SNYPR Analytics Guide · 2019-10-01 · AppendixA Type Rule Description Pre-set Thr-esh-old Valu-e...

SNYPR-EYE 1.3

User Guide

Date Published: 9/6/2019

Securonix Proprietary Statement

This material constitutes proprietary and trade secret information of Securonix, and shall not be disclosed to any

third party, nor used by the recipient except under the terms and conditions prescribed by Securonix.

The trademarks, service marks, and logos of Securonix and others used herein are the property of Securonix or

their respective owners.

Securonix Copyright Statement

This material is also protected by Federal Copyright Law and is not to be copied or reproduced in any form, using

any medium, without the prior written authorization of Securonix.

However, Securonix allows the printing of the Adobe Acrobat PDF files for the purposes of client training and

reference.

Information in this document is subject to change without notice. The software described in this document is

furnished under a license agreement or nondisclosure agreement. The software may be used or copied only in

accordance with the terms of those agreements. Nothing herein should be construed as constituting an additional

warranty. Securonix shall not be liable for technical or editorial errors or omissions contained herein. No part of this

publication may be reproduced, stored in a retrieval system, or transmitted in any form or any means electronic or

mechanical, including photocopying and recording for any purpose other than the purchaser's internal use without

the written permission of Securonix.

Copyright © 2019 Securonix. All rights reserved.

Contact Information

Securonix

14665 Midway Rd. Ste. 100

Addison, TX 75001

(855) 732-6649

SNYPR-EYE User Guide 2

Table of Contents

Introduction 4Documentation Conventions 4Supported Operating Systems 5

Get Started with the Dashboard 5Dashboard Components 5

Add an Environment 26

Add a Connection 28

Configure Sensors 31

Add an Asset 34

Add a Tenant 37

Configure SMTP 41

Configure SNMP 43

Configure Access Control 45Manage Users and Roles 45Add a User 46Add a Role 48

Mask an Entity/Role 49

Add a Certificate 51

Configure Alerts 53

Appendix A 54Environment 55Ingestion 158Analytics 172


Introduction

IntroductionSNYPR-EYE is a monitoring tool that lets you view detailed information about the per-formance of your SNYPR deployment. It provides dashboards that give you visibilityinto many areas of your deployment, including:

l System Components: CPU, memory, and disk

l SNYPR Services: Tomcat, Apache, MySQL, NTP, and Syslog-ng

l Hadoop Services: HDFS, Kafka, HBase, Spark, and Zookeeper

l SNYPR Applications: Ingestion, enrichment, behavior profiling, and risk scoring

l Data Analytics: Violation trends

The SNYPR-EYE Console registers components, services, and jobs from theSNYPR-EYE Agent. The SNYPR-EYE Agent is deployed on each instance to mon-itor nodes and trigger alerts when a failure occurs. For example, an alert is triggeredwhen a resource meets a pre-set threshold or a status change occurs for a service.You can set up alert notifications via email to the operations team responsible formonitoring the platform.

SNYPR-EYE supports two types of environments, including:

l Single tenant: A Single tenant environment serves a single customer. With singletenancy, each tenant has an independent database and instance.

l Multi-tenant: A Multi-tenant environment serves multiple customers. Each tenantshares a database and application. The data for each tenant is isolated andremains invisible to other tenants.

Documentation ConventionsThere are different font styles used throughout the SNYPR documentation to indicatespecific information. The table below describes the common formatting conventionsused in the documentation:


Get Started with the Dashboard

Convention Description

Bold font

Words in bold can indicate the fol-lowing:

l Buttons that you need to click

l Fields in the user interface (UI)

l Menu options in the UI

l Information you need to type orselect

Indicates commands or code.

Menu navigation

The navigation path to reach a specificscreen in the UI is separated by agreater than symbol (>). For example,Menu > Administration.

UPPERCASE FONT All uppercase words are acronyms.

Folders and folder pathsQuotation marks are used around afolder name or folder path. For example,“C:\Documents\UserGuide”.

Supported Operating SystemsSNYPR-EYE is supported on the following operating systems:

l CentOS 7.1+

l RHEL 7.1+

Get Started with the DashboardThis section includes the following topics:

Dashboard ComponentsThere are 4 main components on the Dashboard, including:



1. Application Statistics

The Application Statistics section shows statistics across your SNYPR environment.The following statistics are available:

Assets

The number of assets that are configured in your environment. Click the blue trianglenext to the number of Assets to see a dashboard of server node specific information.



The Assets dashboard contains the following columns:



a. Click a specific asset to view the Assets Summary.

l Memory: Relative percentages of Used, Available, and Total Memory of a par-ticular node in a donut chart.

l CPU: Visualizes the minimum, maximum, and average CPU percentage for aparticular node in a line chart.

l Disk: The percentage of Used, Available, and Total Memory size of the diskallocation on a particular node in donut chart format.

l Mounted Drives: Details on all the mounted drives disk usage.

l Disk I/O: Disk input/output.

b. Disk: The amount of disk storage currently in use for the asset.

c. CPU: The amount of CPU currently in use for the asset.

d. Memory: The amount of memory currently in use for the asset.

e. Services/Roles:



l Services: The number of services that are running and installed.

Example: If your Services button displays as 2/3, this means there are 2 ser-

vices running and 3 services installed.

l Roles: The number of roles assigned. Click to expand and view the nodes that

are attached to the asset:

o Compute Node: Hadoop compute components.

o Search Nodes: Solr instances.

o Kafka Notes: Kafka nodes.

o Admin Nodes: Admin nodes.

o Application Nodes: Web application server nodes.

The color of the node reflects the status of the Service/Role. The status colorsinclude:

l Green: The service is running.

l Blue: The role is running.



l Red: The service failed.

Identities

The number of user identities configured in the SNYPR application. Click the blue tri-angle next to the number of Identities to see a list of Total Identities, ActiveIdentities, In-Active Identities, and Licensed Identities.

Datasources

The number of datasources that are integrated and ingesting data into the envir-onment.

Policies

The number of policies configured in the SNYPR application. For a multi-tenant envir-onment, the sum of all the tenants in the environment of the policies configured willdisplay.

Ingesters

A list of the ingesters that are configured in the environment to ingest data. Click theblue triangle next to the number of Ingesters to see which ingesters are running orstopped. An alert is generated when any of the ingesters are down.



Active Batches

The number of active batches for all the Spark applications in the environment. Clickthe blue triangle next to the number of active batches to see the details for eachSpark application running in the environment.



Current EPS

The current events per second (EPS) for a tenant in a single-tenant environment. Fora multi-tenant environment, the sum of all tenants will display. The value is updatedevery minute.

Today's Avg EPS

The current average EPS for a single tenant environment. For a multi-tenant envir-onment, the sum of all tenants will display. Click the blue triangle next to the numberof Today's Avg EPS to see the EPS history.

The value is updated every hour.



Today's Peak EPS

The current peak EPS of a tenant in single tenant environment. For a multi-tenantenvironment, the sum of the current peak EPS of all tenants will display.

The value is updated every hour.

Licensed EPS

The total licensed EPS of the SNYPR application.

Memory Allocated

The total memory used by the Spark applications in the environment.

