Activate high and/or low volume monitoring for a business unit or an account

Introduction

Monitoring your transfer activity helps detect when the number of transfers is abnormally low or high compared with the activity usually observed over the past period. Baselines serve that purpose: they let you calculate the average transfer activity over a day period, then evaluate the current activity against that day period with a certain level of deviation.

Evaluation type concepts

By default, business units and accounts are not configured to perform such evaluations, although the baseline is visible in multiple dashboards. 

Activating high/low volume monitoring evaluation makes sense when the business unit or the account has an activity that follows the same pattern from one day to another.

Depending on the business unit or the account considered, the amount of activity is:

  • Abnormally low – A risk is detected when the activity goes below a certain threshold. A low volume of activity can be a signal that the user might experience some issues in initiating transfers, or that the file transfer system is not available due to some technical reasons.
  • Abnormally high – A risk is detected when the activity goes above a certain threshold. Unexpected high volumes can help detect abnormal/suspicious behavior from the user account. Very high volumes can also present a risk of negative impacts on the overall file transfer system performance.
  • Abnormally high or low – A combination of the two cases mentioned above.

From the resulting computed baseline, a specific level of deviation is used to set an evaluation type. 

To detect a risk, a probability level is applied to determine how far the current activity deviates from what is usually observed. This probability level is configured through a dispersion multiplier that is preset for each evaluation type and that you can adjust subsequently if required. The lower the probability level is, the higher the dispersion multiplier will be.

Dispersion multipliers are set to determine three areas of risks – Normal, Warning and Critical.

To support all these use cases, seven evaluation types have been preconfigured, combining three threshold types with two probability levels.

Code | Evaluation type | Thresholds type | Probability level/dispersion multiplier
--- | --- | --- | ---
HV-LP | High volume - Low probability level | High | Low
LV-LP | Low volume - Low probability level | Low | Low
HLV-LP | High/Low volume - Low probability level | High and Low | Low
HV-HP | High volume - High probability level | High | High
LV-HP | Low volume - High probability level | Low | High
HLV-HP | High/Low volume - High probability level | High and Low | High
NONE | No evaluation | None | None
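
The sketch below is an added illustration of how an evaluation type code maps to a Normal/Warning/Critical result; it is not the product's own computation. It assumes the baseline is the mean of past counts for the same day period, the dispersion is their standard deviation, and the multiplier values are placeholders chosen only so that the lower probability level gets the higher multiplier.

```python
from statistics import mean, pstdev

# Assumed (warning, critical) dispersion multipliers per probability level.
# The page states only that a lower probability level means a higher multiplier.
MULTIPLIERS = {"LP": (3.0, 4.0), "HP": (2.0, 3.0)}
# Which side(s) of the baseline each threshold type evaluates.
SIDES = {"HV": ("high",), "LV": ("low",), "HLV": ("high", "low")}

def evaluate(history, current, evaluation_type):
    """Classify the current count as Normal, Warning or Critical."""
    if evaluation_type == "NONE":
        return "Not evaluated"
    volume, level = evaluation_type.split("-")
    warning_k, critical_k = MULTIPLIERS[level]
    baseline, dispersion = mean(history), pstdev(history)
    result = "Normal"
    for side in SIDES[volume]:
        # Distance from the baseline in the direction this side watches.
        distance = current - baseline if side == "high" else baseline - current
        if distance > critical_k * dispersion:
            return "Critical"
        if distance > warning_k * dispersion:
            result = "Warning"
    return result

# Constructed history: transfers counted in the same day period on past days.
HISTORY = [90, 110, 90, 110, 90, 110]   # mean 100, standard deviation 10

if __name__ == "__main__":
    for code in ("HV-LP", "HV-HP", "LV-HP", "HLV-HP", "NONE"):
        for current in (125, 60):
            print(code, current, evaluate(HISTORY, current, code))
```

With the same burst of 125 transfers, the high probability type raises a Warning while the low probability type stays Normal, and a drop to 60 is invisible to a high-volume-only type.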

High/Low volume evaluation can be applied at global, business unit, and account levels.

When an account requires specific high/low volume monitoring, it is considered a Watched account and is expected to have a pattern of activity over the day period.

Configure global / account / business unit activity monitoring

Evaluation type configuration can be done through a configuration dashboard, APIs, and additional data integration tools such as resources and routes. 

Configuration dashboard

In the top area of the screen, you can configure the evaluation method to apply at global/business unit/account level. You can either deactivate an evaluation from the lists, or activate an evaluation. Just use the links towards the Swagger interface and then call the API with the corresponding parameters as described in the next section.

There can be a lag of 1-2 minutes between the data removal and the effective change on screen.

Configuration APIs

Create a watched account

The watched account should be created from creationTime.

HTTP Method | URL
--- | ---
POST | <base_url>/ws-doc#!/absorb/07_ST_Configuration_02_CreateWatchedAccount

In-line parameters

Name | Description
--- | ---
WatchedAccount | Account identifier.
EvaluationType | Evaluation type code as listed in the reference table.
creationTime | Start time from which the evaluation type should be applied.

Sample request body

{
  "WatchedAccount": "charles",
  "EvaluationType": "HV-LP",
  "creationTime": "2017-12-01T00:00:00.000+01:00"
}

Remove watched account

Removal takes effect immediately.

HTTP Method | URL
--- | ---
POST | <base_url>/ws-doc#!/absorb/07_ST_Configuration_08_RemoveWatchedAccount

In-line parameters

Name | Description
--- | ---
id | Account identifier.

Sample request body

{
  "id": "charles"
}

Create/update business unit evaluation type

HTTP Method | URL
--- | ---
POST | <base_url>/ws-doc#!/absorb/07_ST_Configuration_05_UpdateBusinessUnitEvaluationType

In-line parameters

Name | Description
--- | ---
BusinessUnit | Business unit identifier.
EvaluationType | Evaluation type code as listed in the reference table.
creationTime | Start time from which the evaluation type should be applied.

Sample request body

{
  "BusinessUnit": "MyBank",
  "EvaluationType": "HV-LP",
  "creationTime": "2017-12-01T00:00:00.000+01:00"
}

This operation will raise an HTTP 500 error if the business unit is not registered yet. You may need to retrieve the latest list of business units from SecureTransport and refresh the reference data from the list by clicking the Load data from SecureTransport button.

Remove business unit evaluation type

Removal takes effect immediately.

HTTP Method | URL
--- | ---
POST | <base_url>/ws-doc#!/absorb/07_ST_Configuration_09_RemoveBUEvaluationType

In-line parameters

Name | Description
--- | ---
id | Business unit identifier.

Sample request body

{
  "id": "MyBank"
}

Update global evaluation type

HTTP Method | URL
--- | ---
POST | <base_url>/ws-doc#!/absorb/07_ST_Configuration_07_UpdateGlobalEvaluationType

In-line parameters

Name | Description
--- | ---
evaluationType | Evaluation type code as listed in the reference table. If not set, the global evaluation will be cleared.
creationTime | Start time from which the evaluation type should be applied.

Sample request body

{
  "evaluationType": "LV-LP",
  "creationTime": "2017-12-01T00:00:00.000+01:00"
}

Resources/routes

Using resources and routes can be convenient when you need to configure evaluations for multiple accounts or business units at once.

This operation currently consists of managing the configuration data within internal resources, then running the corresponding routes for the changes to take effect.

All the tools created for that purpose are located in the 07-ST-Configuration space when you click Data integration in the main menu. 

Update the configuration resource

From Data integration, click Resources on the left menu and change the corresponding resource content.

  • To add a watched account, modify the 02_WatchedAccounts resource.
  • To configure a business unit, modify the 05_BusinessUnitEvaluationType resource.

Internal resources must be written using the CSV format. For each resource considered, the first line will be taken as a header and all fields must be separated by a comma.

Both resources follow the same structure, consisting of the business unit or the watched account ID and the code of the evaluation type to be applied.

Watched account resource

WatchedAccount,EvaluationType,creationTime
Acc_Test,HLV-LP,2017-11-01T00:00:00.000+01:00

Business unit resource

BusinessUnit,EvaluationType,creationTime
Test,HLV-LP,2017-11-01T00:00:00.000+01:00
MyBank,HLV-HP,2017-11-01T00:00:00.000+01:00
Internal,HLV-HP,2017-11-01T00:00:00.000+01:00
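
Because a bad row in one of these resources silently changes which accounts or business units are monitored, it is worth checking the CSV before running the route. The validator below is an added example, not part of the product: it checks the header, the evaluation type codes from the reference table and the creationTime format, and it assumes each identifier should appear only once.

```python
import csv
import io
from datetime import datetime

# Codes from the evaluation type reference table on this page.
EVALUATION_TYPES = {"HV-LP", "LV-LP", "HLV-LP", "HV-HP", "LV-HP", "HLV-HP", "NONE"}
ID_COLUMNS = ("WatchedAccount", "BusinessUnit")

def validate_resource(text):
    """Return (valid_rows, errors) for a watched account or business unit resource."""
    reader = csv.DictReader(io.StringIO(text))
    header = reader.fieldnames or []
    if (len(header) != 3 or header[0] not in ID_COLUMNS
            or header[1:] != ["EvaluationType", "creationTime"]):
        return [], [f"line 1: unexpected header {header}"]
    id_col, rows, errors, seen = header[0], [], [], set()
    for row in reader:
        line = reader.line_num
        if None in row or None in row.values():
            errors.append(f"line {line}: expected 3 comma-separated fields")
            continue
        ident = row[id_col].strip()
        problems = []
        if not ident:
            problems.append("empty identifier")
        elif ident in seen:  # assumption: one evaluation type per identifier
            problems.append(f"duplicate identifier {ident!r}")
        if row["EvaluationType"] not in EVALUATION_TYPES:
            problems.append(f"unknown evaluation type {row['EvaluationType']!r}")
        try:
            when = datetime.fromisoformat(row["creationTime"])
            if when.tzinfo is None:
                problems.append("creationTime has no UTC offset")
        except ValueError:
            problems.append(f"unparseable creationTime {row['creationTime']!r}")
        if problems:
            errors.extend(f"line {line}: {p}" for p in problems)
        else:
            seen.add(ident)
            rows.append(row)
    return rows, errors

# Constructed sample: line 2 is valid, lines 3 to 5 each carry one defect.
SAMPLE = """BusinessUnit,EvaluationType,creationTime
Test,HLV-LP,2017-11-01T00:00:00.000+01:00
MyBank,HLV-XP,2017-11-01T00:00:00.000+01:00
Internal,HLV-HP,2017-11-01 00:00
Test,HV-LP,2017-11-01T00:00:00.000+01:00
"""
```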

Run the configuration route

On the left menu, click Routes, and start (or stop and restart) the following routes:

  • To add a watched account, run the 02_CreateWatchedAccounts routing context.
  • To configure a business unit, run the 05_UpdateBusinessUnitEvaluationType routing context.

Evaluation recomputing

Some operations have to take effect multiple days back in the past and therefore require you to trigger the computation of the corrective values.

To achieve that, go to Security & Monitoring > Computing and flush the pending events.

