Anomaly Detector
Being able to monitor and detect abnormalities in your cloud resources is important because it helps you provide highly available and reliable services.
This section guides you to identify details about the anomalies observed in your cloud account using CoreStack, even if they are rare in occurrence, for all the cloud resources.
Configuring Anomaly Detector
To discover and fetch information about the anomalies in cloud resources, an anomaly detector must be configured and integrated with CoreStack. During its integration, the anomaly detector can be set up for anomaly detection for all the required cloud accounts that are onboarded into CoreStack.
Currently the Azure Anomaly Detector is supported for integration with CoreStack and support for other anomaly detection tools/services are in the pipeline.
Azure Anomaly Detector
Configuring Anomaly Detector in Azure
Before you integrate the Azure Anomaly Detector with CoreStack, an Anomaly Detector resource must be created in any of your Azure Subscription. Perform the following steps to create an Anomaly Detector resource.
- Login to the Azure portal.
- Select Cognitive Services, then click on Create Anomaly Detector resource.
- Provide the necessary details: Name, Subscription, Location, Pricing Tier, and Resource Group.
- Click Create. An Anomaly Detector resource will be created.
- Navigate to the resource page and copy the Anomaly Detector resource's endpoint and any one of the API keys.
Refer Azure documentation for more details.
Integrating Azure Anomaly Detector with CoreStack
Once the Azure Anomaly Detector has been created, the same can be integrated in CoreStack by performing the following steps:
- Click
icon on the bottom left of CoreStack and select Integrated Tools from the menu. Integrated Tools screen will be displayed. - Select Anomaly Detector in the left side under Monitoring section.
- Click Add Account button.
- Provide the following details to add the Azure Anomaly Detector.
| Field | Description |
|---|---|
| Account Name | Specify a unique name for the Azure Anomaly Detector. |
| Description | Provide a detailed description about the Azure Anomaly Detector. It is an optional field. |
| Environment | Select the type of environment that will be handled by the Azure Anomaly Detector. The options are: Production, Staging, QA, Development and All. |
| Scope | Select the required boundary to define the area of influence for the Azure Anomaly Detector: Account, Private and Tenant. |
| Anomaly Detector Endpoint | Specify the endpoint of the Azure Anomaly Detector resource. |
| Anomaly Detector Key | Specify the API key of the Azure Anomaly Detector resource. |
- Click Next. The Tools Configuration screen appears.
- Select the cloud accounts that must be configured for anomaly detection in the Applicable Cloud Accounts field.
- Provide a value for the boundaries of anomaly detection in the Sensitivity field.
- Provide a baseline value that must be considered for anomaly detection in the Baseline Setting field.
- Click Next. The Authorization screen appears.
- Select the required roles to which the integrated Azure Anomaly Detector must be available in the Assign Roles section.
- Click Finish.
The Azure Anomaly Detector will be integrated with CoreStack successfully and starts detecting the anomalies in the configured cloud accounts.
Navigation
After an anomaly detector is integrated with CoreStack and configured for anomaly detection in the required cloud accounts, relevant information and insights will be available in the following sections.
Click on Operations in the Left navigation menu and select Anomaly Detector option to land in the Anomaly Detector screen.
There will be 3 tabs available in the Anomaly Detector screen: Metric Anomalies, Activity Insights, Recommendations.
Note: Activity Insights and Recommendations sections are available only for AWS. Support for the other clouds is in the pipeline.
Metric Anomalies
The complete list of anomalies detected for a selected category of resources in the cloud account can be viewed in this section. The analytical details of the anomaly will be displayed as a graph created based on the metrics gathered.
Activity Insights
Activities occurred in the resources that led to the anomalies can be viewed in this section. CoreStack identifies and lists the possible activities that could result in the observed anomalies using its intelligent algorithm. It helps in identifying the critical incidents that does not conform with the normal behaviour of resources.
Recommendations
In this section, recommendations for resolving the anomalies are provided based on the activities detected in the resources that led to these anomalies. It helps you in identifying and performing necessary actions that could potentially resolve these anomalies observed in resources.
Viewing the Detected Anomalies
In the Metric Anomalies tab of Anomaly Detector screen, the list of abnormalities detected can be filtered and viewed for each resource type.
- Select the required cloud provider from the Cloud Services dropdown list to filter the anomalies based on cloud.
- Select the cloud account for which the anomalies must be viewed from the Cloud Accounts dropdown list to view the anomalies specific to particular cloud accounts.
- Select the category of cloud resource from the Category dropdown list to filter the anomalies further based on the resource type. The supported resources are:
| Cloud | Category | Resource Type |
|---|---|---|
| AWS | Instances | CPUUtilization, NetworkIn, NetworkOut, DiskReadOps, DiskWriteOps |
| AWS | Databases | CPUUtilization, DatabaseConnections, FreeableMemory, ReadIOPS, WriteIOPS |
| AWS | Buckets | BytesUploaded, BucketSizeBytes, BytesDownloaded, NumberOfObjects |
| AWS | Transit Gateways | BytesIn, BytesOut |
| Azure | Compute | Percentage CPU, Network In, Network Out, Disk Read Operations/Sec, Disk Write Operations/Sec |
| Azure | Storage | Transactions, SuccessServerLatency, Egress, Ingress, UsedCapacity |
| Azure | Databases | cpu_percent, dtu_consumption_percent, deadlock, connection_failed, storage_percent |
| Azure | Network | PacketsInDDoS, BytesInDDoS |
The relevant anomalies will be listed and can be filtered using the Daily, Weekly or Monthly filters. Clicking on each anomaly will display the dataset gathered for the resources with the anomaly highlighted in a graph.
Tracking the Anomalies
In the Activity Insights tab of Anomaly Detector screen, the activities associated with the anomaly will be listed providing insights about the sequence of events that have affected at any time a specific function of the resource. Also, activities for only the supported categories will be listed. The supported resources are:
| Category | Description |
|---|---|
| Suspicious_IP_Address | This category specifies whether any event has occurred from multiple IPs within a short span of time. |
| Security_Group_Rule_Changes | This category specifies whether any security group rule changes has happened. CoreStack will group all the transactional activities performed around the same time. |
| Multiple_Termination_Analysis | This category specifies the multiple termination activities that happened within a short span of time. CoreStack will be group all the transactional activities performed around the same time. |
| Odd_Time_Activity | This category specifies whether any event has occurred in an abnormal time (which is not the usual time the user performs the activities). |
| Multiple_IAM_Changes | This category specifies whether multiple IAM-related events has been performed within a short span of time. |
| Multiple_Events_by_Newuser | This category specifies if a new user, who was created in a particular day, has done multiple transactional activities within a short span of time. |
| Frequent_Activity | This category specifies if an existing user has performed multiple transactional activities within a short span of time. |
| Multiple_Login_Failures | This category specifies if a user has attempted to login through console and failed for multiple times repeatedly within a short span of time. |
| Threat_Protection_and_Guard_duty_Events | This category specifies the activities which are the findings of the cloud-native finding tools such as guard duty results, etc. |
Resolving Anomalies using Recommendations
In the Recommendations tab of Anomaly Detector screen, recommendations are provided to resolve each anomaly observed. The proposed action for every recommendation varies based on the resource type and the nature of anomaly. You can review the recommended actions for an anomaly and either perform the proposed action or skip it.
Updated 6 months ago