Imperva Cyber Community

Hi all,
        What factors are related to the number of alerts? How is it calculated?
        As shown by the red box in the picture. 
        I'm a little confused about the relationship between the number of violations(in alert pane) and the number of aggregated violations in the aggregated alert details pane(A and B), as shown below.

        I founded that, A and B are equal when A is less than or equal to 500. According to the  "Web Application Firewall User Guide", in the section "Understanding Aggregated Alerts"，"Note: Up to 500 unique/distinct security events can be aggregated into a single alert." I think, It may be related to the mechanism of aggregation.
        Sometimes, I founded that, when B is 20,000, A is still 1000。I don't know how to explain it anymore。Hope someone can help explain it

Note: The picture comes from the screenshot of the implementation environment.


#On-PremisesWAF(formerlySecuresphere)

------------------------------
----------------------------------------
WAF operations engineer
Bruce Zhang
----------------------------------------
------------------------------

Hello,

I am not very sure but have you checked you might have two A alerts?
Meaning when are 2000 violations (B) in alerts you will find two A (1000+1000).

------------------------------
Sabajete Elezaj
SNT Albania
------------------------------

Original Message:
Sent: 06-03-2020 07:03
From: Bruce Zhang
Subject: number of violation in alert pane

Hi all,
        What factors are related to the number of alerts? How is it calculated?
        As shown by the red box in the picture. 

        I'm a little confused about the relationship between the number of violations(in alert pane) and the number of aggregated violations in the aggregated alert details pane(A and B), as shown below.

        I founded that, A and B are equal when A is less than or equal to 500. According to the  "Web Application Firewall User Guide", in the section "Understanding Aggregated Alerts"，"Note: Up to 500 unique/distinct security events can be aggregated into a single alert." I think, It may be related to the mechanism of aggregation.
        Sometimes, I founded that, when B is 20,000, A is still 1000。I don't know how to explain it anymore。Hope someone can help explain it

Note: The picture comes from the screenshot of the implementation environment.


#On-PremisesWAF(formerlySecuresphere)

------------------------------
----------------------------------------
WAF operations engineer
Bruce Zhang
----------------------------------------
------------------------------

@Ying Zhang, 

Thanks for the post. I have reached out to our experts and this is what they said. 

There was a lot of work done on this area a few years ago. Here is a quick summary: 

We have 3 levels of data:

1. Total number of events - unbounded single integer
2. Statistical information - 500 permutations of ip, UA, URL, session ID.... Total number of events in the 500 permutations is unbounded (each permutation can appear several times. We stop counting once we reach the 500 permutations limit)
3. Entire violations - we keep only 30 by default.

Note that regarding number of events: 1>=2>=3In the report:

• If you only set in Tabular tab just alert information, like name - you'll get the total number of occurrences (#1 from above).
• If you set a statistical parameter, like source IP, you'll get a list of IPs and occurrences with total number (#2) different than in report A since the statistics is used rather than only the total number of occurrences.
• If you set a parameter that is only kept on the actual event, like destination IP, than you'll get even a shorter list with a total number of occurrences of 30 (based on default configuration)

I hope this is helpful.

------------------------------
Christopher Detzel
Community Manager
Imperva
------------------------------

Original Message:
Sent: 06-03-2020 07:03
From: Bruce Zhang
Subject: number of violation in alert pane

Hi all,
        What factors are related to the number of alerts? How is it calculated?
        As shown by the red box in the picture. 

        I'm a little confused about the relationship between the number of violations(in alert pane) and the number of aggregated violations in the aggregated alert details pane(A and B), as shown below.

        I founded that, A and B are equal when A is less than or equal to 500. According to the  "Web Application Firewall User Guide", in the section "Understanding Aggregated Alerts"，"Note: Up to 500 unique/distinct security events can be aggregated into a single alert." I think, It may be related to the mechanism of aggregation.
        Sometimes, I founded that, when B is 20,000, A is still 1000。I don't know how to explain it anymore。Hope someone can help explain it

Note: The picture comes from the screenshot of the implementation environment.


#On-PremisesWAF(formerlySecuresphere)

------------------------------
----------------------------------------
WAF operations engineer
Bruce Zhang
----------------------------------------
------------------------------

@Christopher Detzel,
​Thanks for your reply, In addition, thanks to the experts and engineers behind the scenes. I think this function is great, let me understand the alert from different angles，at the same time avoid the alarm storm. It's just that sometimes customers don't fully understand. 

In addition, I have a question,  What does the statistical information include? Is it the "Statistical Information" parameter to the right of the alert details in the right pane of Alert eg: IP, UA, session ID...? Does it also include signature?

------------------------------
----------------------------------------
WAF operations engineer
Bruce Zhang
----------------------------------------
------------------------------

Original Message:
Sent: 06-08-2020 08:09
From: Christopher Detzel
Subject: number of violation in alert pane

@Ying Zhang, 

Thanks for the post. I have reached out to our experts and this is what they said. 

There was a lot of work done on this area a few years ago. Here is a quick summary: 

We have 3 levels of data:

1. Total number of events - unbounded single integer
2. Statistical information - 500 permutations of ip, UA, URL, session ID.... Total number of events in the 500 permutations is unbounded (each permutation can appear several times. We stop counting once we reach the 500 permutations limit)
3. Entire violations - we keep only 30 by default.

Note that regarding number of events: 1>=2>=3In the report:

• If you only set in Tabular tab just alert information, like name - you'll get the total number of occurrences (#1 from above).
• If you set a statistical parameter, like source IP, you'll get a list of IPs and occurrences with total number (#2) different than in report A since the statistics is used rather than only the total number of occurrences.
• If you set a parameter that is only kept on the actual event, like destination IP, than you'll get even a shorter list with a total number of occurrences of 30 (based on default configuration)

I hope this is helpful.

------------------------------
Christopher Detzel
Community Manager
Imperva

Original Message:
Sent: 06-03-2020 07:03
From: Bruce Zhang
Subject: number of violation in alert pane

Hi all,
        What factors are related to the number of alerts? How is it calculated?
        As shown by the red box in the picture. 

        I'm a little confused about the relationship between the number of violations(in alert pane) and the number of aggregated violations in the aggregated alert details pane(A and B), as shown below.

        I founded that, A and B are equal when A is less than or equal to 500. According to the  "Web Application Firewall User Guide", in the section "Understanding Aggregated Alerts"，"Note: Up to 500 unique/distinct security events can be aggregated into a single alert." I think, It may be related to the mechanism of aggregation.
        Sometimes, I founded that, when B is 20,000, A is still 1000。I don't know how to explain it anymore。Hope someone can help explain it

Note: The picture comes from the screenshot of the implementation environment.


#On-PremisesWAF(formerlySecuresphere)

------------------------------
----------------------------------------
WAF operations engineer
Bruce Zhang
----------------------------------------
------------------------------