I'm very excited to announce support for automated anomaly investigation within ExtraHop's Addy service. We released Addy in April 2017 and we've regularly added new types of anomaly detection to the service. Today, however, we are releasing an entirely new way of helping you investigate anomalies in your environment.
Before We Dig-In, What is Addy?
Addy, an intelligence augmentation system, is a software as a service (SaaS) offering that observes and analyzes all digital interactions and applies machine learning to detect IT performance and security anomalies. Addy uses time series metrics from an ExtraHop Discover appliance to proactively detect and surface potential performance and security issues in your environment. You can read more about Addy here.
Now Back to Our Feature Presentation
If you're familiar with IT Ops or Network Performance Monitoring, then you're likely used to having to dig through various tool UIs, app and service logs, and internal support tickets to determine why something is going wrong. However, Addy lets you know when a device or application in your network begins to act abnormally. Addy helps you move from being reactive to being proactive.
Before we dig into what Addy's automated investigation is, let's look at where we started. When we first released Addy in April, we displayed the top-level metrics that were associated with the anomaly. The following image shows an example.
In this overview, we can see that Addy has identified an issue with the Name-of-Device device. (Actual device name changed to protect the innocent.) The anomaly's detail includes the metric, SSH sessions, a concise description of the detected anomaly, and the count and percentage of the variance of the value that resulted in Addy finding the anomaly. (Addy's algorithms often use multiple metrics to identify an anomaly, but surface the most important metric to you.)
From there, you can click the anomaly's title to get right to the device or application associated with the anomaly.
Addy takes you right to the correct protocol section of the application or device, too.
From there, you can click the 4,991 sessions value in the Total Sessions widget to drill-down to the lower-level metrics to see the underlying cause of the anomaly. In this case, we've clicked Client so that we can see the clients connecting to the Name-of-Device server using the SSH protocol.
And here we see the client IP addresses and their hostnames. (I've censored those values from the screenshot to protect those not yet proven guilty.) To determine which clients have contributed to the anomaly, you then must click on each device and see whether it aligns to the sparkline spike that was identified in the anomaly's overview.
But what if you didn't have do all of those steps to drill-down and discover what those detail metrics are and exactly which devices contributed to the anomaly?
Enter our new Addy feature: automated investigation. Starting today, Addy surfaces detail metrics right within an anomaly's description.
Bam! All of the key details that you need to investigate this SSH anomaly are right there in the overview. (SSH is just one of the many types of anomalies that we now surface automated investigation for in the ExtraHop platform.) The overview of this SSH anomaly now shows the following detail metrics: the list of clients using SSH to connect to the server (showing their IP addresses and hostnames), the implementation of SSH they are using to connect, and the percentage of the total value that each client contributed to the overall SSH anomaly.
A workflow that previously required 5-10 clicks to get all of these detail metrics is now optimized to help you automatically investigate the underlying cause. Addy is able to streamline this workflow by using improved machine learning capabilities to intelligently identify the drill-down metrics that correspond to the identified anomaly. In short, we're not just surfacing the largest value associated with the anomaly.
If you're a current Addy customer, starting today, Addy will perform automated investigation for anomalies detected on a Discover appliance running firmware version 6.2.6 or higher. This new functionality applies to the majority of all anomalies that Addy detects, except those that analyze latency. We plan to add automated investigation support for latency-based anomalies in the near future.
If you're not running 7.0, I really suggest you try it. Live activity maps, which show devices talking to each other in your network--and even the protocols they're using, all in real-time, are just one reason to update.
Don't have ExtraHop or Addy yet? Check out our interactive online demo to see the awesomeness in action. After you fill out the signup form, you'll get to immediately use the real product with sample data and Addy anomalies. We've even authored scenarios for you to walk through.
This is a companion discussion topic for the original entry at https://www.extrahop.com/company/blog/2017/announcing-addy-automated-investigation/