Core Allocated

The total CPU/Cores utilized by the Spark applications in the environment.

Hbase

The gigabyte (GB) size of the Hbase tables in the environment. Click the blue triangle



next to the GB value to see a list of Hbase tables and their specific GB information.

HDFS

The number of HDFS storage. Click the blue triangle next to the GB value to see spe-cific details.



2. Hadoop Services

The health status of a Hadoop service is indicated by the following colors:

l Green: The service is running.

l Yellow: The service has an error.

l Red: The service is stopped.

l Gray: The service is not configured.

3. Application Alerts

The Application Alerts dashboard displays a list of alerts in your environment for thelast 24 hours as well as historic alerts. By default, the alerts dashboard shows alertswith an open status from the past 24 hours. The alerts displayed in each section,Open, Acknowledged, or Resolved, are prioritized based on criticality as well as timeof alert.

You can complete the following actions from the Application Alerts section:



a. Alert Status: Click to see alerts that are Open, Acknowledged, or Resolved. Thealerts will move from one section to another based on the action taken by the oper-ations engineer or if the alert is auto-resolved.

b. 24 Hour Alerts: Click to view alerts within the past 24 hours.



c. Calendar Icon: Click to select a date or date range.



d. Filter: Click to filter the alerts by Criticality, Types, Status, Assets, or Tenants.

e. Actions Icon: Click to respond to an alert. The following two options are available:

l Acknowledge: Indicates that you plan to investigate the alert. Choose thisoption when the alert status is Open.

l Resolve: Indicates that the alert is resolved. Choose this option when the alertstatus is Open or Acknowledged.

Additionally, when an alert status is either acknowledged or resolved, you canchoose Create Incident to indicate that the alert is under further investigation.



4. Tenants Summary

The Tenant Summary displays information about the analytics running, the datasource publishing data in the environment, tenant details, and Spark application stat-istics.

Click the grid icon to choose how you want to view your data. The following optionsare available:



Events Monitoring

By default, the Tenants Summary will show this view. The following options are avail-able:

a. Date Range: Select the date range for the events you want to view. The following

options are available: Current Hour, Today, 5 Days, 15 Days, 1 Month, 3 Months,

6 Months, YTD, 1 Year.



b. Data Type: Choose whether to view Ingestion or Analytics data. If you chooseAnalytics, you have an option to display events by one or more policies.

c. Datasources: Select one or more datasources that you want to view. You can alsoSelect All or Deselect All datasources.



d. Event Type: Select whether you want to view Published, Processed, Indexed, orSaved to HDFS events.

e. Category: Choose to view events by Event Count, Average EPS, or Peak EPS.



f. View: Select event data format. The following options are available:

l Bar Chart

l Heat Map



l Tabular

Note: Analytics data is available only in bar chart format.



License Details


Add an Environment

History

Add an EnvironmentEach environment can be configured to monitor a single SNYPR application, or inmulti-tenant environment, it can be configured to monitor multiple SNYPR applic-ations. If required, multiple environments can be configured to support production,development, and quality assurance (QA) environments. Upon completion of a suc-cessful installation of the SNYPR-EYE Application, the first environment is set up,and you can view it when you click Configure > Environment.


Add an Environment

Environment configuration requires Assets, Connections, and Sensor setup. Toaccess your environment configurations, navigate to Configure > Environment. Fromhere you can add new environments, nodes/assets, and connections. You can alsomodify and delete your existing Assets, Connections, and Sensors by selecting anexisting environment, and then clicking the pencil icon (edit) or the red X (delete) inthe Actions column.

To add an environment, do the following:

1. Navigate to Configure > Environment.

2. Click + on the top left of the screen.

3. Provide the following environment details:

a. Name: Specify a unique name for the environment. Note that the name cannotbe changed once it is set up.

b. Hadoop Distribution: Specify the Hadoop distribution for the environment. Forexample, CLOUDERA/HORTONWORKS.

c. Architecture Type: Specify the architecture type.

4. Click Save.


Add a Connection

Add a ConnectionThe connection details entered are used to retrieve the node information and deployagents. This tab gives you an overview of your connections by Name and Type. Youcan also add a new connection by clicking the Add Connection button and com-pleting the required information, and you can edit or delete a connection by clickingthe icons under the Actions column.

To add a connection, do the following:


2. Click Add Connection.

3. Provide the following connection details:


Add a Connection

a. Connection Type: Select one of the following supported connections:l Hortonworks

l Cloudera

l Resource-Manager

l SOLR-Manager

l AWS

b. Complete the following information:


Add a Connection


Configure Sensors

a. Name: Type the name of the connection.

b. (Optional) Kerberos: Check the box to enable Kerberos in your envir-onment.

c. password: Provide the password information.

d. protocol: Provide the protocol information.

e. port: Provide the port information.

f. host: Provide the host information.

g. username: Provide the username information.

4. Click Save.

Configure SensorsThe Sensors tab allows you to add a sensor configuration.

To configure a sensor connection, do the following:


2. Click the Sensors tab and complete the following information:


Configure Sensors

a. Servers: Specify a list of server names, separated by commas.

b. Sensor Topic: Specify the sensor topic name.

a. (Optional) SSL:

b. (Optional) Kerberos:

3. (Optional) When SSL is enabled in your environment, provide the following inform-ation:


Configure Sensors

a. Upload Truststorefile: Click Choose File and specify the truststorefile.

b. Truststore password: Specify the truststore password.

c. Upload Keystorefile: Click Choose File and specify the keystorefile.

d. Keystore password: Specify the keystore password.

e. Key password: Specify the key password.

4. (Optional) When Kerberos is enabled in your environment, provide the following

information:


Add an Asset

a. Principal: Specify the service request name.

b. Keytab Path: Specify the keytab path.

5. Click Save.

Add an AssetOn the Assets tab, you can view the status of the asset in your environments, andadd, edit, or delete your existing Assets.

The green icon next to an asset shows the status of the agent installed on the asset.Agents are deployed on each asset/node to monitor its health. After installation, youwill see an option to deploy the agent for the asset on which the agents were not suc-cessfully deployed during the install process. Agent deployment is recommended toenable asset monitoring.

To deploy agents, click the edit icon, provide the credentials for the asset, enableDeploy agent, and then click Save. After successful installation of an agent on theasset you will be diverted to the asset screen where you will be able to see the agenthealth.

To add an asset, do the following:


2. Click the Assets tab.

3. Click + Add Asset.


Add an Asset

4. Provide the following asset details:


Add an Asset

a. Hostname: Specify the hostname for the asset.

b. Instance type: Specify the instance type.

c. IP Address: Specify the IP Address.


Add a Tenant

d. Username: Specify the ssh (Secure Shell) username.

e. Password: Specify the ssh password.

5. (Optional) Deploy Agent: Set this to YES to make the agent report statistics for the

asset.

Note: As a best practice, we recommend deploying the agents on the asset while

adding the asset to enable asset monitoring.

6. Click Save.

You can always go back and edit the asset by clicking the edit icon (pencil icon) ordelete the asset by clicking the red "x" icon under the Actions column.

