If you drill into an anomaly cluster (shown in the Enterprise-wide Correlated Anomalies table), the Anomaly Drill-In table opens. The table lists each anomaly with its probability, value, the originating router and interface, and the time that the anomaly occurred. Use the time link to drill into a trend chart that shows the value and probability over time.
The Anomaly Drill-In view provides the following information about each anomaly:
The type of anomalous network behavior detected. Anomaly types correspond to the sensors, which are described in Sensors Overview.
The name or IP address of the host on which the anomalous behavior is detected. The host may be a client system, a server, a router, or a router interface. The program attempts to resolve the hostname of any IP address and display that name in this field.
The calculated likelihood that flagged packet flows are truly anomalous. Probability thresholds are discussed in more detail in Probability Thresholds.
Probability is expressed as a percent. For example, if the probability for an anomaly type is 91%, the packet flows that triggered the anomalous behavior report are calculated to have a 91% probability of being anomalous. In this example, the packet flows had a low probability of occurring normally on this network.
For more information about how the probability algorithm operates, see Probability Thresholds.
The value that is used to determine the severity of the deviation from the baseline profile of network behavior. Shows what was measured in the network traffic.
The unit of measurement that is used to express the Value, such as packets, flows, or destination hosts (dest hosts).
The router, interface, or other data source that detected the anomalous data.
The date and time that the anomalous behavior was detected. The time may vary by up to 15 minutes from the time when the flows actually took place. Data is pulled from the Harvesters for analysis at 15-minute polling intervals.
| Copyright © 2013 CA. All rights reserved. |
|