| 1 | [ |
| 2 | { |
| 3 | "serviceTypePolicyName": "Registration Failure(Trinity)", |
| 4 | "verticaMetrics": "DATETIMEUTC\n VNFC_NAME\n BW_SIP_STATS_REGISTER_RESPONSE_CODE_VALUE \nBW_SIP_STATS_REGISTER_RESPONSE_INS \n BW_SIP_STATS_REGISTER_RESPONSE_OUTS", |
| 5 | "attributes": { |
| 6 | "Onset&abatement anomaly detection": { |
| 7 | "PtileLimit": "Percentile value used by anomaly detection model", |
| 8 | "Threshold": "initial value for the quantile at percentile(PtileLimit) used by the anomaly detection model", |
| 9 | "Window": "Number of weeks anomaly detection model keeps in memory to estimate Threshold", |
| 10 | "Training": "Number of historical weeks anomaly detection model needs for training ", |
| 11 | "FractionSamplePerDay": "This corresponds to the minimum number of samples per day to be used in the daily percentile computation when updating the distribution tail crossing model. When there are fewer samples than that threshold, the model is not updated with these samples. " |
| 12 | }, |
| 13 | "Onset signature trigger": { |
| 14 | "ConsecutiveIntervalOnset": "Number of consecutive intervals normalized metric must trigger the anomaly detection model before resulting in an action", |
| 15 | "RetryTimer": "Minimum interval between policy triggers" |
| 16 | }, |
| 17 | "Abatement signature trigger": { |
| 18 | "ConsecutiveIntervalAbatement": "Number of consecutive intervals normalized metric does not trigger the anomaly detection model after onset signature was triggered" |
| 19 | }, |
| 20 | "Onset & abatement UEB notification": { |
| 21 | "OnsetMessage": "Value of field OnSetMessage sent by Analytics Engine published on UEB", |
| 22 | "AbatementMessage": "Value of field AbatementMessage sent by Analytics Engine published on UEB", |
| 23 | "PolicyName": "Value of field PolicyName sent by Analytics Engine published on UEB" |
| 24 | } |
| 25 | }, |
| 26 | "policyDescription": "Policy to detect instances where SIP registration rate exceeds a normal level over a number of consecutive sampling periods. \n Notes \n (1) Vertica metrics normalized and combined in a SIP registration failure probability per Site and per VM. \n (2) Anomaly detection model operates on SIP registration failure probability. \n (3) Anomaly detection consists of an estimated distribution percentile threshold crossing. \n (4) Actions: Send email and/or UEB notification" |
| 27 | }, |
| 28 | { |
| 29 | "serviceTypePolicyName": "International Fraud(Trinity)", |
| 30 | "verticaMetrics": "INTERVAL_START_TS\n CUSTOMER\n A_SITE\n A_SBG\n BW\n Z_COUNTRY\n CALL_COUNT\n MINUTES_OF_USE", |
| 31 | "attributes": { |
| 32 | "Onset&abatement anomaly detection": { |
| 33 | "PtileLimit": "Percentile value used by anomaly detection model", |
| 34 | "Threshold": "initial value for the quantile at percentile(PtileLimit) used by the anomaly detection model", |
| 35 | "Window": "Number of weeks anomaly detection model keeps in memory to estimate Threshold", |
| 36 | "Training": "Number of historical weeks anomaly detection model needs for training ", |
| 37 | "FractionSamplePerDay": "This corresponds to the minimum number of samples per day to be used in the daily percentile computation when updating the distribution tail crossing model. When there are fewer samples than that threshold, the model is not updated with these samples. " |
| 38 | }, |
| 39 | "Onset signature trigger": { |
| 40 | "ConsecutiveIntervalOnset": "Number of consecutive intervals normalized metric must trigger the anomaly detection model before resulting in an action", |
| 41 | "RetryTimer": "Minimum interval between policy triggers" |
| 42 | }, |
| 43 | "Abatement signature trigger": { |
| 44 | "ConsecutiveIntervalAbatement": "Number of consecutive intervals normalized metric does not trigger the anomaly detection model after onset signature was triggered" |
| 45 | }, |
| 46 | "Onset & abatement UEB notification ": { |
| 47 | "OnsetMessage": "Value of field OnSetMessage sent by Analytics Engine published on UEB", |
| 48 | "AbatementMessage": "Value of field AbatementMessage sent by Analytics Engine published on UEB", |
| 49 | "PolicyName": "Value of field PolicyName sent by Analytics Engine published on UEB" |
| 50 | } |
| 51 | }, |
| 52 | "policyDescription": "Policy to detect instances where count of calls towards an international destination exceeds a normal level over a number of consecutive sampling periods. \n Notes \n (1) Vertica metrics normalized and combined in a SIP registration failure probability per Customer, per Site and per VM. \n (2) Anomaly detection model operates on counts towards an international destination. \n (3) Anomaly detection consists of an estimated distribution percentile threshold crossing. \n (4) Actions: Send email and/or UEB notification" |
| 53 | }, |
| 54 | { |
| 55 | "serviceTypePolicyName": "No dial tone(Trinity)", |
| 56 | "verticaMetrics": "INTERVAL_START_TS\n SUM(CALLS_ATTEMPTED)\n SUM(NO_ANSWER_OR_VOICE_MAIL)\n A_SITE or A_SBG or BW or CUSTOMER", |
| 57 | "attributes": { |
| 58 | "Onset&abatement anomaly detection": { |
| 59 | "PtileLimit": "Percentile value used by anomaly detection model", |
| 60 | "Threshold": "initial value for the quantile at percentile(PtileLimit) used by the anomaly detection model", |