Add a TenantThe Tenants screen allows you to view the existing tenant details and configure themonitoring capability of the tenant. During install process, initially a single ten-ant/SNYPR application would be configured. You can view the status of the tenant onthe Tenant configuration screen. Currently, adding tenants can be done from the backend, while monitoring can be set up from the UI after the tenant has been deployed inthe environment.

To add or configure monitoring for tenants, follow the below steps:

1. Navigate to Configure > Tenants.

2. Click Add Tenant.


Add a Tenant

3. Complete the following Tenant Details:

a. Name: Specify the tenant name.

b. Description: Provide the client name.

c. Snypr War Version: Specify the SNYPR war version.

d. Snypr Console URL: Specify the SNYPR console URL.

e. Licensed EPS: Specify the licensed EPS for the tenant.

4. Click Next.

5. Complete the following Kafka Configuration details:


Add a Tenant

a. Kafka Servers: Specify a comma separated server list.

b. Counts Topic: Specify the count topic name.

c. Control Topic: Specify the control topic name.

d. Ops Messages Topic: Specify the ops topic name.

e. (Optional) SSL: Check the box to enable the SSL connection. When SSL isenabled, you will need to provide the following information:l Upload truststorefile

l Truststore password

l Upload keystorefile

l Keystore password

l Key password

f. (Optional) KERBEROS: Check the box to enable Kerberos authentication.When Kerberos is enabled, you will need to provide the following information:


Add a Tenant

l Principal: Specify the service request name.

l Keytab Path

6. Click Next.

7. Complete the following Database Configuration details:

8. Click Test.

9. Click Save.

The Admin user can now validate the tenant configuration and delete tenant(s) fromthe Tenants screen.

As a best practice, it's recommended to validate your configuration after you add/-modify your tenant(s). Ensure your configuration is valid by clicking Validate Con-figuration button on the Tenants screen.

Click Ok to exit the pop-up window.


Configure SMTP

Configure SMTPThe SMTP (Simple Mail Transfer Protocol) screen is used in sending and receivingemail.

To configure your SMTP connection details, do the following:

1. Navigate to Configure > SMTP.

2. Enter the following SMTP connection details:


Configure SMTP

a. SMTP Mail from: Specify the SMTP from mail address (e.g., [email protected]).

b. Send Alert Email To: Specify Alert Email To recipient mail address. Globalemail is used if c, d, and e are not enabled.

c. Send Ingestion team Alert Email To: Set the toggle to YES and enter emailaddress(s) separated by commas to send data ingestion alerts to a specificgroup of operations engineers. If this setting is not enabled, ingestion alertswill be send to the email address(s) specified in step 2 b.


Configure SNMP

d. Send Environment team Alert Email To: Set the toggle to YES and enteremail address(s) separated by commas to send data environment (infra-structure) alerts to a specific group of operations engineers. If this setting is notenabled, ingestion alerts will be send to the email address(s) specified in sec-tion b.

e. Send Analytics team Alert Email To: Set the toggle to YES and enter emailaddress(s) separated by commas to send data Analytics alerts to a specificgroup of operations engineers. If this setting is not enabled, ingestion alertswill be send to the email address(s) specified in section b.

f. Send Incident support team Email To: Set the toggle to YES to create ticketsor incidents directly in the support portal, which can create incidents via emailmessages.

g. SMTP Host: Specify the SMTP host name.

h. SMTP Port: Specify the SMPT port.

i. SMTP AUTH: To enable this option, set the toggle to YES and provide the fol-lowing information:l SMTP username: Specify the SMTP authentication username.

l SMTP Password: Specify the SMTP authentication password.

3. Click Save.

Configure SNMPSimple Network Management Protocol (SNMP) is an Internet standard protocol usedto collect and organize information about managed devices on IP networks andmodify that information to change device behavior.

To configure your SNMP traps connection details, do the following:

1. Navigate to Configure > SNMP.

2. Complete the following information:


Configure SNMP


Configure Access Control

a. SNMP Host: Specify SNMP receiver host name.

b. SNMP Port: Specify SNMP receiver port name.

c. SNMP community: Specify SNMP community.

d. SNMP Oid: Specify SNMP Oid.

3. Click Save.

Configure Access ControlAccess Control configuration is used to set up new users or new roles and manageexisting users and roles. Each user can be assigned specific roles based on accessrequirements. To configure these options, navigate to Configure > Access Control.

This section contains the following topics:

l Manage Users and Roles

l Add a User

l Add a Role

Manage Users and RolesBy default, you will be directed to the Manage Users screen.

From here, you can add a user, or use the icons under the Actions column to performthe following actions:



Icon Action

Click this icon to change a user password.

Click this icon to edit the user name, first name, last name, and emailaddress, and to modify the user's roles.

Note: You cannot edit an admin user.

Click this icon to delete a user.

Add a UserTo add a user, do the following:

1. Click + Add User.

2. Provide the following User Details:



a. User Name

b. Password

c. Re-Enter Password

d. First Name

e. Last Name

f. Email

3. Click Next.

4. Check the box next to the Role Name you want the user to be added to.



5. Click Save.

Add a RoleTo add a role, do the following:

1. Click Manage Roles from the left side of the screen.

2. Enter the following Role Details:


Mask an Entity/Role

a. authority: Specify the authority name.

b. Description: Specify the description of the role.

3. Select items you want for the role and move them to the right side of the multi-select box.

Tip: To select multiple items at once, click and drag over the items you need.

4. Click Save.

Mask an Entity/RoleWith the Masking configuration, you can mask entity attributes and/or roles and maskall the attribute associated with the role.

To enable masking for an entity or role, do the following:

1. Navigate to Configure > Masking.

2. Set Masking to YES to enable masking.

3. Click an Entity or Role that you want to mask an attribute(s) for.


Mask an Entity/Role

A pop-up will display that allows you to select one or multiple attributes/roles tomask.


Add a Certificate

4. Select the attribute(s)/ role(s) you want to be masked, then click the right arrow.

5. Click Save when you are done with your selection.

Add a CertificateTo add a certificate, do the following:

1. Navigate to Configure > Certificates.

2. Click Add Certificate.

3. Provide the following Certificate Details:


Add a Certificate

a. Country: Specify the country name used for signing certs.

b. State: Specify the state name used for signing certs.

c. Location: Specify the location used for signing certs.

d. Organization: Specify the organization name used for signing certs.

e. Organization Unit: Specify the organizations unit name used for signing certs.

f. Common Name: Specify the common name used for signing certs


Configure Alerts

g. Cert Expire Days: Specify the signing certs expire date using numeric valuesonly.

h. Ca Key Password: Specify the password for ca keystores.

i. Tkey Password: Specify the password for creating/using tenant keys.

j. Tstore Password: Specify the tenant keystores.

4. Click Create server certs.

Configure AlertsSNYPR-EYE has three types of alerts, including:

l Ingestion: Ingestion alerts monitor any ingestion related statistics in the envir-onment. For example, a spike or drop in data ingestion and Spark applications.

l Environment: Environment alerts monitor the assets and Hadoop services,SNYPR application services, and configuration changes to the environment.

l Analytics: Analytics alerts monitor any spike or drop in violations, and policy con-figuration changes.

