Alert Policies

Note: Alert policy configuration can be complex. If you don't find what you need here, please contact Customer Support.

Management of the alert policies used by Kentik's alerting system is covered in the following topics:

Notes:
- For general information about policy-based alerting, see Policy Alerts Overview.
- For information on policy templates, see Policy Templates.
- For information on active or historical alerts, see Alerting.
- For information on alert-related notifications, see Notifications.
- For information on mitigation for alerts, see Mitigations.

Your organization's alert policies are managed from the Policies page.
 

Policies Page

Alert policies are managed from the Policies page, which is covered in the following topics:

Note: For information on configuring a policy, see Policy Settings.

 

About the Policies Page

The Policies page is used to manage alert policies for Kentik’s alerting system (see Alerts and Policies). Accessed via the Manage Policies button at the upper right of the Alerting page, this page displays the Policies List, which is a table listing the alert policies that are currently available to your organization. Policies can be added, enabled/disabled, cloned, deleted, and edited using this list.

Note: While admin-level users can see and use all of the controls listed throughout this article, member-level users can only:
- See and filter the policies displayed in the Policies list.
- Open a policy’s Policy Details Drawer.
- Enable or disable policies.

 

Policies Page UI

The Policies page is made up of the following UI elements:

  • Policy Templates: A button (at the right of the SubNav) that opens the Policy Templates page, where you can manage templates, including adding a policy from a template (see Add Policy from Template).
  • Policies statistics: Just below the page title, these fields indicate the number of policies created and enabled in your organization and give the maximum allowable number for each.
  • Add Policy: A button (upper right) with two parts:
    - Add Policy: Opens the Add Policy Dialog, where you choose whether to open an Up/Down policy or a Threshold policy, after which you are taken to an Add Policy page.
    - Open menu (down arrow at right): Open a drop-down from which you can choose Add Policy from Template, which opens an Add Policy from Template dialog that enables you to create a policy from a policy template.
  • Filters (funnel icon): A button that toggles the Filters pane between expanded and collapsed.
  • Search field: A field that you can use to narrow the policies shown in the Policies List. If text is entered, the list will show only policies that match the text in the ID, Name, or Description column. The field will also display any filters already applied with the Filters pane.
  • Filters pane: A set of Policy Filters that you can use to narrow the alert policies shown in the Policies List.
  • Policies list: A table listing the policies in your organization and giving information about each (see Policies List).
  • Policy Details drawer: Click on any policy in the Policies list to open a drawer from the right of the page that contains a summary of that policy’s settings (see Policy Details Drawer).
 

Policies List

The Policies list is a table that shows all of the alert policies that are currently available in your organization. The table includes the following columns of information and actions for each policy:

  • Select All (in heading row): A checkbox for toggling the selection state of all policies in the list:
    - If no checkboxes in the list are checked, or only some are checked, clicking this checkbox will select all policies.
    - If all checkboxes in the list are checked, clicking this checkbox will deselect all policies.
  • Selected: A checkbox in the leftmost column that enables you to select the policy. When a policy is selected, the Selected Policy Controls appear above the Policies list.
  • Status: The status of the policy, either Disabled (gray) or Enabled (green).
  • Type: The type of the policy (DDoS, Query-based, Custom, or NMS; see Policy Types).
  • ID: The system-generated unique ID assigned when the policy was created.
  • Name: The user-specified name of the policy. The policy’s user-specified description, if entered, is presented below the name.
  • Data Sources: The network entities whose traffic is covered by the policy, which are specified on the Dataset tab in Policy Settings.
  • Metrics: The units (e.g. bits/s, packets/s, flows/s, etc.) by which this alert measures incoming flow data (see Data Funneling). The primary metric is listed first, followed by secondary metrics (if any).
  • Dimensions: The dimensions defined in the policy, which combine to make a key definition that will determine how traffic is subdivided for evaluation (see About Keys). Dimensions, which are based on fields in the KDE main table, are described in Dimensions Reference.
  • Used by Tenant: The My Kentik Portal tenants using this policy (“None” if not used by a tenant).
  • Actions: A vertical ellipsis that pops up the Policy Action Menu.

Selected Policy Controls

When one or more policies are selected, a series of controls appears above the Policies list:

  • Add/Edit Labels: A link to the settings page for Labels, where you can create, edit, or remove the labels that are available to apply to the selected policies.
  • Clear Labels: Clear the labels that are applied to all currently selected policies.
  • Apply Labels: A drop-down list of labels from which you can choose one or more labels to apply to all currently selected policies. Click labels in the list to select or de-select. Click outside of the drop-down to close it.
  • Enable: Enables the selected policies if they are currently disabled.
  • Disable: Disables the selected policies if they are currently enabled.
  • Delete: Brings up a Delete Policies dialog in which you can confirm (or cancel) removal of the selected policies from your organization’s collection of alert policies.
  • Add Notification Channels: Opens the Add Notification Channels dialog, where you assign one or more existing or new notification channels to the selected policies.
  • Policies selected: The number of policies currently selected is displayed to the right of the controls.

Notes: If you’ve selected both enabled and disabled policies, both the Enable and Disable buttons will appear:
- Enable will enable any disabled policies and keep any enabled policies as enabled.
- Disable will disable any enabled policies and keep any disabled policies as disabled.

Add Notification Channels

The Add Notification Channels dialog allows you to assign one or more notification channels to the selected policies. The dialog has the following UI elements:

  • Close: Click the X in the upper right corner to close the dialog. No notification channels will be added to the policies.
  • Notification Channels: A field that shows lozenges for each of the notification channels currently assigned to this policy. A lozenge to the left of each channel name indicates the channel's type.
    - To remove a channel from this policy, click the X in the channel’s lozenge.
    - To add a channel, click in the field to drop down a filterable list of channels in your organization. Click on a channel to add it to the field.
    Note: The drop-down list does not include channels that are already assigned to this policy. It does include disabled channels (see Enable or Disable Notification), but they can't be selected.
  • Add New Channel: Opens the Add Notification Channel dialog (see Notification Settings) where you can create a new notification channel for your organization and automatically add it to the currently selected policies.
  • Test Notification Channels: Send a test notification to the recipients in all currently assigned channels. Present only when the Notification Channels field is populated.
  • Cancel: Exit the dialog without changing the notification channels assigned to the selected policies.
  • Continue: Save the current notification channel assignments and exit the dialog.

Policy Action Menu

The Action menu for each policy can be accessed via the vertical ellipsis in the following locations:

The menu includes the following options:

  • Edit Policy: Go to the Edit Policy page where you can edit the Policy Settings.
  • Enable/Disable Policy: Enable a disabled policy or disable an enabled policy.
  • Clone Policy: Go to the Clone Policy page, where the settings of a new policy will be populated with the values of the policy that you cloned (see Clone a Policy).
  • Delete: Open a confirming dialog that allows you to delete the policy from your organization’s collection of alert policies.
  • Debug: Opens the Policy Debug Dialog which displays tables containing the top keys for current traffic and top keys for baseline data.
 

Policy Filters

The policies displayed in the Policies list can be filtered using the controls in the Filters pane on the left. For filter categories with a set of checkboxes (e.g. Type):

  • If any boxes are checked, only policies that match those boxes will be included.
  • If no boxes are checked, there will be no matching on that category.

The pane includes the following elements:

  • Close: Click the < in the upper right corner to close the Filters pane. Click the Filters button (funnel icon) above to show it again.
  • Clear all (appears only when you’ve specified one or more filters): Click to clear all current filters.
  • Type: The types of policies to include in the list (DDoS, Query-based, Custom, or NMS; see Policy Types).
    Note: To filter the list for Up/Down policies, set the Type to NMS.
  • Status: The policy statuses to include in the list (Enabled and/or Disabled).
  • Policy ID: A field with which you can filter the list to one specific policy by entering a full policy ID (no partial matching).
 

Policy Details Drawer

The Policy Details drawer is a read-only display of policy settings, including details that may not be displayed directly in the Policies list. Click anywhere on the row of a policy to open its details drawer.

The drawer contains the following elements:

  • ID number: The system-generated unique ID assigned when the policy was created.
  • Name: The user-specified name of the policy.
  • Actions: A button (vertical ellipsis icon) that pops up the Action menu (see Policy Action Menu).
  • Status: A lozenge indicating the policy’s status, either enabled (green) or disabled (gray).
  • Description: A description of the policy if any was provided by the policy’s creator.
  • Policy Dashboard (not present for NMS policies): The dashboard that is set as the destination of the Open Dashboard button for any alert listed in the Alerting list (see Policy Dashboard under General Policy Settings). A lozenge labeled Preset will be present if the dashboard is a Kentik-provided preset.
  • Dataset: An expandable/collapsible pane containing a summary of the current settings of the Dataset tab of the policy (see Policy Dataset Settings).
  • Thresholds: An expandable/collapsible pane containing a summary of the current settings of the Thresholds tab of the policy (see Policy Threshold Settings). The number in brackets indicates the number of thresholds in use for the policy.
  • Baseline: An expandable/collapsible pane containing a summary of the current settings of the Baseline tab of the policy (see Policy Baseline Settings).
 

Policy Debug Dialog

The Debug dialog provides context that can be used to better understand why a threshold (see About Alert Thresholds) in a given alert policy triggered an alarm. The Debug list (table) presents information about a given policy from two main perspectives:

  • Current Traffic: The table shows information related to the top-X keys (see About Keys) for the policy in current traffic, where:
    - Current traffic is the set of flow records (and associated traffic data) included in the most recently completed aggregate. The duration of each aggregate is determined by the policy’s Evaluation Frequency setting (see the Building Your Dataset pane of the Dataset tab of the Policy Settings Pages for threshold policies).
    - X is defined by the Maximum Number of Keys setting in the same pane (the actual number of keys may be less depending on the Minimum Traffic Threshold setting).
  • Baseline Data: The table shows information related to the top-X keys in the baseline data of the same policy (see About Historical Baselines).

Note: The Debug dialog is only available for enabled policies.

The debug dialog provides details about the top keys in either current or baseline traffic.

Policy Debug Dialog UI

The Debug dialog is made up of the following UI elements:

  • Close: Click the X in the upper right corner to close the Debug dialog.
  • Top Keys: From the drop-down, choose which of the following is displayed in the Debug list:
    - Current Traffic: Information about the top-X keys in the alert policy’s current traffic.
    - Baseline Data: Information about the top-X keys in the alert policy’s baseline traffic.
  • Debug list: A table that displays information related to top-X keys (current or baseline) in the selected policy. Each view has its own unique sets of columns. See Debug Current Columns and Debug Baseline Columns.

Note: When insufficient traffic is available for debugging, a message will display in place of the Debug list:
- Current traffic: “No matches found” may mean that there is no traffic at all, or there is no traffic for the policy to evaluate for matches.
- Baseline data: “No baseline data available” may mean that there is no traffic or that the baseline is still building.

Debug Current Columns

The Current Traffic view of the Debug list includes the following columns:

  • Position (#): The ordinal position of the key in the top-X current keys for this policy.
  • Keys: The policy’s key as defined in the policy’s Dimensions setting (Data Funneling pane of the Dataset tab of the Add Alert Policy or Edit Alert Policy dialog).
  • Entries: The total number of flows with this key in the current traffic data aggregate.
  • Primary Metric: The value of the policy’s Primary Metric as specified in the Data Funneling pane, which determines the position of the key in the top-X.
  • Metric 2: The value of the policy’s first Secondary Metric (if any) as specified in the Data Funneling pane.
  • Metric 3: The value of the policy’s second Secondary Metric (if any) as specified in the Data Funneling pane.
  • First seen: The timestamp of the start time of the current traffic data aggregate.
    Note: The timestamp may be UTC or local depending on the Time Zone selected in your User Profile (see User-specific Defaults).
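
The following sketch is an added illustration, not Kentik's code: it models how the rows of the Current Traffic view could be derived from one aggregate of flow records by grouping on the policy's dimensions, ranking by the primary metric, and cutting the list at Maximum Number of Keys. The field names, the constructed sample flows, the choice of bits/s and packets/s as metrics, and the assumption that the Minimum Traffic Threshold applies to the primary metric are all assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample flow records for one evaluation aggregate (not real traffic).
SAMPLE_FLOWS = [
    {"dst_ip": "203.0.113.10", "dst_port": 53, "bytes": 900_000, "packets": 1500},
    {"dst_ip": "203.0.113.10", "dst_port": 53, "bytes": 600_000, "packets": 1000},
    {"dst_ip": "203.0.113.10", "dst_port": 443, "bytes": 750_000, "packets": 600},
    {"dst_ip": "198.51.100.7", "dst_port": 80, "bytes": 300_000, "packets": 300},
    {"dst_ip": "198.51.100.7", "dst_port": 22, "bytes": 7_500, "packets": 30},
]


@dataclass
class DebugRow:
    position: int      # "Position (#)" column
    key: tuple         # "Keys" column: one value per dimension
    entries: int       # "Entries" column: flows that share this key
    primary: float     # "Primary Metric" column (bits/s in this example)
    secondary: float   # "Metric 2" column (packets/s in this example)


def top_keys(flows, dimensions, window_seconds, max_keys, min_primary):
    """Return the top-X rows for one aggregate of flow records.

    dimensions     -- field names that combine into the key definition
    window_seconds -- aggregate duration (Evaluation Frequency)
    max_keys       -- X (Maximum Number of Keys)
    min_primary    -- assumed Minimum Traffic Threshold on the primary metric
    """
    totals = defaultdict(lambda: {"entries": 0, "bytes": 0, "packets": 0})
    for flow in flows:
        # The key is the tuple of dimension values, so adding a dimension
        # subdivides the same traffic into more, smaller keys.
        key = tuple(flow[d] for d in dimensions)
        bucket = totals[key]
        bucket["entries"] += 1
        bucket["bytes"] += flow["bytes"]
        bucket["packets"] += flow["packets"]

    candidates = []
    for key, bucket in totals.items():
        bits_per_s = bucket["bytes"] * 8 / window_seconds
        pkts_per_s = bucket["packets"] / window_seconds
        # Keys under the minimum never reach the table, which is why the
        # list can hold fewer than max_keys rows.
        if bits_per_s >= min_primary:
            candidates.append((key, bucket["entries"], bits_per_s, pkts_per_s))

    # The primary metric alone decides position; the key breaks ties so the
    # ordering is deterministic.
    candidates.sort(key=lambda c: (-c[2], c[0]))
    return [DebugRow(i + 1, *c) for i, c in enumerate(candidates[:max_keys])]


if __name__ == "__main__":
    for row in top_keys(SAMPLE_FLOWS, ("dst_ip", "dst_port"), 60, 3, 5_000):
        print(row)
```

Running the same flows with a single dimension (`("dst_ip",)`) collapses the per-port keys into per-host keys with larger metric values, which is the effect to keep in mind when comparing a debug row against a threshold.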

Debug Baseline Columns

The Baseline Data view of the Debug list includes the following columns for each row:

  • Position (#): The ordinal position of the key in the top-X baseline keys for this policy.
  • Keys: The policy’s key as defined in the policy’s Dimensions setting (Data Funneling pane of the Dataset tab of the Add Alert Policy or Edit Alert Policy dialog).
  • Count: The total number of flows with this key in the baseline data.
  • Value: A percentile value for the policy’s Primary Metric as specified in the Data Funneling pane, which determines the position of the key in the top-X. The percentile that is used (98th, 95th, 25th, etc.) is set in the Building the Baseline pane of the Baseline tab (Rollup aggregation).
  • Min Value: The lowest one-hour rollup aggregation value occurring for the primary metric over the “baseline window” set in the Building the Baseline pane.
  • P50 Value: The 50th percentile value of the policy’s Primary Metric over the “baseline window.”
  • Max Value: The highest one-hour rollup aggregation value occurring for the primary metric over the “baseline window.”
  • Chosen Time: The timestamp of the first flow record in the baseline data that matches the key.
 

Adding a Policy

The addition of a policy to your organization’s collection of alert policies is covered in the following topics:

Note: To add a policy, your RBAC roles must have permissions equivalent to those of an Administrator or Super Administrator (see What is Kentik RBAC?).

 

Policy Creation Methods

You can add an alert policy with any of the following methods:

The settings that you’ll make when adding a policy are covered in Policy Settings. When you’ve finished specifying the settings, click Save. The new policy will be listed in the Policies list.

Note: The first time you access a policy settings page you’ll see a dialog offering a tour of the page.

 

Add Policy Dialog

The Add Policy dialog lets you choose between creating an Up/Down policy or a Threshold policy.

The dialog, which opens from the Add Policy button on the Policies Page, includes the following UI elements:

  • Up/Down: A card that you click to choose an Up/Down policy (default), which alerts you when devices, interfaces, or BGP neighbors are in an unhealthy state. For information about Up/Down policies and their settings, see Up/Down Policy Settings.
  • Threshold: A card that you click to choose a threshold policy, which alerts you when selected metrics pass specified thresholds. For information about Threshold policies and their settings, see Threshold Policy Settings.
  • Cancel: Buttons — a Cancel button at lower right and an X in the upper right corner — that close the dialog without selecting a type of policy to create.
  • Continue: Close the dialog and continue to the Add Up/Down Policy page (if you selected Up/Down) or the Add Policy page (if you selected Threshold).
 

Add a Query-based Policy

A query-based policy is a time-limited policy built from contextual Data Explorer queries. You can create a policy directly from Data Explorer using all of the criteria (dimensions, metrics, filters) you’re using to view your data.

To create a query-based policy:

  1. In Data Explorer, create a query with the necessary data sources, dimensions, metrics, and filters.
  2. On the SubNav, click the Actions button to display a drop-down menu.
  3. Select Create Alert Policy. The criteria used in the query (dimensions, metrics, etc.) automatically populate a new policy on the Add Query-Based Policy page.
  4. On the General tab, provide a name for the policy.
  5. On the Thresholds tab, click Edit Conditions and add at least one condition (see Threshold Conditions).
  6. Check the indicators in the Policy Summary Pane to see if you have any missing fields or errors in the policy.
  7. Click Save. You will be taken back to the Data Explorer page from which you created the policy. The policy will now appear in the Policies list on the Policies page.

Notes:
- On the General tab (see General Policy Settings), if you set the Policy Expires time to Never or you disable Policy Status, the type of the policy changes from Query-based to Custom.
- If you choose to edit a Query-based policy after it appears in the Policies list, its expiration is removed and the policy type changes to Custom.

 

Clone a Policy

Cloning allows you to duplicate a policy so that it can be modified without altering the original. To clone a policy:

  1. In the Policies list on the Policies page, find the policy that you’d like to clone.
  2. From the Actions menu at the right of the policy’s row, choose Clone Policy, which takes you to the Clone Policy page, where the settings of a new policy will be populated with the values of the policy that you cloned.
  3. Change the name of the new policy so that it’s distinct from the original policy you cloned.
  4. Change any other settings on the tabs of the Clone Policy page to tailor them to your requirements for the new policy.

Note: Once a new policy has been created by cloning, it will be added to the Policies list.

 

Use a Policy Template

Templates are preconfigured policies provided by Kentik as the starting point for creating a policy for your organization. Kentik provides templates for many common alerting needs. Templates are not intended to be used as-is without being customized to your network and traffic situation.

There are two routes to adding a policy from a template:

  • Policies page: On the Policies page, click the drop-down portion of the Add Policy button and choose Add Policy from Template to open the Add Policy from Template dialog. Choose a template from the drop-down, then click Continue.
  • Policy Templates page: On the Policies page, click the Policy Templates button to go to the Policy Templates page, then click the Clone icon at the right of a row in the Templates list.

Both of the above methods lead you to an Add Policy page whose settings (see Policy Settings) are already filled in with the default settings of the template. Tailor the settings to your specific needs and save the new policy.

Add Policy from Template

The Add Policy from Template dialog includes the following settings and controls:

  • Cancel buttons: To cancel the action and close the dialog, click the X in the upper right corner or the Cancel button at lower left.
  • Drop-down menu: Display the menu to see a list of existing templates that you can use as the basis for your new policy.
  • Go to Policy Templates: A link that takes you to the Policy Templates page (see Policy Templates).
  • Template description: A description of the template and what it is designed to detect.
  • Continue: A button that takes you to the Add Policy page, whose tabs will be populated with the settings of the template you selected from the drop-down menu. You can tailor the new policy to the specific needs of your organization by adjusting these settings.
    Note: The Continue button will be greyed out until you select a policy template from the drop-down menu.
 

Policy Settings

The pages and dialogs used to specify policy settings are covered in the following topics:

Note: For specifics about policy setting UI:
- For Up/Down policies, see Up/Down Policy Settings.
- For Threshold policies, see Threshold Policy Settings.

 

Policy Settings Pages

Alert policy settings are accessed on the following policy settings pages; the specific page used depends on the situation (add, edit, clone, etc.):

  • Add Policy page: Used to specify the settings of a new custom policy. Accessed from the following locations:
    - From the Policies page via the Add Policy button at upper right.
    - From the Add Policy from Template dialog, accessed as described in Use a Policy Template.
  • Edit Policy page: Used to edit an existing policy. Accessed from the Policies page via Edit Policy on the Policy Action Menu.
  • Clone Policy page: Used to clone an existing policy (see Clone a Policy). Accessed from the Policies page via Clone Policy on the Policy Action Menu.
  • Add Query-Based Policy page: Used to create a policy from a query in Data Explorer. Accessed from Data Explorer via Create Alert Policy on the Actions menu (in the SubNav at the top of the page). The settings (dimensions, metrics, etc.) in Data Explorer's Query sidebar will be used to populate the settings of the policy (see Add a Query-based Policy).
 

Policy Settings Page UI

The policy settings pages share the same layout and the following common UI elements:

  • Help (? icon): A button in the SubNav that opens this KB article in a new tab.
  • Cancel: A button that reverts all settings to their values at the time the page was opened and returns you to the Policies page.
  • Create or Save: A button that saves changes to policy settings and returns you to the Policies page. The button is active only when the settings on all tabs are complete and error-free (see the indicators in the Policy Summary Pane).
  • Settings tabs (not present in Up/Down policies): The tabs on which the policy settings are made (see Threshold Settings Tabs).
  • Summary pane (not present in Up/Down policies): The Policy Summary Pane includes an expandable/collapsible card for each tab that indicates its status and gives a high-level overview of its settings.

Note: The Cancel and Create or Save buttons are located at the upper right, except in an Up/Down policy, where they are at the bottom of the page.

 

Manage Alert Policies

The following procedures cover basic operations related to managing alert policies in the portal:

Note: See also Add a Query-based Policy, Clone a Policy, and Use a Policy Template.

 

Add an Up/Down Policy

To create an Up/Down alert policy:

  1. Choose Settings from the portal's main menu.
  2. On the Settings page, click Alert Policies (under Alerting).
  3. On the resulting Policies page, click the Add Policy button at the upper right.
  4. In the Add Policy Dialog, select Up/Down and click Continue.
  5. On the resulting Add Policy page, specify the settings covered in Up/Down Settings Page.
  6. Click the Save button at the bottom of the page to save the policy and return to the Policies page, where the new policy will now be included in the Policies List.
 

Add a Threshold Policy

As discussed in Policy Creation Methods, Kentik provides several different approaches to creating an alert policy. The following is a basic outline for adding a threshold policy using the Add Policy page:

  1. Choose Settings from the portal's main menu.
  2. On the Settings page, click Alert Policies (under Alerting).
  3. On the resulting Policies page, click the Add Policy button at the upper right.
  4. On the General tab of the Add Policy page, specify the settings covered in General Policy Settings.
  5. On the Dataset tab, specify the settings covered in Policy Dataset Settings.
  6. On the Thresholds tab, specify the settings covered in Policy Threshold Settings.
  7. On the Baseline tab, specify the settings covered in Policy Baseline Settings.
  8. Click the Save button at the upper right to save the policy and return to the Policies page, where the new policy will now be included in the Policies List.
 

Add an NMS Threshold Policy

To create an NMS threshold policy:

  1. Choose Settings from the portal's main menu.
  2. On the Settings page, click Alert Policies (under Alerting).
  3. On the resulting Policies page, click the Add Policy button at the upper right.
  4. In the Add Policy Dialog, select Threshold and click Continue.
  5. On the General tab of the Add Policy page:
    - Select NMS from the Policy Type selector.
    - Set the other settings covered in General Policy Settings.
  6. On the Dataset tab:
    - Set the settings covered in Dataset NMS Settings.
    - Set the other settings covered in Policy Dataset Settings.
  7. On the Thresholds tab:
    - Set the settings covered in Thresholds NMS Settings.
    - Set the other settings covered in Policy Threshold Settings.
  8. On the Baseline tab, set the settings covered in Policy Baseline Settings.
  9. Click the Save button at the upper right to save the policy and return to the Policies page, where the new policy will now be included in the Policies List.
 

Edit a Policy

To edit an existing policy:

  1. Choose Settings from the portal's main menu.
  2. On the Settings page, click Alert Policies (under Alerting).
  3. In the Policies List on the Policies page, find the row of the policy whose settings you'd like to change.
  4. Click the Action icon (vertical ellipsis) at the right of the row and choose Edit Policy from the popup.
  5. On the resulting Edit Policy page, if this isn't an Up/Down policy, click on the tab containing the setting that you'd like to change (see Threshold Settings Tabs).
  6. Find the setting that you'd like to change, and change it.
  7. Click the Save button at the upper right to save your changes and return to the Policies page.
 

Disable or Enable a Policy

To disable a policy or re-enable a policy that was previously disabled:

  1. Choose Settings from the portal's main menu.
  2. On the Settings page, click Alert Policies (under Alerting).
  3. In the Policies List on the Policies page, find the row of the policy you'd like to disable or enable.
  4. Click the Action icon (vertical ellipsis) at the right of the row:
    - To disable an enabled policy, choose Disable from the popup. The policy will no longer monitor its dataset, generate alerts, or trigger mitigations.
    - To enable a disabled policy, choose Enable from the popup. The policy will resume normal policy-related functions.
 

Remove a Policy

To remove a policy from your organization's collection of policies:

  1. Choose Settings from the portal's main menu.
  2. On the Settings page, click Alert Policies (under Alerting).
  3. In the Policies List on the Policies page, find the row of the policy you'd like to remove.
  4. Click the Action icon (vertical ellipsis) at the right of the row and choose Remove from the popup.
  5. In the resulting confirmation dialog, click Remove. The policy will be permanently removed from your organization's collection of policies.
 

Debug a Policy

To debug a policy, that policy must currently be enabled. To debug an enabled policy:

  1. Choose Settings from the portal's main menu.
  2. On the Settings page, click Alert Policies (under Alerting).
  3. In the Policies List on the Policies page, find the row of the policy you'd like to debug.
  4. Click the Action icon (vertical ellipsis) at the right of the row and choose Debug from the popup. The Debug dialog appears.
    Note: You can also select Debug from the Action menu in a policy’s Policy Details Drawer.
  5. Depending on what you are trying to debug, use the drop-down button to select whether the Debug list shows Current Traffic or Baseline Data.

Note: When insufficient traffic is available for debugging, a message will display in place of the Debug list (see Policy Debug Dialog UI).

© 2014- Kentik