Security Analytics Out-of-the-Box Policies
The following table lists the Security Analytics Out-of-the-Box Policies with the rules defined for each policy.
You can perform the following tasks on any of these policies:
- Change service/group assignments.
- Disable/enable them.
You cannot perform the following tasks on any of these policies:
- Delete them.
- Edit Policy names.
Note: Additional information about the Out-of-the-Box Policies can be found in the User Interface under
Health & Wellness – Policies.
| Policy Name | Rule Name | Alarm Triggered |
|---|---|---|
| Communication Failure Between Master Security Analytics Host and a Remote Host | Host is down, Network is down, Message Broker is Down, or Invalid or missing security certificates for 10 minutes or more. | |
| SA Host Monitoring Policy | Critical Usage on Rabbitmq Message Broker Filesystem | For var/lib/rabbitmq, Mounted Filesystem Disk Usage goes over 75%. |
| Filesystem is Full | Overall Mounted Filesystem Disk Usage reaches 100%. | |
| High Filesystem Usage | Overall Mounted Filesystem Disk Usage goes over 95%. | |
| High System Swap Utilization | Swap Utilization goes under 5 % for 5 minutes or more. | |
| High Usage on Rabbitmq Message Broker Filesystem | Mounted Filesystem Disk Usage for var/lib/rabbitmq goes over 60%. | |
| Host Unreachable | Host down. | |
| LogCollector Event Processor Exchange Bindings Status | Issue with Log Collection Message Broker Queues for 10 minutes or more. | |
| LogCollector Event Processor Queue with No Bindings | Issue with Log Collection Message Broker Queues for 10 minutes or more. | |
| LogCollector Event Processor Queue with No Consumers | Issue with Log Collection Message Broker Queues for 10 minutes or more. | |
| Power Supply Failure | Host not receiving power. | |
| RAID Logical Drive Degraded | For Raid Logical Drive, Drive State equals Degraded or Partially Degraded. | |
| RAID Logical Drive Failed | For Raid Logical Drive, Logical Drive State equals Offline, Failed, or Unknown. | |
| RAID Logical Drive Rebuilding | For Raid Logical Drive, Logical Drive State equals Rebuild. | |
| RAID Physical Drive Failed | For Raid Physical Drive, Physical Drive State does not equal Online, Online Spun Up, or Hotspare. | |
| RAID Physical Drive Failure Predicted | For Raid Physical Drive, Physical Drive Predictive Failure Count is greater than 1. | |
| RAID Physical Drive Rebuilding | For Raid Physical Drive, Physical Drive State equals Rebuild. | |
| RAID Physical Drive Unconfigured | For Raid Physical Drive, Physical Drive State contains Unconfigured(good). | |
| SD Card Failure | SD Card Status does not equal ok. | |
| SA Archiver Monitoring Policy | Archiver Aggregation Stopped | Archiver Status does not equal started. |
| Archiver Database(s) Not Open | Database Status does not equal opened. | |
| Archiver Not Consuming From Service | Devices Status does not equal consuming. | |
| Archiver Service in Bad State | Service State does not equal started or ready. | |
| Archiver Service Stopped | Server Status does not equal started. | |
| SA Broker Monitoring Policy | Broker >5 Pending Queries | Queries Pending greater than or equal to 5 for 10 minutes or more. |
| Broker Aggregation Stopped | Broker Status does not equal started. | |
| Broker Not Consuming From Service | Devices Status does not equal consuming. | |
| Broker Service in Bad State | Service State does not equal started or ready. | |
| Broker Service Stopped | Server Status does not equal started. | |
| Broker Session Rate Zero | Session Rate (current) equals 0 for 2 minutes or more. | |
| Security Analytics Concentrator Monitoring Policy | Concentrator >5 Pending Queries | Queries Pending greater than or equal to 5 for 10 minutes or more. |
| Concentrator Aggregation Behind >100K Sessions | Devices Sessions Behind is greater than or equal to 100000 for 1 minute or more. | |
| Concentrator Aggregation Behind >1M Sessions | Devices Sessions Behind is greater than or equal to 1000000 for 1 minute or more. | |
| Concentrator Aggregation Behind >50M Sessions | Devices Sessions Behind is greater than or equal to 50000000 for 1 minute or more. | |
| Concentrator Aggregation Stopped | Broker Status does not equal started. | |
| Concentrator Database(s) Not Open | Database Status does not equal opened. | |
| Concentrator Meta Rate Zero | Concentrator Meta Rate (current) equals 0 for 2 minutes or more. | |
| Concentrator Not Consuming From Service | Devices Status does not equal consuming. | |
| Concentrator Service in Bad State | Service State does not equal started or ready. | |
| Concentrator Service Stopped | Server Status does not equal started. | |
| Security Analytics Decoder Monitoring Policy | Decoder Capture Not Started | Capture Status does not equal started. |
| Decoder Capture Rate Zero | Capture Rate (current) equals 0 for 2 minutes or more. | |
| Decoder Database Not Open | Database Status does not equal opened. | |