To configure alerts, navigate to Configure > Alerts. From this screen, you can sortand filter alert information to customize how you organize and view your data. Youcan filter a column of data to isolate the key components you need by clicking the AllTypes, All Frequencies, or All Criticalites drop-down. You can also sort your alertsalphabetically in ascending or descending order by clicking a column header.

The following columns display:


Appendix A

a. Name: Hover your cursor over the information icon, on the right side of an alertname, to view a description of an alert.

b. Type: Displays the type of alert.

c. Criticality: Adjust the slider to change the criticality for an alert.

d. Frequency: Use the drop-down to update the frequency for an alert. This attributeworks in sync with the alert frequency. For example, if the Frequency is set toMinute and the Interval is set to 5, this means the alert is checked and updatedevery 5 minutes.

e. Interval: Type a value to change the interval for an alert.

f. Threshold: Type a value to update the threshold for an alert.

g. Enable: Set to YES to enable an alert.

h. Web Notification: Set to YES to send Web notifications for an alert.

i. Email Notification: Set to YES to send email notifications for an alert.

j. Auto Resolve Email Notification: Set to YES to send email notifications for a good

or resolved alert notification. By default, this setting is disabled. If required, it can

be enabled.

Tip: Enable Auto-Resolved Email Notification only for critical alerts, otherwise you

will receive alerts for all system-resolved alerts. This feature is useful when the

SNYPR-EYE user interface (UI) is not used to monitor or manage alerts.

SNYPR-EYE has default alert configurations based on the recommended settings forall the alerts. For a complete list of default alerts, see Appendix A.

Appendix AThis appendix contains a list of pre-configured alerts for the environment, ingestion,and analytics.


Appendix A

EnvironmentThe following table lists and describes each of the available predefined environmentalerts:


