Windowing in Alerts
Windowing in Alerts lets you build custom policies that monitor user activity against a threshold within a set time period. For example, you may want to be alerted when a user fails to log in to their account more than 5 times within a 30 minute window from an IP address outside your company's range. That pattern can be a tell-tale sign that the account is compromised or under attack.
Currently, Windowing is available in Activity-based Alerts for Box, Dropbox, Google, Salesforce, and Okta. More integrations and alert types will be added in the future. To use Windowing in your Alerts, please navigate to the Alerts Manager section and select an Activity-based Alert template.
Setting the Window and Threshold
Selecting “After a threshold is exceeded within a given time period” in the Alert lets you set both the threshold and the window. Windowing requires a threshold of more than 2 events for a single user. If you want to be alerted on fewer events than that, set a threshold without a Window instead.
How does Windowing work?
BetterCloud watches for events that meet the alert conditions within the configured time period. The example below illustrates how windowing works: the Alert watches for failed admin login events from Box and considers a single user in violation once 5 such events occur within a one hour window.
Windowing is also well suited to higher thresholds: the maximum number of events you can configure is 1000.
Here is a step-by-step explanation:
- At 6:00am we detect the first failed login event. The window opens and we continue to look for more events within the one hour window.
- By 6:40am we have received a total of 4 failed login events and are still looking for one more within the window before the user is considered in violation of the Alert.
- At 6:50am the 5th event arrives. The Alert now appears as “In Progress” on the Triggered Alerts page, and we keep watching for another hour to see whether the pattern continues.
- A further event at 7:15am falls within one hour of the previous event, so the window stays open. The window remains open until no matching event has been seen for over an hour: the last event was at 7:15am and no other arrived by 8:15am, so the window closes. Once the window is closed, any new matching event starts a separate window.
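The walk-through above expressed as runnable detection logic. This is an added example, not BetterCloud's code: the event field names (event type, outcome), the sample timestamps and the second user are constructed, and because the page does not say how the “Total Window Length” column is computed, the example measures it from the first to the last event in the window. It treats the window as a session: a matching event within the window length of the previous one keeps it open, a longer gap closes it, which is the behaviour the 7:15am and 8:15am steps describe.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Sequence, Tuple

Event = Tuple[str, str, str, str]  # (ISO timestamp, user, event type, outcome)

# Constructed sample events (not real Box audit data). The admin user follows the
# article's timeline; a 9am event should open a second, separate window, and a
# second user never reaches the threshold.
SAMPLE_EVENTS: List[Event] = [
    ("2024-05-01T06:00:00", "admin@example.com", "ADMIN_LOGIN", "FAILED"),
    ("2024-05-01T06:05:00", "other@example.com", "ADMIN_LOGIN", "FAILED"),
    ("2024-05-01T06:10:00", "admin@example.com", "ADMIN_LOGIN", "FAILED"),
    ("2024-05-01T06:25:00", "admin@example.com", "ADMIN_LOGIN", "FAILED"),
    ("2024-05-01T06:40:00", "admin@example.com", "ADMIN_LOGIN", "FAILED"),
    ("2024-05-01T06:45:00", "admin@example.com", "ADMIN_LOGIN", "SUCCESS"),  # not a match
    ("2024-05-01T06:50:00", "admin@example.com", "ADMIN_LOGIN", "FAILED"),   # 5th match
    ("2024-05-01T07:15:00", "admin@example.com", "ADMIN_LOGIN", "FAILED"),   # keeps window open
    ("2024-05-01T09:00:00", "admin@example.com", "ADMIN_LOGIN", "FAILED"),   # starts a new window
]
AS_OF = "2024-05-01T09:30:00"  # "now" for the example run (assumed)


@dataclass
class Window:
    user: str
    opened_at: datetime
    last_event_at: datetime
    count: int = 1
    triggered_at: Optional[datetime] = None  # when count first reached the threshold
    closed_at: Optional[datetime] = None     # None while the window is "In Progress"

    @property
    def in_progress(self) -> bool:
        return self.closed_at is None

    @property
    def triggered(self) -> bool:
        return self.triggered_at is not None


def matches(e: Event) -> bool:
    """Alert condition: a failed admin login (assumed field values)."""
    return e[2] == "ADMIN_LOGIN" and e[3] == "FAILED"


def detect_windows(events: Sequence[Event], threshold: int = 5,
                   window: timedelta = timedelta(hours=1),
                   now: Optional[datetime] = None) -> List[Window]:
    """Group matching events per user into windows. A window opens at a user's
    first match, is extended by every further match arriving within `window`
    of the previous one, is triggered once `threshold` matches are counted,
    and closes `window` after its last event."""
    timeline = sorted((datetime.fromisoformat(e[0]), e[1]) for e in events if matches(e))
    open_windows: Dict[str, Window] = {}
    closed: List[Window] = []
    for ts, user in timeline:
        w = open_windows.get(user)
        if w is not None and ts - w.last_event_at > window:
            # Gap longer than the window: close the old one; this event starts another.
            w.closed_at = w.last_event_at + window
            closed.append(w)
            w = None
        if w is None:
            w = open_windows[user] = Window(user=user, opened_at=ts, last_event_at=ts)
        else:
            w.count += 1
            w.last_event_at = ts
        if not w.triggered and w.count >= threshold:
            w.triggered_at = ts
    if now is not None:  # close anything quiet for longer than the window as of `now`
        for user in list(open_windows):
            w = open_windows[user]
            if now - w.last_event_at > window:
                w.closed_at = w.last_event_at + window
                closed.append(open_windows.pop(user))
    return closed + list(open_windows.values())


def describe(w: Window) -> str:
    """Mimic the Triggered Alerts columns; '+' marks values still growing.
    Total Window Length here is first event to last event (my definition)."""
    length = w.last_event_at - w.opened_at
    if w.in_progress:
        return (f"{w.user}: In Progress since {w.opened_at:%H:%M}, "
                f"Total Window Length {length}+, Final Count {w.count}+")
    return (f"{w.user}: closed {w.closed_at:%H:%M}, "
            f"Total Window Length {length}, Final Count {w.count}")


def run_example() -> List[Window]:
    return detect_windows(SAMPLE_EVENTS, threshold=5, now=datetime.fromisoformat(AS_OF))


if __name__ == "__main__":
    for w in run_example():
        print(("TRIGGERED " if w.triggered else "below threshold ") + describe(w))
```

Running the block reproduces the article's timeline: the admin user's first window is triggered at 6:50am, extended by the 7:15am event and closed at 8:15am with a final count of 6, while the 9:00am event sits in a second window that is still “In Progress” at 9:30am and the other user's single failure never triggers. The comparison uses `>` rather than `>=`, so an event exactly one hour after the previous one still counts as inside the window; tighten it if your policy treats the boundary differently.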
You can view the Alert results by clicking the Alert on the Triggered Alerts page. If a window is currently open, the Window column shows “In Progress” together with the time the window was opened, and the “Total Window Length” and “Final Count” columns show a + sign because the window is still open and the final counts have not yet been calculated.
Clicking the “Window” link will allow you to view all of the events that matched the Alert’s criteria within the window.