| Decoder Dropping >1% of Packets | Capture Packets Percent Dropped (current) is greater than or equal to 1%. | |
| Decoder Dropping >10% of Packets | Capture Packets Percent Dropped (current) is greater than or equal to 10%. | |
| Decoder Dropping >5% of Packets | Capture Packets Percent Dropped (current) is greater than or equal to 5%. | |
| Decoder Packet Capture Pool Depleted | Packet Capture Queue equals 0 for 2 minutes or more. | |
| Decoder Service in Bad State | Service State does not equal started or ready. | |
| Decoder Service Stopped | Server Status does not equal started. | |
| Security Analytics Event Steam Analysis Monitoring Policy | ESA Overall Memory Utilization > 85% | Total ESA Memory Usage % is greater than or equal to 85 %. |
| ESA Overall Memory Utilization > 95% | Total ESA Memory Usage % is greater than or equal to 95 %. | |
| ESA Service Stopped | Server Status does not equal started. | |
| ESA Trial Rules Disabled | Trial Rules Status does not equal enabled. | |
| Security Analytics IPDB Extractor Monitoring Policy | IPDB Extractor Service in Bad State | Service State does not equal started or ready. |
| IPDB Extractor Service Stopped | Server Status does not equal started. | |
| Security Analytics Incident Management Monitoring Policy | Incident Management Service Stopped | Server Status does not equal started. |
| Security Analytics Log Collector Monitoring Policy | Log Collector Service Stopped | Server Status does not equal started. |
| Log Decoder Event Queue > 50% Full | Number of events currently in the queue is using 50% or more of the queue. | |
| Log Decoder Event Queue > 80% Full | Number of events currently in the queue is using 80% or more of the queue. | |
| Log Collector Service in Bad State | Service State does not equal started or ready. | |
| Security Analytics Log Decoder Monitoring Policy | Decoder Dropping>10% of Packets | Capture Packets Percent Dropped (current) is greater than or equal to 10% |
| Log Capture Not Started | Capture Status does not equal started. | |
| Log Decoder Capture Rate Zero | Capture Rate (current) equals 0 for 2 minutes or more. | |
| Log Decoder Database Not Open | Database Status does not equal opened. | |
| Log Decoder Dropping >1% of Logs | Capture Packets Percent Dropped (current) is greater than or equal to 1%. | |
| Log Decoder Dropping >5% of Logs | Capture Packets Percent Dropped (current) is greater than or equal to 5%. | |
| Log Decoder Packet Capture Pool Depleted | Packet Capture Queue equals 0 for 2 minutes or more. | |
| Log Decoder Service Stopped | Server Status does not equal started. | |
| Log Decoder Service in Bad State | Service State does not equal started or ready. | |
| Security Analytics Malware Analysis Monitoring Policy | Malware Analysis Service Stopped | Server Status does not equal started. |
| Security Analytics Reporting Engine Monitoring Policy | Reporting Engine Alerts Critical Utilization | Alerts Utilization is greater than or equal to 10 for 5 minutes or more. |
| Reporting Engine Available Disk <10% | Available disk space is less than 10%. | |
| Reporting Engine Available Disk <5% | Available disk space is less than or equal to 5%. | |
| Reporting Engine Charts Critical Utilization | Charts Utilization is greater than or equal to 10 for 5 minutes or more. | |
| Reporting Engine Rules Critical Utilization | Rules Utilization is greater than or equal to 10 for 5 minutes or more. | |
| Reporting Engine Schedule Task Pool Critical Utilization | Schedule Task Pool Utilization is greater than or equal to 10 for 15 minutes or more. | |
| Reporting Engine Service Stopped | Server Status does not equal started. | |
| Reporting Engine Shared Task Critical Utilization | Shared Task Pool Utilization is greater than or equal to 10 for 5 minutes or more. | |
| Security Analytics Warehouse Connector Monitoring Policy | Warehouse Connector Service in Bad State | Service State does not equal started or ready. |
| Warehouse Connector Service Stopped | Server Status does not equal started. | |
| Warehouse Connector Stream Behind | Stream Behind is greater than or equal to 2000000. | |
| Warehouse Connector Stream Disk Utilization > 75% | Stream Disk Usage (Pending Destination Load) is greater than or equal to 75. | |
| Warehouse Connector Stream in Bad State | Stream Status does not equal consuming or online for 10 minutes r more. | |
| Warehouse Connector Stream Permanently Rejected Files > 300 | Number of files in the permanently rejected files is greater than or equal to 300. | |
| Warehouse Connector Stream Permanently Rejected Folder > 75% Full | Rejected folder usage is greater than or equal to 75%. | |
| Security Analytics Workbench Monitoring Policy | Workbench Service in Bad State | Service State does not equal started or ready. |
| Workbench Service Stopped | Server Status does not equal started. |
You are here: References > Health and Wellness > Policies View > Security Analytics Out-of-the-Box Policies