Attack Detection Alerts - RUM

Attack Detection via RUM detects all data sent by the browser when end users browse a website, including data from browser plugins and extensions.

For example, an end user might have a browser extension installed such as Honey to give them information about coupons available to use on websites. Each time they navigate to a website, the extension will inject code into the website to contact their services about any relevant coupons that could be used to purchase goods at discounted price. Unfortunately the requests to these hosts are recorded with all other requests, so it’s not possible to distinguish from legitimate requests made by the website.

To avoid alerts for untrusted hosts loaded by the end user and not loaded by your website, we allow you to configure settings to reduce the noise.

Real User Request Filter

This is used to filter out false positives and noise by only displaying untrusted hosts that are seen by a percentage of page views. In the example above of a host from a browser extension, not many individuals will have the same browser extensions install, so the actual number of requests to the same untrusted host will likely be low.

For example:

100 page views are made to a website page.

2 page views come from browsers with an extension that sends traffic to an untrusted host.

This means only 2% of page views made a request to the untrusted host.

If you set the filter to 10%, you will not be notified of the new untrusted host as the 2% of page views falls below the 10% filter.

If another untrusted host is detected on 80 page views (out of 100), it means that 80% of page views sent requests to an untrusted host. You will be alerted to this.

The filter can be adjusted from the Attack Detection Settings:

Rule Interval

When calculating the number of page views to a Protected Page and the number of page views that made a request to an untrusted host, we need to know what time frame to use. The Rule Interval will determine how far back we look when generating these values. For example, if this is set to 3 hours, we will count how many page views were made in the last 3 hours.

The higher the value, the more data there will be to compare page views and page views to untrusted hosts.

Reducing False Positives

We would recommend tweaking the values of the filter and the Rule Interval if you find that you are receiving alerts to untrusted hosts that you believe do not originate from your website.

Cookie	Duration	Description
cookielawinfo-checbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Categories