Alerting: Troubleshoot Automated Threat Detection

Document created by RSA Information Design and Development Employee on Apr 22, 2016
Version 1

Automated Threat Detection is an analytics engine that examines your HTTP data. It also makes use of other components, such as a Whois service and the Context Hub, which can add complexity to your installation. This topic provides suggestions to help you find issues if your Automated Threat Detection deployment does not provide the results you expect.

When you troubleshoot Automated Threat Detection, it is important to factor in the mode used. If mixed mode is used (Automated Threat Detection enabled on the same machine as ESA Rules or the Context Hub), you need to consider the memory usage and I/O of these applications when troubleshooting. Generally, when a mixed mode installation is configured, Automated Threat Detection is enabled to use approximately fifty percent of the available memory, whereas ESA Rules memory usage is unbounded. Therefore, you may want to check your ESA Rules as a first step when troubleshooting in mixed mode.

If you are using mixed mode, you should also consider whether the ESA is configured for Memory Pool or Event Time Ordering. Memory Pool can impact performance, while Event Time Ordering can impact both performance and memory usage.

Possible Issues

Problem: I'm seeing too many alerts (false positives).
Possible Causes: Several.
Solutions:

One possible cause is that the Whois lookup is failing or is not configured. The Whois lookup is helpful in determining whether a URL is valid, and if the connection fails or is not properly configured, it can result in false positives.

There are a number of counters for the Whois Lookup service you can view.

  1. From Administration > Services, select your ESA service and then click the Actions icon > View > Explore.
  2. In the Explorer, click Service > Whois > whoisClient.

Below are a few useful counters to check:

  • FailedLookupCount: Whenever a request to the RSA Whois Service for Whois data fails, this count is incremented.
  • LookupEnqueueFailureCount: This counts any failed attempts to add an entry to the cache. These failures are due to errors internal to the cache.
  • Response401Count: This counts the requests to the RSA Whois Server that failed with a status code of 401. Requests with expired authentication tokens are included in this count. This count is included in FailedLookupCount.

You may also need to whitelist URLs. Sometimes the legitimate behavior for a URL triggers an alert. One way to prevent this from occurring is to add the URL to the whitelist. For instructions on doing this, see "Reduce False Positives" in Work with Automated Threat Detection Results.

Problem: I'm not seeing any alerts.
Possible Causes: The ESA requires a "warm-up" period of 24 hours when you enable Automated Threat Detection.
Solutions: When you enable Automated Threat Detection, there is a "warm-up" (learning) period during which no alerts are viewable. The default period is 24 hours; after it elapses, alerts can be viewed. If the ESA restarts, the learning period starts over, so the 24 hour waiting period is reset.

Problem: I'm seeing performance issues (more resource usage or a drop in throughput).
Possible Causes: Several.
Solutions: If you are having performance issues on an ESA that is also running ESA rules, follow the troubleshooting steps for rules. ESA rules are unbounded, whereas Automated Threat Detection is configured to use a specified amount of resources (usually approximately 50%). For these troubleshooting steps, go to Troubleshoot ESA.
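The whoisClient counters above are cumulative, so the useful signal is how much they move between two readings. The following triage helper is an added example, not RSA code: it assumes you copy the three counter values from the Explorer view into two WhoisCounters snapshots a few minutes apart and supply how long the ESA has been running, and it maps the deltas and the 24 hour warm-up rule to the causes in the table.

```python
from dataclasses import dataclass

WARMUP_HOURS = 24.0  # default Automated Threat Detection learning period


@dataclass(frozen=True)
class WhoisCounters:
    """Snapshot of the Service > Whois > whoisClient counters; all are cumulative."""
    failed_lookup_count: int           # FailedLookupCount
    lookup_enqueue_failure_count: int  # LookupEnqueueFailureCount
    response_401_count: int            # Response401Count (included in FailedLookupCount)


def counter_delta(before: WhoisCounters, after: WhoisCounters) -> WhoisCounters:
    """Counters only ever increase, so compare two snapshots taken some minutes apart."""
    return WhoisCounters(
        after.failed_lookup_count - before.failed_lookup_count,
        after.lookup_enqueue_failure_count - before.lookup_enqueue_failure_count,
        after.response_401_count - before.response_401_count,
    )


def triage(before: WhoisCounters, after: WhoisCounters, hours_since_esa_start: float) -> list[str]:
    """Return findings that correspond to the causes listed in the troubleshooting table."""
    findings = []
    if hours_since_esa_start < WARMUP_HOURS:
        remaining = WARMUP_HOURS - hours_since_esa_start
        findings.append(f"warm-up: {remaining:.1f}h of the 24h learning period remain, "
                        "so no alerts are expected yet (an ESA restart resets it)")
    d = counter_delta(before, after)
    if d.response_401_count > d.failed_lookup_count:
        # Response401Count is a subset of FailedLookupCount; anything else is a bad reading
        raise ValueError("Response401Count exceeds FailedLookupCount; snapshots inconsistent")
    if d.response_401_count > 0:
        findings.append(f"whois: {d.response_401_count} new 401 responses; "
                        "check the RSA Whois Service authentication token")
    other_failures = d.failed_lookup_count - d.response_401_count
    if other_failures > 0:
        findings.append(f"whois: {other_failures} new non-401 lookup failures; "
                        "check connectivity to and configuration of the Whois lookup")
    if d.lookup_enqueue_failure_count > 0:
        findings.append(f"whois: {d.lookup_enqueue_failure_count} cache enqueue failures "
                        "(errors internal to the cache)")
    if any(f.startswith("whois") for f in findings):
        findings.append("Whois lookups are failing, which can produce false positives")
    return findings
```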