We have already opened a case with CA on this, but I figured I would reach out to see if anyone else has experienced anything similar...
We upgraded to 9.5.2 about 5 months ago, and recently we have begun seeing several false alerts, mostly with summary alerts, within the Workstation. To clarify: a summary alert will show as being in a danger state (3 in Investigator), when none of the underlying alerts are in a danger state. The implications for this are pretty obvious - our customers, and executives, are beginning to lose trust in the data being reported by Introscope. The dashboards that show the status of these alerts are used regularly and provide no value when the data is not reliable.
Below are some screenshots where we have configured a summary alert with only 1 underlying alert, which is in a normal state (1 in Investigator). The summary alert, however, is showing as being in a danger state, and has been for weeks now.
Here is the configuration of the summary alert:
Here is the configuration of the individual alert:
Here is the status of the individual alert in the Investigator (showing normal state of 1):
Here is the status of the summary alert in the Investigator (showing danger status of 3):