Analyzing Experience Monitoring Anomalies

This article explains how to use the XDR Stories Workbench and story drill-down page to analyze XDR stories for anomalous behavior detected by the Experience Monitoring Anomaly engine.

For more about using the Stories Workbench, see Reviewing Detection & Response (XDR) Stories in the Stories Workbench.

Overview

Cato's XDR service detects anomalous activities based on Experience Monitoring, which may indicate an issue with an application or network performance to an application. The Anomaly engine monitors and analyzes the network traffic of each site and each application for an initial period of 14 days to establish a baseline for each new application based on the TTFB (Time to First Byte).

After that period, the engine runs once a day on the previous day's data and checks whether there was a significant deviation from the baseline. If an anomaly occurred, a story is generated.

Note: If several deviations occurred on the same day, only one story is generated for all of them.

Even after the baseline is established, it remains a dynamic measurement that is updated with each day's data: the initial baseline is established after the first 14 days, but it continues to evolve with the data from each new day.
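To make the mechanism above concrete, here is an added illustration (not Cato's code, and not its actual detection rule) of a TTFB baseline that is learned over 14 days, re-evaluated once per day on the previous day's hourly samples, updated with each new day, and that folds several deviations on one day into a single story. The "significant deviation" test (mean + 3 standard deviations) and the minimum standard-deviation floor are assumptions chosen for the example; the sample data is constructed.

```python
from statistics import mean, pstdev

BASELINE_DAYS = 14    # initial learning period from the article
K = 3.0               # assumed rule: a sample deviates if it exceeds mean + K*stdev (illustrative only)
MIN_STDEV_MS = 5.0    # assumed floor so a perfectly flat baseline does not flag tiny noise


def baseline_stats(days):
    """Pool every hourly TTFB sample (ms) from the given days into one mean/stdev pair."""
    samples = [ttfb for day in days for ttfb in day]
    return mean(samples), max(pstdev(samples), MIN_STDEV_MS)


def detect_stories(site, app, days):
    """days: chronological list, one inner list of hourly TTFB samples (ms) per day.

    Returns one story per day that had at least one deviation. Days inside the
    learning period never produce a story, and only increases in TTFB are treated
    as degradation (assumption). The baseline for day N is every day before N,
    so it keeps evolving after the initial 14 days, as the article describes.
    """
    stories = []
    for idx in range(BASELINE_DAYS, len(days)):
        mu, sigma = baseline_stats(days[:idx])          # dynamic baseline: all prior days
        threshold = mu + K * sigma
        deviations = [(hour, ttfb) for hour, ttfb in enumerate(days[idx]) if ttfb > threshold]
        if deviations:                                   # several deviations, one story
            stories.append({
                "day": idx, "site": site, "application": app,
                "baseline_ms": round(mu, 1), "threshold_ms": round(threshold, 1),
                "deviations": deviations,
            })
    return stories


def sample_days():
    """Constructed input: 16 days of hourly TTFB for one site/application pair."""
    normal = [200 + (h % 4) * 10 for h in range(24)]     # steady 200..230 ms
    days = [list(normal) for _ in range(16)]
    days[14][9] = 900                                    # day index 14: two spikes on one day
    days[14][10] = 850
    return days


if __name__ == "__main__":
    for story in detect_stories("Site-A", "app.example", sample_days()):
        print(story)
```

Running it yields a single story for day index 14 listing both spike hours; day 15, whose samples stay within the updated baseline, produces none.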

When the anomaly engine generates a story, you can review it in the Stories Workbench and drill down for further analysis of the story data.

Drilling-Down and Analyzing Experience Monitoring Anomaly Stories

You can click an Experience Anomaly story in the Stories Workbench to drill down into its details on a dedicated story page. This page contains additional information to help you start investigating the incident.

Showing an Experience Anomaly Story

Click an Experience Anomaly story in the Stories Workbench page to show the story details.

To show the Stories Workbench page:

  1. From the navigation menu, click Monitoring > Stories Workbench.

  2. Under Producer, select Experience Anomaly.

Understanding the Experience Anomaly Widgets

[Figure: Detection & Response Experience Anomaly story page, with numbered callouts for each widget]

These are the widgets for an Experience Anomaly story:

  1. Story summary - A summary of basic information about the story, including:

     • Anomaly name

     • Indication for the detected issue

     • The engine that produced the story

     • Source site where the story occurred

     • Application with which the site was communicating

     • Story status

  2. Details - Basic details about the story, including:

     • A description and summary

     • First Signal - Time of the first signal (traffic flow) associated with the anomaly

     • Creation Date - Time the story was generated

     • Last Updated - Time of the latest story update, such as a new target or changed verdict

     • Similar Stories - Shows stories with similar details such as site and application

  3. Experience Anomaly Widget - Visual indication of the application experience on the day of the story

  4. Connection Details Widget - Provides information about possible issues in different nodes on the connection path

Investigating Anomalies

Once you have the basic information about the anomaly, including the site on which it occurred, the application, and the time, you can use the Experience Monitoring widgets to investigate the story further.

For example, you can filter by application and use the Application Performance tab to view more information about possible issues that occurred at the time of the anomaly. You can also use the Tunnel tab to check whether there was a problem with the tunnel, or the Hosts tab to see whether a sudden spike in the number of users accessing the application may have caused the experience to degrade.
