for an acknowledgement or has been cleared, the end time of the event that triggered the alarm state. Otherwise, the alert is indicated as “Currently Active.”
  • Actions (vertical ellipsis): A popup with actions that may be available for this alert (see Alert Actions).

Note: Alert policies that are in error state don't generate alerts. If you aren’t seeing alerts when you think you should, check the Policy Status on the Alert Policies page (see General Policy Settings).
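The Dimensions column and the Dimension Search filter (with its Exact Match switch) both work on the alert's key, and the strict/loose distinction matters in practice: a loose search for an IP prefix such as 1.10.1.17 also matches 1.10.1.174, so the list can include alerts for hosts you did not intend to look at. The following added example (not Kentik's code) parses a key into per-dimension values following the page's own two-dimension example and applies both matching modes over a constructed set of alert records. It assumes the key joins dimension values with ":" in key-definition order and that loose matching is a case-insensitive substring match; neither is stated on the page.

```python
# Added example (not Kentik's code): parse an alert key into per-dimension values
# and apply the Dimension Search filter in both Exact Match modes.
#
# Assumptions not stated on the page: the key string joins the values of the key
# definition's dimensions with ":" in definition order (as in the page's own
# "1.10.1.174:s414_ida9_nektie_com" example); "loose" matching means a
# case-insensitive substring match. The alert records below are constructed.
from typing import Dict, List, Sequence

KEY_DEFINITION = ["Dest IP", "Device"]  # the two-dimension key definition from the page's example

# Constructed sample alerts: the first key is the page's example, the rest are made up.
SAMPLE_ALERTS = [
    {"alert_id": 1001, "key": "1.10.1.174:s414_ida9_nektie_com"},
    {"alert_id": 1002, "key": "1.10.1.17:rtr-edge-01"},
    {"alert_id": 1003, "key": "10.1.1.174:rtr-core-02"},
]


def parse_key(key_definition: Sequence[str], key: str) -> Dict[str, str]:
    """Map each dimension in the key definition to its value in the key string.

    Splits on at most len(key_definition) - 1 separators so that any extra ":"
    stays in the last dimension's value instead of producing a wrong part count.
    """
    parts = key.split(":", len(key_definition) - 1)
    if len(parts) != len(key_definition):
        raise ValueError(f"key {key!r} has {len(parts)} parts, expected {len(key_definition)}")
    return dict(zip(key_definition, parts))


def render_dimensions(dimensions: Dict[str, str]) -> str:
    """Render the dimensions as the Dimensions column shows them, one per line."""
    return "\n".join(f"{name}:{value}" for name, value in dimensions.items())


def dimension_matches(dimensions: Dict[str, str], search: str, exact_match: bool) -> bool:
    """Dimension Search semantics: True if any dimension value matches the search text.

    exact_match=True  -> strict: the whole value must equal the search text.
    exact_match=False -> loose: the search text may appear anywhere in the value
                         (case-insensitive), so "1.10.1.17" also matches "1.10.1.174".
    """
    needle = search.strip()
    if not needle:  # an empty search field filters nothing out
        return True
    for value in dimensions.values():
        if exact_match:
            if value == needle:
                return True
        elif needle.lower() in value.lower():
            return True
    return False


def filter_alerts(alerts: List[dict], key_definition: Sequence[str],
                  search: str, exact_match: bool) -> List[int]:
    """Return the IDs of alerts whose key dimensions satisfy the Dimension Search filter."""
    return [
        alert["alert_id"]
        for alert in alerts
        if dimension_matches(parse_key(key_definition, alert["key"]), search, exact_match)
    ]


if __name__ == "__main__":
    print(render_dimensions(parse_key(KEY_DEFINITION, SAMPLE_ALERTS[0]["key"])))
    print("loose:", filter_alerts(SAMPLE_ALERTS, KEY_DEFINITION, "1.10.1.17", exact_match=False))
    print("exact:", filter_alerts(SAMPLE_ALERTS, KEY_DEFINITION, "1.10.1.17", exact_match=True))
```

With Exact Match off, the search for 1.10.1.17 returns alerts 1001 and 1002; with it on, only 1002. When triaging by a specific host, turn Exact Match on so neighbouring addresses that share a prefix do not inflate the list.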

Alert Actions

Actions can be applied to alerts in two ways:

  • Checkboxes: When one or more Select checkboxes are checked in the Alerts list, the list is shifted down to reveal the Action controls (see Alerting Page UI), which include buttons that enable you to apply an action to all selected alerts.
  • Actions menu: The popup menu from the vertical ellipsis at the right of a given alert's row in the Alerts list enables you to apply an action to that alert.

Available alert actions vary depending on the current status of the alert. The following actions may be available for a given alert:

  • View Details (Actions menu only): Opens the Alert Details Page for that alert in a new tab.
  • Silence Alert: Hide alerts matching that alert’s key for seven days (see Silent Mode).
  • Acknowledge (present only for Ack Required alerts): Acknowledge the alert, changing the alert’s status from Ack Required to Cleared.
  • Open Dashboard (Actions menu only): Opens (in new tab) the dashboard specified with the Policy Dashboard setting of the alert's policy (see General Policy Settings).

Alert Status

The following table lists the statuses shown for alerts in the Alerts list, as well as a description for each status:

Status         Description
Alarm          An active alert that is currently in alarm state.
Ack Required   An alert that is no longer active but that must be manually acknowledged before it can be cleared.
Cleared        An alarm that has been cleared.

Note: You can narrow the Alerts list based on status using the Status filters (see Alerts List Filters).


Alert Details Drawer

The details drawer for a given alert slides out from the right side of the page when the row for that alert is clicked in the Alerts List, showing the following additional information:

  • Policy: The name of the alert policy by which the alert was triggered (see Alert Policies).
  • Chart: A representation of the traffic that triggered the alert, providing context (baseline and thresholds) around why the alert triggered.
  • Severity: The alert’s severity level (Critical, Severe, Major, Warning, or Minor). Severity is determined by the alert policy threshold that triggered the alert.
  • Alert Start Time: The start of the period evaluated for the alert.
  • Event End Time: The end of the period evaluated for the alert, minus the counter reset time set on the policy’s Thresholds tab.
  • Alert End Time: If the alert is currently active, then "Currently Active," otherwise the end of the period evaluated for the alert.
  • Status: The state of the alert: Alarm, Acknowledgement (Ack) Required, or Cleared.
  • Alert ID: The Kentik-assigned unique ID for the alert. Click the link to view the Alert Details Page.
  • Trigger: The alert policy threshold conditions that were matched, triggering the alert (see Threshold Conditions).
  • Stats: Displays the contents of the Dimensions and Metric columns in this alert's row of the Alerts list, showing the key dimension (target) whose values matched the threshold conditions, as well as the values themselves.
  • Mitigation Details: Information about the mitigation automatically triggered by this alert, if any is defined by the alert policy.
  • Take Action: A set of buttons for additional steps that you can take related to the alert. One or more of the following may appear:
    - View Details: Takes you to the Alert Details Page for this alert.
    - Acknowledge (appears only for Ack Required alerts): Acknowledge the alert, changing the alert’s status from Ack Required to Cleared.
    - Silence Alert: Hide alerts matching that alert’s key for seven days (see Silent Mode).
    - View Dashboard: Takes you to the dashboard specified with the Policy Dashboard setting of the alert's policy (see General Policy Settings).
    - Configure Policy: Takes you to the Edit Policy page for the alert policy (see Policy Settings Pages).

Alert Details Page


Alert Details Page Access

The Details page for an individual alert can be reached in the following ways:

  • Click the alert’s ID in the Alert ID column of the Alerts List.
  • Choose View Details from the Actions popup (vertical ellipsis) at the right of the alert’s row on the Alerts list.
  • Click the View Details button at the bottom of the alert's Alert Details Drawer.
  • Click the Alert ID link in the Alert Details Drawer.
  • In DDoS Defense, choose View Details from the Actions popup at the right of the alert’s row in the Attacks Within the Last 24 Hours table.

Note: Depending on your browser settings, details pages open in a new tab or window.


Alert Details Main Display

The main display area of the details page is divided into a set of panes, detailed below, that are intended to provide actionable details about the individual alert.

Title Pane

The top-most pane of the page contains the following information:

  • Alert name: The name of this alert, as defined in its policy.
  • Description: A brief summary (if one was provided when the alert policy was created) of the specific situation about which this alert is intended to notify users.

Statistics Pane

This pane shows some or all of the following elements (depending on factors including alert type and the dimensions in the key definition):

  • Dimensions: The names and values of the key dimension(s) — for example, a device and a destination IP address — whose value triggered the alert.
  • Statistics: Statistics that illustrate the situation that generated the alert. Depending on the configuration of the alert policy, these may include information such as baseline flows/s (if the policy uses baselining), actual flows/s, and actual Kpackets/s.
    Note: Each statistic included as described above is accompanied by a comparison of the actual value to the triggering value defined in the alert policy. If, for example, a condition in the policy threshold is "flows/s value is greater than 200% of baseline" then the flows/s statistic will state not only the actual flows/s but also the percent by which the flows/s exceed the baseline flows/s.
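To make the actual-versus-trigger comparison concrete, here is an added example (not Kentik's code) that evaluates a baseline-relative condition of the form quoted in the note and produces the comparison line for a statistic. The percentage arithmetic ("N% of baseline" as actual / baseline × 100, "percent over baseline" as the excess above 100%) and the handling of a key with no usable baseline are assumptions, as are the sample metric values.

```python
# Added example (not Kentik's code): evaluate a baseline-relative threshold
# condition such as "flows/s value is greater than 200% of baseline" and build
# the actual-vs-trigger comparison that accompanies each statistic.
#
# Assumptions not stated on the page: "N% of baseline" means actual / baseline * 100,
# "percent over baseline" means (actual / baseline - 1) * 100, and a key with no
# usable baseline (baseline <= 0) cannot be evaluated, so it does not trigger.
# The metric values used below are constructed.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Condition:
    metric: str                 # e.g. "flows/s" or "Kpackets/s"
    percent_of_baseline: float  # trigger when actual is greater than this percentage of baseline


@dataclass(frozen=True)
class Comparison:
    metric: str
    actual: float
    baseline: float
    percent_of_baseline: Optional[float]    # actual expressed as a percentage of baseline
    percent_over_baseline: Optional[float]  # how far actual exceeds (or trails) baseline
    triggered: bool


def evaluate(condition: Condition, actual: float, baseline: float) -> Comparison:
    """Compare an actual metric value with its baseline under the given condition."""
    if baseline <= 0:
        # No baseline to compare against (assumption: treated as not evaluable, not as triggered).
        return Comparison(condition.metric, actual, baseline, None, None, False)
    ratio = actual / baseline
    return Comparison(
        metric=condition.metric,
        actual=actual,
        baseline=baseline,
        percent_of_baseline=round(ratio * 100, 1),
        percent_over_baseline=round((ratio - 1) * 100, 1),
        # "greater than": a value sitting exactly at the threshold does not trigger
        triggered=ratio * 100 > condition.percent_of_baseline,
    )


def describe(c: Comparison) -> str:
    """One line in the style of a Statistics pane entry."""
    if c.percent_of_baseline is None:
        return f"{c.metric}: actual {c.actual:g} (no baseline available)"
    sign = "+" if c.percent_over_baseline >= 0 else ""
    state = "exceeds threshold" if c.triggered else "within threshold"
    return (f"{c.metric}: actual {c.actual:g}, baseline {c.baseline:g} "
            f"({c.percent_of_baseline:g}% of baseline, {sign}{c.percent_over_baseline:g}%), {state}")


if __name__ == "__main__":
    flows = Condition("flows/s", 200.0)
    print(describe(evaluate(flows, actual=720.0, baseline=240.0)))
    print(describe(evaluate(Condition("Kpackets/s", 200.0), actual=50.0, baseline=40.0)))
    print(describe(evaluate(flows, actual=10.0, baseline=0.0)))
```

With a baseline of 240 flows/s and an actual value of 720 flows/s, the statistic reads as 300% of baseline (200% over it) and the "greater than 200%" condition is satisfied; 50 Kpackets/s against a 40 Kpackets/s baseline is 125% of baseline and stays within the same condition.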

Data Pane

The Data pane shows charts and tables related to the condition that caused the alert. The structure of the Data pane depends on the type of alert:

  • Custom and query-based alerts: The pane includes a time series chart illustrating the traffic (in flow/s and packets/s) that caused the alert.
  • DDoS alerts: The pane includes six tabs, each displaying charts and tables showing a different aspect of the traffic covered by the alert (see DDoS Data Tabs).

For all types of alerts, the View in Data Explorer link below each chart takes you to Data Explorer (in the same tab), where the Query sidebar will be set to correspond to the values of the alert’s key. The pane also includes, at the bottom of the page, a Why Was This Triggered section (on the Insights tab for DDoS alerts), which details the conditions defined in the policy threshold and the actual values for each of those conditions.

The main display area of a DDoS alert has six tabs.

DDoS Data Tabs

The following tabs are included in the Data pane on a details page for a DDoS alert:

  • Alert: A time series chart showing the volume (in bits/s) of the traffic that triggered the alert.
  • Ingress Interfaces: A time series chart showing traffic volume (in bits/s) on the interfaces where Kentik detected the attack, and a table giving additional detail including the device and site in which the interfaces are located.
  • Traffic Patterns: Information that characterizes the conversations driving the traffic volumes that caused the alert, including how many sources the traffic has, what services are involved, and whether it is a bidirectional conversation or unidirectional.
  • Source Countries: A time series chart showing the unique source IPs of attack traffic, and a table ranking the countries from which traffic from those IPs originated.
  • Source Services: A time series chart showing the services that originated the traffic that caused the alert, and a table ranking those services.
  • Packet Size Distribution: A time series chart showing the packets of various sizes in the traffic that triggered the alert, and a table ranking the sizes by volume of traffic.

Note: The time range for the above charts begins 30 minutes before the alert's start time and ends with the current time (if the alert is still in Alarm state) or its end time.


Alert Details Page Sidebar

The right-side sidebar provides additional details about the alert.

  • Severity: The alert’s severity level (Critical, Severe, Major, Warning, or Minor). Severity is determined by the alert policy threshold that triggered the alert.
  • Alert Start Time: The start of the period evaluated for the alert.
  • Event End Time: The end of the period evaluated for the alert, minus the counter reset time set on the policy’s Thresholds tab.
  • Alert End Time: The end of the period evaluated for the alert.
  • Status: The state of the alert: Alarm, Acknowledgement (Ack) Required, or Cleared.
  • Alert ID: The Kentik-assigned unique ID for the alert.
  • Policy: The name of the policy by which the alert was triggered (see Alert Policies). The name is a link that takes you to the Edit Policy page for that alert policy (see Policy Settings Pages).
  • Frequency: A summary of the frequency with which this alert has recently occurred. The Show all Occurrences link takes you back to the Alerting page, displaying only that policy’s alerts.
  • Dimensions: A set of vertical bar charts, one for each dimension in the key definition, showing how often the same key value was involved in other alerts over the last seven days.
  • Take Action: Additional steps that you can take related to the alert:
    - View in Data Explorer: A button that takes you to Data Explorer (in a new tab), where the Query sidebar will be set to correspond to the values of the alert’s key. For example, if the dimension in the key definition is Dest IP/CIDR and the value of the key in the alert is 208.76.14.223 then a filter in the Filtering pane will be set to Destination IP/CIDR equals 208.76.14.223.
    - Open in Dashboard: Opens (in new tab) the dashboard specified with the Policy Dashboard setting of the alert's policy (see General Policy Settings).
    - Acknowledge (present only when the alert status is Ack Required): Acknowledge the alert, changing the status from Ack Required to Cleared.
© 2014- Kentik