Attack Detection Filtering Explained
Your Attack Detection dashboard shows you statistics and a list of Pending Hosts, determined by the “Time Period” option at the very top of the page.
The default is 30 days.
We will show a list of all hosts found within the time period, depending on two conditions:
- Hosts must be “pending” – i.e. they haven’t been added to your safe list.
- If you have Real User Monitoring active on your site, and you have set a filter, then the host will only appear if it exceeds the filter setting.
How does the Filter work?
We record each time a user visits your page for a count of total page views. We also record each time a pending host is present on your pages, which we call Pending page views.
Some hosts are not present every time a page loads – they appear and disappear depending on a number of factors, so not all page views will encounter the host. (For examples, see below.)
If you have a total of 100 page visits, you might have only 25 visits where the host appears. We would then say this host has appeared 25% of the time (25/100).
The Filter is used to hide hosts that have appeared infrequently. Therefore you can use the filter to remove rarely seen hosts that only affect a small percentage of your traffic.
Setting the Filter to 25%, for example, will remove any hosts that have appeared in fewer than 25% of your total page views.
When the Filter is active, it is applied to the current time period shown on your dashboard. When you are set to 30 days, you will see 30 days’ worth of total page views.
When set to 1 day, you’ll only see that day’s page traffic. It’s likely your 1 day traffic is much lower, and therefore it is much more likely that a host’s appearance percentage will be higher than your filter.
For example: over 30 days, your checkout might have 300 visits. In just 1 day, it might receive only 10 visits. If your filter is set to 20%, it would only take 2 visits to reach the required level to appear.
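The example below is added here for illustration and is not RapidSpike's code: it recomputes the appearance percentage over constructed page-view records and shows the same 20% filter hiding a host over 30 days but showing it over 1 day. The record layout, function names and host names are assumptions, as is treating a host that exactly reaches the filter value as shown.

```python
from collections import Counter
from datetime import date, timedelta

END = date(2024, 1, 30)  # constructed "today" for the sample data


def build_sample():
    """Constructed data: 30 days x 10 checkout page views = 300 views."""
    views = []
    for offset in range(30):
        day = END - timedelta(days=offset)
        for i in range(10):
            hosts = []
            if i < 5:                      # present on half of all views
                hosts.append("cdn.example")
            if offset == 0 and i < 2:      # seen twice, on the last day only
                hosts.append("rare-widget.example")
            views.append({"day": day, "pending_hosts": hosts})
    return views


def pending_host_rates(page_views, end_day, period_days):
    """Percentage of page views in the time period on which each host appeared."""
    start = end_day - timedelta(days=period_days - 1)
    window = [pv for pv in page_views if start <= pv["day"] <= end_day]
    if not window:
        return {}
    seen = Counter()
    for pv in window:
        seen.update(set(pv["pending_hosts"]))  # count a host once per page view
    return {host: 100.0 * n / len(window) for host, n in seen.items()}


def visible_hosts(page_views, end_day, period_days, filter_pct):
    """Hosts left on the list after the filter (assumption: >= filter is shown)."""
    rates = pending_host_rates(page_views, end_day, period_days)
    return sorted(h for h, pct in rates.items() if pct >= filter_pct)


SAMPLE = build_sample()

if __name__ == "__main__":
    for days in (30, 1):
        rates = pending_host_rates(SAMPLE, END, days)
        shown = visible_hosts(SAMPLE, END, days, filter_pct=20)
        print(f"{days:>2} day(s): rates={rates} shown={shown}")
```

When triaging, a host that only shows up after switching to a shorter time period has not necessarily become more common; the denominator has shrunk.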
Why do some hosts appear infrequently?
Your website likely doesn’t load the same way for all visitors, so some hosts will appear for some, but not all, of your traffic. Reasons for this may include: A/B testing, ad services rotating ads, third parties updating their CDNs and other providers to use new files and locations, and services varying their content depending on user demographics (location, device).
RapidSpike Real User Monitoring is extremely sensitive to data being sent by users on your website and therefore, as a side effect of this process, is able to detect data sent by browser plugins and extensions.
For example, a user might have a browser extension installed: each time they navigate a website, the extension injects code into the website. RapidSpike records these hosts with all other requests.
The primary reason for the Filter option is to try to reduce the noise that these “false positives” might cause, because they do not represent a threat to your site.