Appendix A

Type Rule Description

Pre-setThr-esh-oldValu-e

Crit-ical-ity

Fre-que-ncy

Ou-t-of-th-e-boxSta-tus

Ser-viceMon-itoring

Java downJava ServiceHealth Status

0Hig-h

Minu-te

En-abl-ed


Appendix A



Crit-ical-ity

Fre-que-ncy


MySql downMySQLSer-vice HealthStatus

0Hig-h

Minu-te

En-abl-ed


Appendix A



Crit-ical-ity

Fre-que-ncy


Ssh downSSH ServiceHealth Status

0Hig-h

Minu-te

En-abl-ed


Appendix A



Crit-ical-ity

Fre-que-ncy


Ntp downNtp ServiceHealth Status

0Hig-h

Minu-te

En-abl-ed

Redis downRedis Ser-vice HealthStatus

0Hig-h

Minu-te

En-abl-ed

Syslog downSyslog Ser-vice HealthStatus

0Hig-h

Minu-te

En-abl-ed

Apache downApache Ser-vice HealthStatus

0Hig-h

Minu-te

En-abl-ed

SNYPRapplication

SNYPRApplicationHealth Inform-ation

0Hig-h

Minu-te

En-abl-ed

RIN downRemoteIngesterHealth Status

0Hig-h

Minu-te

En-abl-ed


Appendix A



Crit-ical-ity

Fre-que-ncy


DiskUsagein-formation

Disk util-ization

Disk Util-ization ForAn IntervalEx:Minute,Ho-ur,Day

80Med-ium

Minu-te

En-abl-ed

DiskUsagein-formation

Disk util-ization warn-ing

Disk Util-ization Warn-ing For AnIntervalEx:Minute,Ho-ur,Day

80Med-ium

Minu-te

Dis-abl-ed

MemoryUsag-einformation

Memory util-ization

Asset Util-ization CheckFor Interval

85Hig-h

Minu-te

En-abl-ed

MemoryUsag-einformation

Memory util-ization warn-ing

Memory Util-ization Warn-ing

80Med-ium

Minu-te

Dis-abl-ed

HeapUsageHeap util-ization

Asset Util-ization CheckFor Interval

90Hig-h

Minu-te

En-abl-ed


Appendix A



Crit-ical-ity

Fre-que-ncy


hdfssize HDFS size

Solr DiskSize For AnIntervalEx:Minute,Ho-ur,Day

80Med-ium

Minu-te

En-abl-ed

readioDisk read IOslow

Disk Io ReadDisk For AnIntervalEx:Minute,Ho-ur,Day

700Hig-h

Minu-te

En-abl-ed

writeioDisk write IOslow

Disk Io WriteDisk For AnIntervalEx:Minute,Ho-ur,Day

700Hig-h

Minu-te

En-abl-ed

latencyio Disk latency

Disk IoLatecy For AnIntervalEx:Minute,Ho-ur,Day

700Hig-h

Minu-te

En-abl-ed


Appendix A



Crit-ical-ity

Fre-que-ncy


cachewriteDisk cachewrite IO slow

Disk IoCache WriteFor An Inter-valEx:Minute,Ho-ur,Day

700Hig-h

Minu-te

En-abl-ed

bufferwriteDisk bufferwrite IO slow

Buffer WriteFor An Inter-valEx:Minute,Ho-ur,Day

700Hig-h

Minu-te

En-abl-ed

cpuutil

Cpu utilization

Cpu Util-izationHigher ThanThreshold

90Hig-h

Minu-te

En-abl-ed

Cpu utilizationwarning

Cpu Util-ization Warn-ing HigherThanThreshold

80Med-ium

Minu-te

Dis-abl-ed


Appendix A



Crit-ical-ity

Fre-que-ncy


HadoopSer-vice

Hbase servicehealth

Hbase Ser-vice Inform-ation

BADHig-h

Minu-te

En-abl-ed


Appendix A



Crit-ical-ity

Fre-que-ncy


HDFS servicehealth

Hdfs ServiceInformation

BADHig-h

Minu-te

En-abl-ed


Appendix A



Crit-ical-ity

Fre-que-ncy


Hive servicehealth

Hive ServiceInformation

BADHig-h

Minu-te

En-abl-ed


Appendix A



Crit-ical-ity

Fre-que-ncy


Hue servicehealth

HuestatusServiceInformation

BADHig-h

Minu-te

En-abl-ed


Appendix A



Crit-ical-ity

Fre-que-ncy


Impala servicehealth

Impala Ser-vice Inform-ation

BADHig-h

Minu-te

En-abl-ed


Appendix A



Crit-ical-ity

Fre-que-ncy


Oozie servicehealth

Oozie Ser-vice Inform-ation

BADHig-h

Minu-te

En-abl-ed

Spark servicehealth

SparkstatusServiceInformation

NUL-L

Hig-h

Minu-te

En-abl-ed

Yarn servicehealth

Yarn ServiceInformation

BADHig-h

Minu-te

En-abl-ed

Zookeeper ser-vice health

Zoo-keeperstatusServiceInformation

nullHig-h

Minu-te

En-abl-ed

Kafka servicehealth

Kafka ServiceInformation

BADHig-h

Minu-te

En-abl-ed

Kafka zoo-keeper ser-vice health

Kafka ServiceInformation

nullHig-h

Minu-te

En-abl-ed


Appendix A



Crit-ical-ity

Fre-que-ncy


CacheMemor-y

Cachememory util-ization

CacheMemory Util-izationHigher ThanThreshold

90Hig-h

Minu-te

En-abl-ed

SwapMemor-y

Swap memoryutilization

CacheMemory Util-izationHigher ThanThreshold

90Hig-h

Minu-te

En-abl-ed


Appendix A



Crit-ical-ity

Fre-que-ncy


Compliance

Out of com-pliance fromrecommendedstandard:Impala data-base nameconfig

Impala Data-base NameConfigurationNot MatchingStandardComplianceValue

Low DailyEn-abl-ed


Appendix A



Crit-ical-ity

Fre-que-ncy


Out of com-pliance fromrecommendedstandard:Impala tableprefix config

Impala TablePrefix Con-figuration NotMatchingStandardComplianceValue

Low DailyEn-abl-ed


Appendix A



Crit-ical-ity

Fre-que-ncy


Out of com-pliance fromrecommendedstandard:KafkaenrichedTopicconfig

KafkaEnrichedtopicConfigurationNot MatchingStandardComplianceValue

Low DailyEn-abl-ed


Appendix A



Crit-ical-ity

Fre-que-ncy


Out of com-pliance fromrecommendedstandard:KafkarawTopic con-fig

Kafka RawTopic Con-figuration NotMatchingStandardComplianceValue

Low DailyEn-abl-ed


Appendix A



Crit-ical-ity

Fre-que-ncy


Out of com-pliance fromrecommendedstandard:Kafka con-trolTopic con-fig

Kafka ControlTopic Con-figuration NotMatchingStandardComplianceValue

Low DailyEn-abl-ed


Appendix A



Crit-ical-ity

Fre-que-ncy


Out of com-pliance fromrecommendedstandard:Kafka count-sTopic config

Kafka CountsTopic Con-figuration NotMatchingStandardComplianceValue

Low DailyEn-abl-ed


Appendix A



Crit-ical-ity

Fre-que-ncy


Out of com-pliance fromrecommendedstandard:KafkaopsTopic con-fig

Kafka OpsTopic Con-figuration NotMatchingStandardComplianceValue

Low DailyEn-abl-ed


Appendix A



Crit-ical-ity

Fre-que-ncy


Out of com-pliance fromrecommendedstandard:Kafka viol-ationTopicconfig

Kafka Viola-tion TopicConfigurationNot MatchingStandardComplianceValue

Low DailyEn-abl-ed


Appendix A



Crit-ical-ity

Fre-que-ncy


Out of com-pliance fromrecommendedstandard:Kafka tier-2Topic config

Kafka Tier2Topic Con-figuration NotMatchingStandardComplianceValue

Low DailyEn-abl-ed


Appendix A



Crit-ical-ity

Fre-que-ncy


Out of com-pliance fromrecommendedstandard:Kafka index-erCountTopicconfig

Kafka IndexerCounts TopicConfigurationNot MatchingStandardComplianceValue

Low DailyEn-abl-ed


Appendix A



Crit-ical-ity

Fre-que-ncy


Out of com-pliance fromrecommendedstandard:Kafka pre-viewTopic con-fig

Kafka Pre-view TopicConfigurationNot MatchingStandardComplianceValue

Low DailyEn-abl-ed


Appendix A



Crit-ical-ity

Fre-que-ncy


Out of com-pliance fromrecommendedstandard:KafkaaeeTopic con-fig

Kafka AeeTopic Con-figuration NotMatchingStandardComplianceValue

Low DailyEn-abl-ed


Appendix A



Crit-ical-ity

Fre-que-ncy


Out of com-pliance fromrecommendedstandard:Kafka user-Topic config

Kafka UserTopic Con-figuration NotMatchingStandardComplianceValue

Low DailyEn-abl-ed


Appendix A



Crit-ical-ity

Fre-que-ncy


Out of com-pliance fromrecommendedstandard:KafkaaccessTopicconfig

Kafka AccessTopic Con-figuration NotMatchingStandardComplianceValue

Low DailyEn-abl-ed


Appendix A



Crit-ical-ity

Fre-que-ncy


Out of com-pliance fromrecommendedstandard: Solrcollectionname config

Solr Col-lection NameConfigurationNot MatchingStandardComplianceValue

Low DailyEn-abl-ed


Appendix A



Crit-ical-ity

Fre-que-ncy


Out of com-pliance fromrecommendedstandard:Default tenantname

Tenant NameFormat NotMatchingStandardComplianceValue

Low DailyEn-abl-ed


Appendix A



Crit-ical-ity

Fre-que-ncy


Out of com-pliance fromrecommendedstandard:Hbasenamespace

HbaseNamespaceNot MatchingStandardComplianceValue

Low DailyEn-abl-ed


Appendix A



Crit-ical-ity

Fre-que-ncy


Out of com-pliance fromrecommendedstandard:HDFS work-ing directory

Hdfs WorkingDirectory Con-figuration NotMatchingStandardComplianceValue

Low DailyEn-abl-ed


Appendix A



Crit-ical-ity

Fre-que-ncy


Out of com-pliance fromrecommendedstandard: solractivity col-lection rep-lication factor

Solr ActivityCollectionReplicationFactor higherthanthreshold

Grea-terthan1

Low DailyEn-abl-ed


Appendix A



Crit-ical-ity

Fre-que-ncy


Out of com-pliance fromrecommendedstandard: solrviolation col-lection rep-lication factor

Solr ViolationCollectionReplicationFactor higherthanthreshold

Grea-terthan1

Low DailyEn-abl-ed


Appendix A



Crit-ical-ity

Fre-que-ncy


Out of com-pliance fromrecommendedstandard: solrcontrolcorecollection rep-lication factor

Solr Con-trolcore Col-lectionReplicationFactor higherthanthreshold

Grea-terthan1

Low DailyEn-abl-ed


Appendix A



Crit-ical-ity

Fre-que-ncy


Out of com-pliance fromrecommendedstandard: solrviolation con-trolcore col-lectionreplicationfactor

Solr ViolationControlcoreCollectionReplicationFactor higherthanthreshold

Grea-terthan1

Low DailyEn-abl-ed


Appendix A



Crit-ical-ity

Fre-que-ncy


Out of com-pliance fromrecommendedstandard: solractivity col-lection #shards

Solr ActivityCollectionallocatednumber ofShards out ofrange

Bet-wee-n 2-5

Low DailyEn-abl-ed


Appendix A



Crit-ical-ity

Fre-que-ncy


Out of com-pliance fromrecommendedstandard: solrviolation col-lection #shards

Solr ViolationCollectionallocatednumber ofShards out ofrange

Bet-wee-n 2-5

Low DailyEn-abl-ed


Appendix A



Crit-ical-ity

Fre-que-ncy


Out of com-pliance fromrecommendedstandard: solrcontrolcorecollection #shards

Solr Con-trolcore Col-lectionallocatednumber ofShards out ofrange

Bet-wee-n 2-5

Low DailyEn-abl-ed


Appendix A



Crit-ical-ity

Fre-que-ncy


Out of com-pliance fromrecommendedstandard: solrviolation con-trolcore col-lection #shards

