# Traffic visibility drop alerting

## Overview

Starting in the v9.11 release, Brain appliances will monitor three metrics for abnormality:

* **The number of observed IP addresses** - Aggregate for entire deployment
* **The observed traffic bandwidth (per Sensor)**
* **The observed packet counts (per Sensor)**

For each of these metrics, the system collects data, determines a baseline, and creates a system health alert when the metric crosses a critical threshold. The system does not know the exact cause, but the likely situation is that an external network event (e.g. switch reconfiguration) has reduced network observability.

{% hint style="info" %}
**Please Note:**

For the initial v9.11 release, this monitoring will be live but notifications will be disabled. Vectra will release this feature progressively over the course of the v9.11 release and invites customer feedback for efficacy and accuracy through your normal support channels.
{% endhint %}

Vectra expects a high correlation between losses in network observability and the system health alerts related to traffic visibility drops. Customers receiving these notifications are advised to investigate their network traffic monitoring to determine what event(s) may have caused a loss in visibility.

Alerts can be received by email, webhook, retrieved via API call, or received via Syslog (QUX deployments only).

## Alerting Configuration

Traffic visibility drop alerts are a subcategory of system health alerts. If you are receiving system health alerts by any supported method, you will also receive these traffic visibility drop alerts. An alert is created when a metric becomes critical and again when the metric returns to normal.

System health alert notification methods:

**Email notification:** Please see [System alerts](/configuration/response/notifications/system-alerts.md) for details.

**Webhook notification:** Please see [External app alerts (webhook)](/configuration/response/notifications/external-app-alerts-webhook.md) for details.

{% hint style="info" %}
**Please Note:**

For Webhook notifications, an alert will be sent when a metric becomes critical, but there will be no alert sent when the metric returns to normal. This is expected behavior and is not cause for alarm.
{% endhint %}

**API:**

* Perform a `GET` against the `/events/health` endpoint
  * Example URL: `https://VECTRA_PORTAL_URL/api/v3.4/events/health/`
* For RUX API details, please see [https://apidocs.vectra.ai](https://apidocs.vectra.ai/)
  * Example URL: `https://VECTRA_PORTAL_URL/api/v3.4/events/health`
* For QUX API details, please see [v2.5 API guide (QUX)](/configuration/access/api-qux/v25-api-guide-qux.md)
  * Example URL: `http://your_QUX_URL_or_IP/api/v2.5/events/health`

**Syslog** (for QUX deployments only): Please see the [Syslog Guide (QUX)](/configuration/response/notifications/syslog-guide-qux.md)

## Metric Thresholds

There are no specific thresholds shared because the system calculates what is normal for each system automatically.

Customers with extremely noisy traffic graphs (wide fluctuations vs predictable patterns) or very low bandwidth may see alerts created when not desired, or no alert created when one is desired. If this happens in your deployment, please open a support ticket. There are some underlying parameters that the system may not be able to calculate automatically, and Vectra can alter them to attempt to optimize for your deployment.
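The sketch below is an added illustration, not Vectra's algorithm (which this page does not disclose): a rolling-median baseline with hysteresis that emits the critical / return-to-normal pair and shows why noisy or very low traffic misbehaves. The function name, window, ratios, traffic floor and all three sample series are constructed assumptions.

```python
from statistics import median

def visibility_alerts(samples, window=12, drop_ratio=0.5,
                      recover_ratio=0.8, min_baseline=100.0):
    """Return [(index, state)] transitions for one metric series.

    Hypothetical parameters, chosen for illustration only:
      window        - number of normal samples used for the baseline
      drop_ratio    - critical when value < drop_ratio * baseline
      recover_ratio - normal again when value >= recover_ratio * baseline
      min_baseline  - below this the series is too quiet to judge
    """
    history = []       # samples seen while the state was normal
    critical = False
    events = []
    for i, value in enumerate(samples):
        if len(history) < window:          # still learning the baseline
            history.append(value)
            continue
        baseline = median(history[-window:])
        if baseline < min_baseline:        # very low traffic: no verdict
            history.append(value)
            continue
        if not critical and value < drop_ratio * baseline:
            critical = True
            events.append((i, "critical"))
        elif critical and value >= recover_ratio * baseline:
            critical = False
            events.append((i, "normal"))
        if not critical:                   # a drop must not lower the baseline
            history.append(value)
    return events

# Constructed sample series (packets per interval for one Sensor).
STEADY = [1000, 1020, 980, 1010, 990, 1005, 995, 1000, 1015, 985, 1000, 1010,
          200, 180, 210,       # e.g. a mirror port stops feeding the Sensor
          950, 1000]           # traffic restored
NOISY = [2000, 300] * 8        # wide fluctuations: alert flaps on ordinary dips
QUIET = [20, 25, 15, 30] * 3 + [0, 0, 0]  # total loss, but never judged

if __name__ == "__main__":
    for name, series in (("steady", STEADY), ("noisy", NOISY), ("quiet", QUIET)):
        print(name, visibility_alerts(series))
```

On the steady series the drop and the recovery each produce one event; the noisy series flaps on ordinary dips, and the quiet series never alerts even though traffic falls to zero.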

## Example Alert Messages

Below are some example email alert messages for a system crossing the critical threshold for observed IPs and another message for when the observed IP count returns to normal.

Alerts for other visibility drops (bandwidth, packet counts) would look similar. Alerts through other channels such as Webhook, API, or syslog (QUX only) would also contain similar language.

<figure><img src="/files/llR8nq3FBfkWKZSvmpA4" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/hb1RwjcxpzH5qN6XhYNa" alt=""><figcaption></figcaption></figure>


