Anomalies

NOTE: The Anomalies functionality is part of the SysTrack Intelligence Package. To access this functionality, you must purchase the Intelligence Package. Contact your Account team for more details.

This feature offers a machine-learning model that detects anomalies in a customer’s environment. By detecting issues early, customers can fix problems before they become widespread.

NOTE: Use the Manage Group Features area to control access to the Anomalies feature in Prevent.

Anomalies Overview Page

Access the Anomalies feature in Prevent.

If no anomalies are found, the History graph is blank. From the sensor drop-down list at the top right of the graph, select a sensor that the model uses to see its history.

Active Anomalies

By default, the Anomalies page shows Active Anomalies.

An anomaly is detected when at least two sensors activate more often than normal on a statistically significant number of systems.

Active anomalies display as tiles at the top of the screen. Each tile shows overview information about the anomaly, including the anomaly name, the sensors involved, the systems impacted, and the assignees. The information refreshes when you refresh the page.

By default, every anomaly starts with an ID. You can give the anomaly a friendly name, which displays at the top of the anomaly tile. To rename an anomaly, view the Anomalies Detail page. For more information, see Drill Into an Active Anomaly.

At the bottom right of the tile, the initials of the user assigned to the anomaly display. When you hover over the initials, the user's full name displays. If there is no assignee, an exclamation point displays.

History Graph

By default, the History graph shows the sensors that are involved in the active anomalies. There is a maximum of six sensors that can be graphed at once. The graph displays the last 30 days of sensor history so that you can see the sensor behavior leading up to the anomaly. You can zoom in to specific days for more information.

NOTE: If there are more than six sensors involved in active anomalies, only those sensors from the most recently activated anomalies display.

A red exclamation point displays on the graph at the time an anomaly is detected. When you hover over it, you can see the ID (or name if it has been renamed).

To change which sensors display on the graph, use the sensor selection drop-down list.

Drill Into an Active Anomaly

Select an anomaly from the overview page to access more details about the anomaly.

This page shows the ID, the start date, and an option to rename the anomaly. Anomaly names must be unique, cannot contain any spaces, and are limited to 128 characters.

Refresh the page to update information about the anomaly.

Add an Assignee to an anomaly so that users know who is investigating the anomaly. Only users with permissions to the Anomalies feature can be added as an assignee. There is a maximum of five assignees per anomaly. Assignees do not receive email notifications.

NOTE: You can delete assignees by hovering over the assignee icon on the Assigned To tile.

The Systems table shows all systems affected by the anomaly. Use the drop-down list to filter the table by system status.

An anomalous system can have one of three statuses:

  • Active: a system, in its latest sensor results, was found to have the anomaly

  • Monitoring: a system was found to have the anomaly at some point, but the anomaly is not detected in its latest sensor results. This could be because the system went offline (offline systems do not report sensor results), or because a fix pushed to a subset of systems is resolving the anomaly. These systems continue to be monitored until they are found to have the anomaly again or the anomaly is resolved.

  • Recovered: a system is recovered if it is not found to have the anomaly for at least 72 hours.

Double-click a system to view it in Resolve. (Or, right-click to open the link in the same tab or in a new tab.) The Online column in the Systems table indicates whether the system is currently online.

NOTE: It is possible for a system to go offline between the time a user loads the Anomalies detail page and drills down into the system in Resolve.

Sensors Involved

This graph is a deeper view of the sensors involved in the anomaly itself. It shows the sensor behavior in 15-minute increments, starting at the time the anomaly was detected.

In general, the sensor count is higher than the system count. The sensor count on this graph is the total number of times the sensor activated in a 15-minute window, not the number of systems it activated on. For example, three systems could each have had one sensor activation, or one system could have had the sensor activate three times within the same 15-minute window; both give a sensor count of three.
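To make the distinction between the sensor count and the system count concrete, here is an added example (not SysTrack code, and not tied to any SysTrack API) that buckets constructed sensor-activation records into 15-minute windows starting at the detection time and reports both counts per window. The record layout (timestamp, FQDN, sensor name), the sensor names, and the host names are assumptions made for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=15)  # the Sensors Involved graph counts activations per 15-minute window


def window_counts(activations, anomaly_start, sensor=None):
    """Bucket activation records into 15-minute windows measured from anomaly_start.

    activations: iterable of (timestamp, fqdn, sensor_name) records (assumed layout).
    sensor: if given, only that sensor's activations are counted (one series on the graph).
    Returns {window_index: {"sensor_count": total activations, "system_count": distinct systems}}.
    """
    per_window = defaultdict(lambda: {"sensor_count": 0, "systems": set()})
    for ts, fqdn, name in activations:
        if sensor is not None and name != sensor:
            continue
        if ts < anomaly_start:
            continue  # history before detection belongs to the 30-day History graph, not this one
        idx = int((ts - anomaly_start) // WINDOW)
        bucket = per_window[idx]
        bucket["sensor_count"] += 1      # every activation counts, even repeats on one system
        bucket["systems"].add(fqdn)      # a system is counted once per window
    return {
        idx: {"sensor_count": b["sensor_count"], "system_count": len(b["systems"])}
        for idx, b in sorted(per_window.items())
    }


# Constructed sample data: detection time, then activations spread over three windows.
T0 = datetime(2024, 1, 1, 9, 0)
M = timedelta(minutes=1)
SAMPLE = [
    (T0 - 5 * M, "a.example", "HighCPU"),        # before detection: ignored by window_counts
    (T0 + 1 * M, "a.example", "HighCPU"),        # window 0: three systems, one activation each
    (T0 + 2 * M, "b.example", "MemoryPressure"),  # window 0: a second sensor, filtered out below
    (T0 + 4 * M, "b.example", "HighCPU"),
    (T0 + 9 * M, "c.example", "HighCPU"),
    (T0 + 16 * M, "a.example", "HighCPU"),       # window 1: one system, three activations
    (T0 + 20 * M, "a.example", "HighCPU"),
    (T0 + 28 * M, "a.example", "HighCPU"),
    (T0 + 31 * M, "b.example", "HighCPU"),       # window 2: two systems, three activations
    (T0 + 33 * M, "b.example", "HighCPU"),
    (T0 + 40 * M, "c.example", "HighCPU"),
]

if __name__ == "__main__":
    for idx, counts in window_counts(SAMPLE, T0, sensor="HighCPU").items():
        print(f"window {idx}: sensors={counts['sensor_count']} systems={counts['system_count']}")
```

Windows 0 and 1 both show a sensor count of three, but window 0 spans three systems while window 1 is a single system repeating, which is exactly the ambiguity the paragraph describes; the Systems table, not this graph, tells you which.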

Systems Timeline

The systems timeline shows how the count of systems has changed over time. The timeline reflects systems as they are added to the anomaly and as they move to the Recovered status. In this timeline, systems with the Monitoring status are accounted for in the Active section.

Activity Feed

The Activity Feed shows the history of the anomaly, starting at the time it was detected. As more systems are found to have the anomaly, or as systems move to the recovered category, the FQDNs display in the Activity Feed. An entry is also added to the feed when an assignee is added.

When more than 10 systems are added to the anomaly or moved to Recovered in one event, a Show Systems button displays in the Activity Feed. Click Show Systems to filter the Systems table to those systems. Use the drop-down list at the top of the Systems table to clear this filter.

Possible Events in the Activity Feed

The Activity Feed can contain the following events:

  • Anomaly Detected

  • Systems Added: Less than Ten

  • Systems Added: More than Ten

  • Systems Moved to Recovered Status

  • Assignee Added

  • Anomaly Resolved

  • Resource Consumption Error

Previous Anomalies

From the Overview page, select Previous Anomalies from the drop-down list to view historical data.

When you select Previous Anomalies, it shows all resolved anomalies from the past year.

You can drill into details about previous anomalies to see what happened.

For previous anomalies, you do not have any edit access. You cannot change the assignee or modify the name of the anomaly.

The Systems table shows all the systems that were affected by the anomaly.

NOTE: The online status column indicates the current status of the device.

Resolve Anomalies

There are two ways for an anomaly to resolve:

  • 24 hours after all systems in the anomaly have moved to the Recovered status.

  • The counts of all sensors involved in the anomaly return to a normal range for the environment.
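The three system statuses described under Drill Into an Active Anomaly (Active, Monitoring, Recovered after 72 hours) and the two resolution rules above together form a small state machine. The following is an added example, not SysTrack's implementation, that models those rules over a constructed timeline of per-system sensor results. Assumptions: each result batch says, per system, whether the anomaly was detected (True), not detected (False), or nothing because the system was offline (None), and an offline system is treated as "not detected in latest results", which the page gives as one reason a system shows Monitoring. Whether sensor counts are back in the normal range is decided by the model upstream, so here it is simply passed in as a flag.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional

RECOVERY_WINDOW = timedelta(hours=72)  # page: Recovered after 72 h without the anomaly
RESOLVE_DELAY = timedelta(hours=24)    # page: resolved 24 h after every system is Recovered


@dataclass
class SystemState:
    fqdn: str
    last_seen_with_anomaly: datetime  # most recent result batch in which the anomaly appeared
    latest_result_has_anomaly: bool   # what the most recent batch said (False if it went offline)


def status(state: SystemState, now: datetime) -> str:
    """Map one system's history onto the three statuses the page describes."""
    if state.latest_result_has_anomaly:
        return "Active"
    if now - state.last_seen_with_anomaly >= RECOVERY_WINDOW:
        return "Recovered"
    return "Monitoring"


def apply_results(states: Dict[str, SystemState], results: Dict[str, Optional[bool]], now: datetime):
    """Fold one batch of sensor results into the per-system state.

    results maps FQDN -> True (anomaly seen), False (clean), None (offline, no report).
    A system joins the anomaly the first time it reports True; clean or offline systems that
    were never part of the anomaly are ignored.
    """
    for fqdn, seen in results.items():
        if seen:
            st = states.get(fqdn)
            if st is None:
                states[fqdn] = SystemState(fqdn, now, True)  # newly added to the anomaly
            else:
                st.last_seen_with_anomaly = now
                st.latest_result_has_anomaly = True
        elif fqdn in states:
            states[fqdn].latest_result_has_anomaly = False  # clean or offline: Monitoring until 72 h pass
    return states


def status_counts(states: Dict[str, SystemState], now: datetime) -> Dict[str, int]:
    counts = {"Active": 0, "Monitoring": 0, "Recovered": 0}
    for st in states.values():
        counts[status(st, now)] += 1
    return counts


def is_resolved(states: Dict[str, SystemState], now: datetime, sensors_back_to_normal: bool = False) -> bool:
    """The two resolution paths: sensor counts normal again, or 24 h after all systems Recovered."""
    if sensors_back_to_normal:
        return True
    if not states or any(status(st, now) != "Recovered" for st in states.values()):
        return False
    # The last system to reach Recovered did so 72 h after its last detection.
    all_recovered_at = max(st.last_seen_with_anomaly for st in states.values()) + RECOVERY_WINDOW
    return now >= all_recovered_at + RESOLVE_DELAY


# Constructed timeline: three hosts, one drops offline and returns, then all go clean.
T0 = datetime(2024, 1, 1, 0, 0)  # constructed detection time
H = timedelta(hours=1)


def run_scenario() -> dict:
    states: Dict[str, SystemState] = {}
    apply_results(states, {"a.example": True, "b.example": True, "c.example": True}, T0)
    apply_results(states, {"a.example": True, "b.example": True, "c.example": None}, T0 + 1 * H)
    after_offline = status_counts(states, T0 + 1 * H)  # c.example offline -> Monitoring
    apply_results(states, {"a.example": True, "b.example": False, "c.example": True}, T0 + 2 * H)
    apply_results(states, {"a.example": False, "b.example": False, "c.example": False}, T0 + 3 * H)
    return {
        "after_offline": after_offline,
        "mid": status_counts(states, T0 + 50 * H),    # clean < 72 h: everyone Monitoring
        "late": status_counts(states, T0 + 74 * H),   # 72 h since last detection: Recovered
        "resolved_at_50h": is_resolved(states, T0 + 50 * H),
        "resolved_at_97h": is_resolved(states, T0 + 97 * H),
        "resolved_at_98h": is_resolved(states, T0 + 98 * H),  # 24 h after the last recovery
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

Note how the resolution time is derived from the data rather than tracked separately: the last detection on any system plus 72 hours is when the anomaly's last system recovered, and 24 hours after that the anomaly resolves, unless the sensor-count path resolves it earlier.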

Notifications

An email notification will be sent to a designated list of recipients when an anomaly is detected.

NOTE: You cannot customize the content of an anomaly notification.

  1. To assign an anomaly notification, go to Configure > Sensor Configuration > Notifications.

  2. Click Recipients and then Add New Recipient.

  3. (Optional) Select an existing recipient. The Type must be User, Distribution List, or System with Email selected in Connection.

  4. Click Receive Anomaly Notifications to add them as an anomaly notification recipient.

User Notifications

  1. In Recipient Type, click User.

  2. Enter the First Name, Last Name and Work Email.

  3. Click Receive Anomaly Notifications.

  4. Click Add Recipient.

Distribution List Notifications

  1. In Recipient Type, click Distribution List.

  2. Enter Name and Email.

  3. Click Receive Anomaly Notifications.

  4. Click Add Recipient.

System Notifications

  1. In Recipient Type, click System.

  2. Enter Name.

  3. In Connection, select Email and then enter the email address.

     NOTE: Anomaly notifications are only sent by email. Webhooks are not supported for anomaly notifications at this time.

  4. Click Receive Anomaly Notifications.

  5. Click Add Recipient.

Filter by Anomaly Notification Recipients

On the Recipients tab, click Show Only Anomaly Notification Recipients. The list then displays only the users, systems, and distribution lists that receive anomaly notifications.