Solr ViolationControlcoreCollectionallocatednumber ofShards out ofrecom-mendedrange

Bet-wee-n 2-5

Low DailyEn-abl-ed


Appendix A



Crit-ical-ity

Fre-que-ncy


Out of com-pliance fromrecommendedstandard: solrdaily-viol-ationsummarycollection rep-lication factor

Solr Daily-viol-ation-summaryCollectionReplicationFactor out ofrecom-mendedrange

Bet-wee-n 1-2

Low DailyEn-abl-ed


Appendix A



Crit-ical-ity

Fre-que-ncy


Out of com-pliance fromrecommendedstandard: solrentity-metadata col-lectionreplicationfactor

Solr Entity-metadata Col-lectionReplicationFactor

Bet-wee-n 1-2

Low DailyEn-abl-ed


Appendix A



Crit-ical-ity

Fre-que-ncy


Out of com-pliance fromrecommendedstandard: solrentityrelationcollection rep-lication factor

Solr Enti-tyrelation Col-lectionReplicationFactor

Bet-wee-n 1-2

Low DailyEn-abl-ed


Appendix A



Crit-ical-ity

Fre-que-ncy


Out of com-pliance fromrecommendedstandard: solripmapping col-lection rep-lication factor

Solr Ipmap-ping Col-lectionReplicationFactor

Bet-wee-n 1-2

Low DailyEn-abl-ed


Appendix A



Crit-ical-ity

Fre-que-ncy


Out of com-pliance fromrecommendedstandard: solrlookup col-lection rep-lication factor

Solr LookupCollectionReplicationFactor

Bet-wee-n 1-2

Low DailyEn-abl-ed


Appendix A



Crit-ical-ity

Fre-que-ncy


Out of com-pliance fromrecommendedstandard: solrtpi collectionreplicationfactor

Solr Tpi Col-lection Rep-licationFactor

Bet-wee-n 1-2

Low DailyEn-abl-ed


Appendix A



Crit-ical-ity

Fre-que-ncy


Out of com-pliance fromrecommendedstandard: solrusers col-lection rep-lication factor

Solr UsersCollectionReplicationFactor

Bet-wee-n 1-2

Low DailyEn-abl-ed


Appendix A



Crit-ical-ity

Fre-que-ncy


Out of com-pliance fromrecommendedstandard: solrwatchlist col-lection rep-lication factor

Solr WatchlistCollectionReplicationFactor

Bet-wee-n 1-2

Low DailyEn-abl-ed


Appendix A



Crit-ical-ity

Fre-que-ncy


Out of com-pliance fromrecommendedstandard: solrwhitelist col-lection rep-lication factor

Solr WhitelistCollectionReplicationFactor

Bet-wee-n 1-2

Low DailyEn-abl-ed


Appendix A



Crit-ical-ity

Fre-que-ncy


Out of com-pliance fromrecommendedstandard: solrriskscore col-lection rep-lication factor

SolrRiskscoreCollectionReplicationFactor

2 Low DailyEn-abl-ed


Appendix A



Crit-ical-ity

Fre-que-ncy


Out of com-pliance fromrecommendedstandard: solrdaily-viol-ationsummarycollection#shards

Solr Daily-viol-ation-summaryCollection#Shards

Bet-wee-n 1-3

Low DailyEn-abl-ed


Appendix A



Crit-ical-ity

Fre-que-ncy


Out of com-pliance fromrecommendedstandard: solrentity-metadata col-lection#shards

Solr Entity-metadata Col-lection#Shards

Bet-wee-n 1-3

Low DailyEn-abl-ed


Appendix A



Crit-ical-ity

Fre-que-ncy


Out of com-pliance fromrecommendedstandard: solrentityrelationcollection#shards

Solr Enti-tyrelation Col-lection#Shards

Bet-wee-n 1-3

Low DailyEn-abl-ed


Appendix A



Crit-ical-ity

Fre-que-ncy


Out of com-pliance fromrecommendedstandard: solripmapping col-lection#shards

Solr Ipmap-ping Col-lection#Shards

Bet-wee-n 1-3

Low DailyEn-abl-ed


Appendix A



Crit-ical-ity

Fre-que-ncy


Out of com-pliance fromrecommendedstandard: solrlookup col-lection#shards

Solr LookupCollection#Shards

Bet-wee-n 1-3

Low DailyEn-abl-ed


Appendix A



Crit-ical-ity

Fre-que-ncy


Out of com-pliance fromrecommendedstandard: solrtpi collection#shards

Solr Tpi Col-lection#Shards

Bet-wee-n 1-3

Low DailyEn-abl-ed


Appendix A



Crit-ical-ity

Fre-que-ncy


Out of com-pliance fromrecommendedstandard: solrusers col-lection#shards

Solr UsersCollection#Shards

Bet-wee-n 1-3

Low DailyEn-abl-ed


Appendix A



Crit-ical-ity

Fre-que-ncy


Out of com-pliance fromrecommendedstandard: solrwatchlist col-lection#shards

Solr WatchlistCollection#Shards

Bet-wee-n 1-3

Low DailyEn-abl-ed


Appendix A



Crit-ical-ity

Fre-que-ncy


Out of com-pliance fromrecommendedstandard: solrwhitelist col-lection#shards

Solr WhitelistCollection#Shards

Bet-wee-n 1-3

Low DailyEn-abl-ed


Appendix A



Crit-ical-ity

Fre-que-ncy


Out of com-pliance fromrecommendedstandard: solrriskscore col-lection#shards

SolrRiskscoreCollection#Shards

Bet-wee-n 1-3

Low DailyEn-abl-ed


Appendix A



Crit-ical-ity

Fre-que-ncy


Out of com-pliance fromrecommendedstandard:KafkaenrichedTopic#partitions

KafkaEnrichedtopic#Partitions



Appendix A



Crit-ical-ity

Fre-que-ncy


Out of com-pliance fromrecommendedstandard:KafkarawTopic #par-titions

Kafka Raw-topic #Par-titions



Appendix A



Crit-ical-ity

Fre-que-ncy


Out of com-pliance fromrecommendedstandard:Kafka viol-ationTopic#partitions

Kafka Viola-tiontopic #Par-titions



Appendix A



Crit-ical-ity

Fre-que-ncy


Out of com-pliance fromrecommendedstandard:KafkaaeeTopic #par-titions

Kafka Aee-topic #Par-titions



Appendix A



Crit-ical-ity

Fre-que-ncy


Out of com-pliance fromrecommendedstandard:Kafka tier-2Topic #par-titions

Kafka Tier-2Topic #Par-titions



Appendix A



Crit-ical-ity

Fre-que-ncy


Out of com-pliance fromrecommendedstandard:Kafka con-trolTopic #par-titions

Kafka Con-troltopic #Par-titions



Appendix A



Crit-ical-ity

Fre-que-ncy


Out of com-pliance fromrecommendedstandard:Kafka count-sTopic #par-titions

Kafka Count-stopic #Par-titions



Appendix A



Crit-ical-ity

Fre-que-ncy


Out of com-pliance fromrecommendedstandard:KafkaopsTopic #par-titions

KafkaOpstopic#Partitions



Appendix A



Crit-ical-ity

Fre-que-ncy


Out of com-pliance fromrecommendedstandard:Kafka index-erCountTopic#partitions

Kafka Index-ercounttopic#Partitions



Appendix A



Crit-ical-ity

Fre-que-ncy


Out of com-pliance fromrecommendedstandard:Kafka pre-viewTopic#partitions

Kafka Pre-viewtopic#Partitions



Appendix A



Crit-ical-ity

Fre-que-ncy


Out of com-pliance fromrecommendedstandard:Kafka user-Topic #par-titions

KafkaUsertopic#Partitions



Appendix A



Crit-ical-ity

Fre-que-ncy


Out of com-pliance fromrecommendedstandard:KafkaaccessTopic#partitions

KafkaAccesstopic#Partitions



Appendix A



Crit-ical-ity

Fre-que-ncy


Out of com-pliance fromrecommendedstandard:Kafka publishthreshold.

