When viewing security reports, you may occasionally see a warning that data may have been sampled.
In data analysis, sampling is the act of analyzing a representative amount, or subset, of available data in order to glean meaningful insights. For example, when researchers conduct opinion polls, they can’t ask everyone. So they select a slice of the population to serve as a representative sample and take that smaller percentage of answers to illustrate trends of the entire population.
Security reports sometimes sample excessive data for two main reasons:
- Readability. When numbers get very large, it may be hard to see patterns through all the noise. When you view a representative sample, it may be easier to see trends and patterns in traffic and detections.
- Performance. To deliver results faster, we sample when numbers get exceedingly high and full processing may interfere with performance.
Sampling applies to a specific set of detections when triggers exceed a certain threshold, and only to events that result in non-mitigating actions, like monitor and alert. Any activity that triggers a mitigating action, like deny, tarpit, or challenge, is reported in totality. The sampling rate is 10% unless otherwise noted and applies only to the following detections:
- Request Anomaly
- Browser Impersonator (beta)
- Akamai-categorized bots
- Custom-categorized bots
- Custom rules (sampled at 50%)
You may see sampling in any report where these detections appear in results, like Bot Trends, Web Security Analytics, Bot Intelligence Report, WAF Trends, and more.
As mentioned, you’ll get more meaningful insights faster. Sampling is for reporting only and has no impact on detections or accuracy.
If reports show a sudden drop in the number of security events, it may be because sampling kicked in at that time.
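A ratio check can help tell a sampling artifact from a real decline in traffic. This is an added example, not Akamai code: it assumes reports show the sampled count unscaled, and the function names, the `tolerance` and `min_drop` heuristics, and the hourly counts are constructed for illustration.

```python
# Added example. Rates and detection names are the ones listed on this page.
SAMPLED_DETECTIONS = {
    "Request Anomaly": 0.10,
    "Browser Impersonator": 0.10,
    "Akamai-categorized bots": 0.10,
    "Custom-categorized bots": 0.10,
    "Custom rules": 0.50,
}
NON_MITIGATING = {"monitor", "alert"}  # deny, tarpit, challenge are reported in full


def sampling_rate(detection, action):
    """Rate that can apply to this series, or None if it is always reported in full."""
    if action.lower() not in NON_MITIGATING:
        return None
    return SAMPLED_DETECTIONS.get(detection)


def classify_drops(detection, action, counts, tolerance=0.25, min_drop=0.30):
    """Return (index, ratio, verdict) for each notable drop between intervals.

    tolerance and min_drop are assumed heuristics, not Akamai values.
    """
    rate = sampling_rate(detection, action)
    findings = []
    for i in range(1, len(counts)):
        prev, cur = counts[i - 1], counts[i]
        if prev == 0 or cur > prev * (1 - min_drop):
            continue  # no drop, or too small to matter
        ratio = cur / prev
        if rate is not None and abs(ratio - rate) <= tolerance * rate:
            verdict = "consistent with sampling onset"
        else:
            verdict = "not explained by sampling"
        findings.append((i, round(ratio, 3), verdict))
    return findings


if __name__ == "__main__":
    # Constructed hourly report counts, not real data.
    series = [
        ("Request Anomaly", "alert", [42000, 45000, 4600, 4400]),
        ("Custom rules", "monitor", [80000, 40000, 39500]),
        ("Request Anomaly", "deny", [42000, 45000, 4600]),
    ]
    for detection, action, counts in series:
        print(detection, action, classify_drops(detection, action, counts))
```

Confirm any flagged interval against the full event record in your SIEM feed before treating the drop as a reporting artifact.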
If you encounter sampling in reports, but want to reduce its impact, tune your detection settings.
If huge numbers of requests are flagged by detections, you may be able to fix it with a quick tweak to your setup.
If you have native apps or machine devices making requests to your site or APIs, you need to let bot management know. Automated requests like this are typical of bots and therefore trigger detections, which show up in reports as high bot numbers, creating lots of unhelpful noise. For example, if you have a mobile app you give to customers, and it makes requests to your website or API, you make bot manager aware by defining that app. How you define client types like this depends upon what product you use. Read how to:
After you fix this issue, and detections skip device-based traffic that you expect, you'll see more relevant results. The non-human requests that show up in reports will actually be those made by bots.
Use your favorite Security Information and Event Management (SIEM) solution to analyze all security events generated from the Akamai platform. Capture, retain, and deliver security information and events to your SIEM app in near real time. This is a great way to keep a record of all your security events, even when you run up against sampling in a particular report. Learn more about SIEM setup.