Anomaly Drill-In

If you drill into an anomaly cluster from the Enterprise-wide Correlated Anomalies view, the Anomaly Drill-In table opens. For each anomaly, the table lists the probability, value, originating router and interface, and the time that the anomaly occurred. You can use the Date link to drill into a trend chart that shows the value and probability over time.

The Anomaly Drill-In view provides the following information about each anomaly:

Anomaly Type

The type of anomalous behavior. For a description of each anomaly type that you can enable for monitoring, see Sensors Overview.

Host

The name or IP address of the host on which the anomalous behavior is detected. The host may be a client system, a server, a router, or an interface. The program attempts to resolve the hostname of any IP address and displays that name in this field.

Host Link

Click a Host link to go to more granular information about the device that has the anomaly. Clicking a Host link may be the first step in troubleshooting the anomaly.

Host link destinations are based on the sensor type. For many CA Network Flow Analysis sensors, the Host link opens the page for defining a Flow Forensics report in the NFA console, which has pre-populated report filters.

Prob(%)

The calculated likelihood that flagged packet flows are truly anomalous.

Probability is expressed as a percentage. For example, if the probability for an anomaly type is 91%, the packet flows that triggered the reported anomalous behavior are calculated to have a 91% probability of being truly anomalous. In this case, the packet flows have a low probability of occurring normally on this network.

For more information about the probability algorithm, see Probability Thresholds.

Value

The value that triggered the report of anomalous behavior, expressed in the units of measure shown in the Unit column. For example, the value could be the number of gigabytes of data in the anomalous flow.

Metric/Unit

The unit of measurement that is used to express the Value, such as packets, flows, or destination hosts (dest hosts).

Discovered by

The router, interface, or data source that detected the anomalous data.

Discovered by Link

Click a Discovered By link to view details. The link destination is determined by the type of anomaly:

Date

The date and time that the anomalous behavior was detected. The time may vary by up to 15 minutes from the time when the flows actually took place, because data is pulled from the Harvesters for analysis at 15-minute polling intervals.

Date Link

Click the Date link to go to the Anomaly Trend view. This view shows the value and probability of the anomaly over time.

You can edit the following view settings:

Note: If your deployment includes CA Performance Center, you can use the Zoom feature to interactively limit the time frame.