Kafka PublishThreshold.

200-00

Low DailyEn-abl-ed


Appendix A



Crit-ical-ity

Fre-que-ncy


Out of com-pliance fromrecommendedstandard:Kafka lingerms config.

Kafka LingerMs Config.



Appendix A



Crit-ical-ity

Fre-que-ncy


Out of com-pliance fromrecommendedstandard:Kafka maxmessage sizeconfig.

Kafka MaxMessageSize Config.

104-857-60

Low DailyEn-abl-ed


Appendix A



Crit-ical-ity

Fre-que-ncy


Out of com-pliance fromrecommendedstandard:Kafka rawcompressionbatch size con-fig.

Kafka RawCompressionBatch SizeConfig.

100-0-2000

Low DailyEn-abl-ed


Appendix A



Crit-ical-ity

Fre-que-ncy


Out of com-pliance fromrecommendedstandard:Kafkaenriched com-pressionbatch size con-fig.

KafkaEnrichedCompressionBatch SizeConfig.

100-0-2000

Low DailyEn-abl-ed


Appendix A



Crit-ical-ity

Fre-que-ncy


Out of com-pliance fromrecommendedstandard: SolrsoftEEOThres-hold config.

Solr Softeeo-thresholdConfig.

10M-100-M

Low DailyEn-abl-ed


Appendix A



Crit-ical-ity

Fre-que-ncy


Out of com-pliance fromrecommendedstandard: SolrsoftVi-ola-tionThresholdconfig.

Solr Soft-viol-ation-thresholdConfig.

10M-100-M

Low DailyEn-abl-ed

Out of com-pliance fromrecommendedstandard: Solractiv-ityCol-lec-tionThresholdconfig.

Solr Activ-itycol-lec-tionthresholdConfig.


Out of com-pliance fromrecommendedstandard: SolrbatchSize con-fig.

Solr Batch-size Config.