| 61 | "Window": "Number of weeks anomaly detection model keeps in memory to estimate Threshold", |
| 62 | "Training": "Number of historical weeks anomaly detection model needs for training ", |
| 63 | "FractionSamplePerDay": "This corresponds to the minimum number of samples per day to be used in the daily percentile computation when updating the distribution tail crossing model. When there are fewer samples than that threshold, the model is not updated with these samples. " |
| 64 | }, |
| 65 | "Onset signature trigger": { |
| 66 | "ConsecutiveIntervalOnset": "Number of consecutive intervals normalized metric must trigger the anomaly detection model before resulting in an action", |
| 67 | "RetryTimer": "Minimum interval between policy triggers" |
| 68 | }, |
| 69 | "Abatement signature trigger": { |
| 70 | "ConsecutiveIntervalAbatement": "Number of consecutive intervals normalized metric does not trigger the anomaly detection model after onset signature was triggered" |
| 71 | }, |
| 72 | "Onset & abatement UEB notification ": { |
| 73 | "OnsetMessage": "Value of field OnSetMessage sent by Analytics Engine published on UEB", |
| 74 | "AbatementMessage": "Value of field AbatementMessage sent by Analytics Engine published on UEB", |
| 75 | "PolicyName": "Value of field PolicyName sent by Analytics Engine published on UEB" |
| 76 | } |
| 77 | }, |
| 78 | "policyDescription": "Policy to detect ? \n Notes:\n (1) Actions: Send email and/or UEB notification" |
| 79 | }, |
| 80 | { |
| 81 | "serviceTypePolicyName": "Call storm(Trinity)", |
| 82 | "verticaMetrics": "", |
| 83 | "attributes": { |
| 84 | "Onset&abatement anomaly detection": { |
| 85 | "SeasonLength": "Metric seasonality (5min sampling period with 7 days seasonality: 7*288) used by Holt-Winters model", |
| 86 | "TrainLength": "Training length (5min sampling period with 7 days seasonality and 5 cycles training: 7*288*5) used by Holt-Winters", |
| 87 | "Alpha": "Smoothing parameter (range 0-1, default 0.2)", |
| 88 | "Beta": "Trend parameter (range 0-1, default 0) ", |
| 89 | "Gamma": "Seasonality (range 0-1, default 0.05)", |
| 90 | "Deviation Threshold": "Approximately a limit on the factor by how much current value has deviated compared to expected variance" |
| 91 | }, |
| 92 | "Onset signature trigger": { |
| 93 | "RetryTimer": "Minimum interval between policy triggers" |
| 94 | }, |
| 95 | "Abatement signature trigger": { |
| 96 | "Hw-Timeout": "Maximum time for a HealthCheck response (measured from the time a positive App-C response was received)", |
| 97 | "OnSetMessage": "Value of field Message sent by Analytics Engine published on UEB " |
| 98 | }, |
| 99 | "Onset & abatement UEB notification ": { |
| 100 | "AbatementMessage": "Value of field AbatementMessage sent by Analytics Engine published on UEB", |
| 101 | "PolicyName": "Value of field PolicyName sent by Analytics Engine published on UEB" |
| 102 | } |
| 103 | }, |
| 104 | "policyDescription": "Policy to detect instances where count of Formatted table ? exceeds a predicted level. \n Notes \n (1) Vertica metrics normalized and combined in ? per Customer, per Site and per VM. \n (2) Anomaly detection model operates on ? \n (3) Anomaly detection consists of detecting deviations from Holt-Winters predictions. \n (4) Actions: Send email and/or UEB notification" |
| 105 | }, |
| 106 | { |
| 107 | "serviceTypePolicyName": "Registration storm(Trinity)", |
| 108 | "verticaMetrics": "", |
| 109 | "attributes": { |
| 110 | "Onset&abatement anomaly detection": { |
| 111 | "SeasonLength": "Metric seasonality (5min sampling period with 7 days seasonality: 7*288) used by Holt-Winters model", |
| 112 | "TrainLength": "Training length (5min sampling period with 7 days seasonality and 5 cycles training: 7*288*5) used by Holt-Winters", |
| 113 | "Alpha": "Smoothing parameter (range 0-1, default 0.2)", |
| 114 | "Beta": "Trend parameter (range 0-1, default 0) ", |
| 115 | "Gamma": "Seasonality (range 0-1, default 0.05)", |
| 116 | "Deviation Threshold": "Approximately a limit on the factor by how much current value has deviated compared to expected variance" |
| 117 | }, |
| 118 | "Onset signature trigger": { |
| 119 | "RetryTimer": "Minimum interval between policy triggers" |
| 120 | }, |
| 121 | "Abatement signature trigger": { |
| 122 | "Hw-Timeout": "Maximum time for a HealthCheck response (measured from the time a positive App-C response was received)", |
| 123 | "OnSetMessage": "Value of field Message sent by Analytics Engine published on UEB " |
| 124 | }, |
| 125 | "Onset & abatement UEB notification ": { |
| 126 | "AbatementMessage": "Value of field AbatementMessage sent by Analytics Engine published on UEB", |
| 127 | "PolicyName": "Value of field PolicyName sent by Analytics Engine published on UEB" |
| 128 | } |
| 129 | }, |
| 130 | "policyDescription": "Policy to detect instances where count of Formatted table ? exceeds a predicted level. \n Notes \n (1) Vertica metrics normalized and combined in ? per Customer, per Site and per VM. \n (2) Anomaly detection model operates on ? \n (3) Anomaly detection consists of detecting deviations from Holt-Winters predictions. \n (4) Actions: Send email and/or UEB notification" |
| 131 | } |
| 132 | ] |