Back to Knowledgebase

Categories

Account & Billing

Getting Started

Performance Monitoring

Alerts & Notifications

Uptime Monitoring

Security Monitoring

Synthetic User Journey Monitoring

Assurance and Search

Attack Detection Alerts – RUM

Attack Detection via RUM detects all data sent by the browser when end users browse a website, including data from browser plugins and extensions.

For example, an end user might have a browser extension installed such as Honey to give them information about coupons available to use on websites. Each time they navigate to a website, the extension will inject code into the website to contact their services about any relevant coupons that could be used to purchase goods at discounted price. Unfortunately the requests to these hosts are recorded with all other request, so it’s not possible to distinguish from legitimate requests made by the website.

To avoid alerts for untrusted hosts loaded by the end user and not loaded by your website, we allow you to configure settings to reduce the noise.

Real User Request Filter

This is used to filter out false positives and noise by only displaying untrusted hosts that are seen by a percentage of page views. In the example above of a host from a browser extension, not many individuals will have the same browser extensions install, so the actual number of requests to the same untrusted host will likely be low.

For example:

100 page views are made to a website page.

2 page views come from browsers with an extension that sends traffic to an untrusted host.

This means only 2% of page views made a request to the untrusted host.

If you set the filter to 10%, you will not be notified of the new untrusted host as the 2% of page views falls below the 10% filter.

If another untrusted host is detected on 80 page views (out of 100), it means that 80% of page views sent requests to an untrusted host. You will be alerted to this.

The filter can be adjusted from the Attack Detection Settings:

Rule Interval

When calculating the number of page views to a Protected Page and the number of page views that made a request to an untrusted host, we need to know what time frame to use. The Rule Interval will determine how far back we look when generating these values. For example, if this is set to 3 hours, we will count how many page views were made in the last 3 hours.

The higher the value, the more data there will be to compare page views and page views to untrusted hosts.

The Rule Interval can be set on individual Security Alert Rules:

Reducing False Positives

We would recommend tweaking the values of the filter and the Rule Interval if you find that you are receiving alerts to untrusted hosts that you believe do not originate from your website.

Ready To Get Started?

Try our 30-day FREE trial period, and we’ll help you get the most from your account. Be online in minutes; trials expire automatically; no credit card required – discounts for annual payments