Attack Detection via RUM sees all data sent by the browser when end users browse a website, including requests made by browser plugins and extensions.
For example, an end user might have a browser extension installed, such as Honey, that gives them information about coupons available to use on websites. Each time they navigate to a website, the extension injects code into the page to contact its services about any relevant coupons that could be used to purchase goods at a discounted price. Unfortunately the requests to these hosts are recorded alongside all other requests, so it is not possible to distinguish them from legitimate requests made by the website.
To avoid alerts for untrusted hosts that are loaded by the end user's browser rather than by your website, you can configure settings that reduce the noise.
Real User Request Filter
This is used to filter out false positives and noise by only displaying untrusted hosts that are seen in at least a given percentage of page views. In the example above of a host contacted by a browser extension, not many individuals will have the same browser extension installed, so the actual number of page views making requests to that untrusted host will likely be low.
Suppose 100 page views are made to a website page.
2 page views come from browsers with an extension that sends traffic to an untrusted host.
This means only 2% of page views made a request to the untrusted host.
If you set the filter to 10%, you will not be notified of the new untrusted host as the 2% of page views falls below the 10% filter.
If another untrusted host is detected on 80 page views (out of 100), it means that 80% of page views sent requests to an untrusted host. You will be alerted to this.
The filter can be adjusted from the Attack Detection Settings:
When calculating the number of page views to a Protected Page and the number of page views that made a request to an untrusted host, we need to know what time frame to use. The Rule Interval will determine how far back we look when generating these values. For example, if this is set to 3 hours, we will count how many page views were made in the last 3 hours.
The higher the value, the more page views there are to compare against the page views that made requests to untrusted hosts.
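The following is an added worked example of the filter and Rule Interval logic described above; it is not code from the product or its documentation. It reproduces the numbers used in this page (100 page views, 2 from an extension, 80 to another untrusted host) on constructed RUM request records, and assumes hypothetical host names and a fixed "current time". Page views older than the Rule Interval are excluded from both the total and the per-host counts, and a host is reported only when its share of page views reaches the filter percentage.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed "current time" and hosts; none of these values come from the page.
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
SITE_HOST = "www.example.com"                    # the Protected Page's own host (assumed)
TRUSTED_HOSTS = {SITE_HOST, "api.example.com"}   # hosts the website legitimately contacts (assumed)


def build_sample_records():
    """Constructed RUM data: one (page_view_id, requested_host, timestamp) per request."""
    records = []
    for view in range(1, 101):                   # 100 page views within the last hour
        ts = NOW - timedelta(minutes=view % 60)
        records.append((view, SITE_HOST, ts))
        if view <= 2:                            # 2 visitors run a coupon extension that phones home
            records.append((view, "coupons.extension.example", ts))
        if view <= 80:                           # 80 page views load an unexpected third-party host
            records.append((view, "cdn.unknown-third-party.example", ts))
    # One stale page view 5 hours ago, outside a 3-hour Rule Interval, hitting yet another host.
    records.append((999, SITE_HOST, NOW - timedelta(hours=5)))
    records.append((999, "stale.host.example", NOW - timedelta(hours=5)))
    return records


def untrusted_host_ratios(records, trusted_hosts, now, interval_hours):
    """Return {host: (page_views_with_host, total_page_views, percent)} for untrusted hosts
    seen within the last `interval_hours` (the Rule Interval)."""
    window_start = now - timedelta(hours=interval_hours)
    all_views = set()
    views_per_host = defaultdict(set)            # host -> set of page view ids that requested it
    for view_id, host, ts in records:
        if ts < window_start or ts > now:        # outside the Rule Interval: ignore entirely
            continue
        all_views.add(view_id)
        if host not in trusted_hosts:
            views_per_host[host].add(view_id)
    total = len(all_views)
    if total == 0:
        return {}
    return {
        host: (len(views), total, 100.0 * len(views) / total)
        for host, views in views_per_host.items()
    }


def hosts_to_alert(records, trusted_hosts, now, interval_hours, threshold_pct):
    """Untrusted hosts whose share of page views reaches the Real User Request Filter percentage."""
    ratios = untrusted_host_ratios(records, trusted_hosts, now, interval_hours)
    return sorted(host for host, (_, _, pct) in ratios.items() if pct >= threshold_pct)


if __name__ == "__main__":
    recs = build_sample_records()
    for host, (seen, total, pct) in untrusted_host_ratios(recs, TRUSTED_HOSTS, NOW, 3).items():
        print(f"{host}: {seen}/{total} page views ({pct:.1f}%)")
    print("alert:", hosts_to_alert(recs, TRUSTED_HOSTS, NOW, 3, threshold_pct=10))
```

With a 3-hour Rule Interval and a 10% filter, the extension host (2%) is suppressed, the host seen on 80 page views is reported, and the stale page view does not appear at all; widening the interval to 6 hours brings that stale page view back into the counts.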
The Rule Interval can be set on individual Security Alert Rules:
Reducing False Positives
We recommend tweaking the filter percentage and the Rule Interval if you find that you are receiving alerts for untrusted hosts that you believe do not originate from your website.