500-2000

Low DailyEn-abl-ed


Appendix A



Crit-ical-ity

Fre-que-ncy


ConfigRulesResourcegroup added

New Data-source AddedTo SNYPRApplication

ADD-ED

Med-ium

DailyEn-abl-ed


Appendix A



Crit-ical-ity

Fre-que-ncy


Resourcegroup deleted

DatasourceDeleted FromSNYPRApplication

DEL-ETE-D

Med-ium

DailyEn-abl-ed


Appendix A



Crit-ical-ity

Fre-que-ncy


Resourcegroup configupdated

DatasourceConfigurationChanged

UPD-ATE-D

Med-ium

DailyEn-abl-ed


Appendix A



Crit-ical-ity

Fre-que-ncy


Resourceattributeadded

New Data-source Attrib-ute Added ToSNYPRApplication

ADD-ED

Med-ium

DailyEn-abl-ed


Appendix A



Crit-ical-ity

Fre-que-ncy


Resourceattributedeleted

DatasourceAttributeDeleted FromSNYPRApplication

DEL-ETE-D

Med-ium

DailyEn-abl-ed


Appendix A



Crit-ical-ity

Fre-que-ncy


Resourceattributeupdated

DatasourceAttributeChanged

UPD-ATE-D

Med-ium

DailyEn-abl-ed


Appendix A



Crit-ical-ity

Fre-que-ncy


Policy added

New PolicyAdded ToSNYPRApplication

ADD-ED

Med-ium

DailyEn-abl-ed


Appendix A



Crit-ical-ity

Fre-que-ncy


Policy deleted

PolicyDeleted FromSNYPRApplication

DEL-ETE-D

Med-ium

DailyEn-abl-ed


Appendix A



Crit-ical-ity

Fre-que-ncy


Policy configupdated

Policy Con-figurationsUpdated

UPD-ATE-D

Med-ium

DailyEn-abl-ed


Appendix A



Crit-ical-ity

Fre-que-ncy


Policy mightbe mis-configured

Policy Mis-configurationIdentified -Aee Viola-tions AreHigh

100-000

Med-ium

Minu-te

En-abl-ed


Appendix A



Crit-ical-ity

Fre-que-ncy


Hadoop con-fig added

Hadoop Con-figurationAdded ForSNYPRApplication

ADD-ED

Med-ium

DailyEn-abl-ed


Appendix A



Crit-ical-ity

Fre-que-ncy


Hadoop con-fig deleted

Hadoop Con-figurationDeleted

DEL-ETE-D

Med-ium

DailyEn-abl-ed


Appendix A



Crit-ical-ity

Fre-que-ncy


Hadoop con-fig updated

Hadoop Con-figurationChanged

UPD-ATE-D

Med-ium

DailyEn-abl-ed


Appendix A



Crit-ical-ity

Fre-que-ncy


Activity importconfig added

ActivityImport AddedFor SNYPRApplication

ADD-ED

Med-ium

DailyEn-abl-ed


Appendix A



Crit-ical-ity

Fre-que-ncy


Activity importconfig deleted

ActivityImport Con-figurationDeleted

DEL-ETE-D

Med-ium

DailyEn-abl-ed


Appendix A



Crit-ical-ity

Fre-que-ncy


Activity importconfigupdated

ActivityImport Con-figurationChanged

UPD-ATE-D

Med-ium

DailyEn-abl-ed


Appendix A



Crit-ical-ity

Fre-que-ncy


Correlationrule added

New Cor-relation RuleAdded ForSNYPRApplication

ADD-ED

Med-ium

DailyEn-abl-ed


Appendix A



Crit-ical-ity

Fre-que-ncy


Correlationrule deleted

CorrelationRule Con-figurationDeleted

DEL-ETE-D

Med-ium

DailyEn-abl-ed


Appendix A



Crit-ical-ity

Fre-que-ncy


Correlationrule updated

CorrelationRule Con-figurationChanged

UPD-ATE-D

Med-ium

DailyEn-abl-ed


Appendix A



Crit-ical-ity

Fre-que-ncy


Config cor-relation rulesadded

New ConfigCorrelationRule AddedFor SNYPRApplication

ADD-ED

Med-ium

DailyEn-abl-ed


Appendix A



Crit-ical-ity

Fre-que-ncy


Config cor-relation rulesdeleted

Config Cor-relation RuleDeleted

DEL-ETE-D

Med-ium

DailyEn-abl-ed


Appendix A



Crit-ical-ity

Fre-que-ncy


Config cor-relation rulesupdated

Config Cor-relation RuleChanged

UPD-ATE-D

Med-ium

DailyEn-abl-ed


Appendix A



Crit-ical-ity

Fre-que-ncy


Config sum-marizationadded

New ConfigSum-marizationAdded ForSNYPRApplication

ADD-ED

Med-ium

DailyEn-abl-ed


Appendix A



Crit-ical-ity

Fre-que-ncy


Config sum-marizationdeleted

Config Sum-marizationDeleted

DEL-ETE-D

Med-ium

DailyEn-abl-ed

Config sum-marizationupdated

Config Sum-marizationChanged

UPD-ATE-D

Med-ium

DailyEn-abl-ed

License configadded

New LicenseConfigurationAdded InSNYPRApplication

ADD-ED

Med-ium

DailyEn-abl-ed

License configdeleted

License Con-figurationDeleted

DEL-ETE-D

Med-ium

DailyEn-abl-ed

License configupdated

License Con-figurationChanged InSNYPR

UPD-ATE-D

Med-ium

DailyEn-abl-ed

IngestionThe following table lists and describes each of the available predefined ingestionalerts:


Appendix A

Type Rule Descrip-tion

PresetThresh-oldValue

Crit-icality

Fre-quency

Statu-s

Indexed

Drop inminute ten-antindexedper rg#rgId

EpsDroppedThanAvgepsFor AnInterval

0 Low MinuteEnabl-ed


Appendix A



Crit-icality

Fre-quency

Statu-s

Drop inhour ten-antindexedper rg#rgId


0Mediu-m

HourlyEnabl-ed

Drop indaily ten-antindexedper rg#rgId


0Mediu-m

DailyEnabl-ed

Hike intenantindexedevents perrg #rgId

Eps LessThanAvgepsFor AnInterval

0Mediu-m

MinuteEnabl-ed

Hike inhourlyindexedper rg#rgId


0Mediu-m

HourlyEnabl-ed

Hike indailyindexedper rg#rgId


0Mediu-m

DailyEnabl-ed


Appendix A



Crit-icality

Fre-quency

Statu-s

Ingested

Drop indaily ten-ant inges-ted per rg#rgId


0Mediu-m

DailyEnabl-ed

Hike iningestedper rg#rgId


0Mediu-m

MinuteEnabl-ed

Hike inhourlyingestedper rg#rgId


0Mediu-m

HourlyEnabl-ed

Hike indailyingestedper rg#rgId


0Mediu-m

DailyEnabl-ed


Appendix A



Crit-icality

Fre-quency

Statu-s

Parsed

Drop indaily ten-ant parsedper rg#rgId


0Mediu-m

DailyEnabl-ed

Hike inparsed perrg #rgId


0Mediu-m

MinuteEnabl-ed

Hike inhourlyparsed perrg #rgId


0Mediu-m

HourlyEnabl-ed

Hike indailyparsed perrg #rgId


0Mediu-m

DailyEnabl-ed


Appendix A



Crit-icality

Fre-quency

Statu-s

Pub-lished

Drop indaily ten-ant pub-lished perrg #rgId


0Mediu-m

DailyEnabl-ed


Appendix A



Crit-icality

Fre-quency

Statu-s

Data-sourcepublishingeventssilent forrg #rgId

Data-sourceSilentEps NotUpdatedIn LastHour

0 High MinuteEnabl-ed


Appendix A



Crit-icality

Fre-quency

Statu-s

PublishedEPSvolumehigherthanlicensedEPS

CurrentEpsHigherThanLicensedEps

License-d EPS

High HourlyEnabl-ed


Appendix A



Crit-icality

Fre-quency

Statu-s

Hike inpublishedper rg#rgId


0Mediu-m

MinuteEnabl-ed


Appendix A



Crit-icality

Fre-quency

Statu-s

Hike inhourly pub-lished perrg #rgId


0Mediu-m

HourlyEnabl-ed

Hike indaily pub-lished perrg #rgId


0Mediu-m

DailyEnabl-ed

EPD pub-lishedcount#rgIdexceededlimit

EventsIndexedIs HigherThanThreshol-d

500000-0

High DailyEnabl-ed

Data-source notpublishingfor rg#rgId

Data-source IsNot Pub-lishingFromLastHour

NULL High HourlyDis-abled


Appendix A



Crit-icality

Fre-quency

Statu-s

SparkRu-les

#Activespark appbatcheshigh

No. OfSparkAppBatchesExceedThreshol-d

50Mediu-m

MinuteEnabl-ed


Appendix A



Crit-icality

Fre-quency

Statu-s

Spark appbatch pro-cess timehigh


30 minMediu-m

MinuteEnabl-ed


Appendix A



Crit-icality

Fre-quency

Statu-s

Spark appdown

SparkApp JobKilled OrFailed

appStat-us:killed/-failed

Mediu-m

HourlyEnabl-ed


Appendix A



Crit-icality

Fre-quency

Statu-s

Spark appbatcheshigh -Policy_Engine_AEE/IEE



Spark appbatcheshigh -Event_Enrich-ment



Spark appbatcheshigh -Event_Indexer



Spark appbatcheshigh -ThreatMo-del_RiskS-coring_App




Appendix A



Crit-icality

Fre-quency

Statu-s

DeviceA-lert

Devicelevel alertfor rg#rgId

SNYPRNodeDevice IsNotReport-ing

Mediu-m

HourlyDis-abled

AnalyticsThe following table lists and describes each of the available predefined analyticsalerts:


Appendix A


PresetThresholdValue

Crit-icality

Fre-quency

Statu-s

Viola-tion

Dropinminut-e ten-antviol-ationper rg#rgId

CurrentViolationLessThan75% OfAvg Viola-tions

0Mediu-m

MinuteEnabl-ed


Appendix A



Crit-icality

Fre-quency

Statu-s

Dropinhourtenantviol-ationper rg#rgId


0Mediu-m

HourlyEnabl-ed


Appendix A



Crit-icality

Fre-quency

Statu-s

Dropindailytenantviol-ationper rg#rgId


0Mediu-m

DailyEnabl-ed


Appendix A



Crit-icality

Fre-quency

Statu-s

#Even-tsdropp-edhigh#rgId

IfDroppedEvents >50% OfTotalEvents

1.5 * event-sProcessed

High MinuteEnabl-ed


Appendix A



Crit-icality

Fre-quency

Statu-s

#Even-tsinvalidhigh#rgId

SNYPRInvalidEventsCount50%GreaterThan Pro-cessedCount

1.5 * event-sProcessed

High MinuteEnabl-ed

Hikein viol-ationper rg#rgId

Hike InViola-tionsMoreThan AvgFor Min

0Mediu-m

MinuteEnabl-ed

Hikeinhourlyviol-ationper rg#rgId


0Mediu-m

HourlyEnabl-ed

Hikeindailyviol-ationeventsper rg#rgId


0Mediu-m

DailyEnabl-ed


Date post:	14-Jul-2020
Category:	Documents
Upload:	others
View:	0 times
Download:	0 times