Security Analytics Out-of-the-Box Policies
The following table lists the Security Analytics Out-of-the-Box Policies with the rules defined for each policy.
You can perform the following tasks on any of these policies:
- Change service/group assignments.
- Disable/enable them.
You cannot perform the following tasks on any of these policies:
- Delete them.
- Edit Policy names.
Note: Additional information about the Out-of-the-Box Policies can be found in the User Interface under Health & Wellness – Policies.
| Policy Name | Rule Name | Alarm Triggered |
|---|---|---|
| Communication Failure Between Master Security Analytics Host and a Remote Host | | Host is down, Network is down, Message Broker is Down, or Invalid or missing security certificates for 10 minutes or more. |
| SA Host Monitoring Policy | Critical Usage on Rabbitmq Message Broker Filesystem | For var/lib/rabbitmq, Mounted Filesystem Disk Usage goes over 75%. |
| SA Host Monitoring Policy | Filesystem is Full | Overall Mounted Filesystem Disk Usage reaches 100%. |
| SA Host Monitoring Policy | High Filesystem Usage | Overall Mounted Filesystem Disk Usage goes over 95%. |
| SA Host Monitoring Policy | High System Swap Utilization | Swap Utilization goes under 5% for 5 minutes or more. |
| SA Host Monitoring Policy | High Usage on Rabbitmq Message Broker Filesystem | Mounted Filesystem Disk Usage for var/lib/rabbitmq goes over 60%. |
| SA Host Monitoring Policy | Host Unreachable | Host down. |
| SA Host Monitoring Policy | LogCollector Event Processor Exchange Bindings Status | Issue with Log Collection Message Broker Queues for 10 minutes or more. |
| SA Host Monitoring Policy | LogCollector Event Processor Queue with No Bindings | Issue with Log Collection Message Broker Queues for 10 minutes or more. |
| SA Host Monitoring Policy | LogCollector Event Processor Queue with No Consumers | Issue with Log Collection Message Broker Queues for 10 minutes or more. |
| SA Host Monitoring Policy | Power Supply Failure | Host not receiving power. |
| SA Host Monitoring Policy | RAID Logical Drive Degraded | For Raid Logical Drive, Drive State equals Degraded or Partially Degraded. |
| SA Host Monitoring Policy | RAID Logical Drive Failed | For Raid Logical Drive, Logical Drive State equals Offline, Failed, or Unknown. |
| SA Host Monitoring Policy | RAID Logical Drive Rebuilding | For Raid Logical Drive, Logical Drive State equals Rebuild. |
| SA Host Monitoring Policy | RAID Physical Drive Failed | For Raid Physical Drive, Physical Drive State does not equal Online, Online Spun Up, or Hotspare. |
| SA Host Monitoring Policy | RAID Physical Drive Failure Predicted | For Raid Physical Drive, Physical Drive Predictive Failure Count is greater than 1. |
| SA Host Monitoring Policy | RAID Physical Drive Rebuilding | For Raid Physical Drive, Physical Drive State equals Rebuild. |
| SA Host Monitoring Policy | RAID Physical Drive Unconfigured | For Raid Physical Drive, Physical Drive State contains Unconfigured(good). |
| SA Host Monitoring Policy | SD Card Failure | SD Card Status does not equal ok. |
| SA Archiver Monitoring Policy | Archiver Aggregation Stopped | Archiver Status does not equal started. |
| SA Archiver Monitoring Policy | Archiver Database(s) Not Open | Database Status does not equal opened. |
| SA Archiver Monitoring Policy | Archiver Not Consuming From Service | Devices Status does not equal consuming. |
| SA Archiver Monitoring Policy | Archiver Service in Bad State | Service State does not equal started or ready. |
| SA Archiver Monitoring Policy | Archiver Service Stopped | Server Status does not equal started. |
| SA Broker Monitoring Policy | Broker >5 Pending Queries | Queries Pending greater than or equal to 5 for 10 minutes or more. |
| SA Broker Monitoring Policy | Broker Aggregation Stopped | Broker Status does not equal started. |
| SA Broker Monitoring Policy | Broker Not Consuming From Service | Devices Status does not equal consuming. |
| SA Broker Monitoring Policy | Broker Service in Bad State | Service State does not equal started or ready. |
| SA Broker Monitoring Policy | Broker Service Stopped | Server Status does not equal started. |
| SA Broker Monitoring Policy | Broker Session Rate Zero | Session Rate (current) equals 0 for 2 minutes or more. |
| Security Analytics Concentrator Monitoring Policy | Concentrator >5 Pending Queries | Queries Pending greater than or equal to 5 for 10 minutes or more. |
| Security Analytics Concentrator Monitoring Policy | Concentrator Aggregation Behind >100K Sessions | Devices Sessions Behind is greater than or equal to 100000 for 1 minute or more. |
| Security Analytics Concentrator Monitoring Policy | Concentrator Aggregation Behind >1M Sessions | Devices Sessions Behind is greater than or equal to 1000000 for 1 minute or more. |
| Security Analytics Concentrator Monitoring Policy | Concentrator Aggregation Behind >50M Sessions | Devices Sessions Behind is greater than or equal to 50000000 for 1 minute or more. |
| Security Analytics Concentrator Monitoring Policy | Concentrator Aggregation Stopped | Broker Status does not equal started. |
| Security Analytics Concentrator Monitoring Policy | Concentrator Database(s) Not Open | Database Status does not equal opened. |
| Security Analytics Concentrator Monitoring Policy | Concentrator Meta Rate Zero | Concentrator Meta Rate (current) equals 0 for 2 minutes or more. |
| Security Analytics Concentrator Monitoring Policy | Concentrator Not Consuming From Service | Devices Status does not equal consuming. |
| Security Analytics Concentrator Monitoring Policy | Concentrator Service in Bad State | Service State does not equal started or ready. |
| Security Analytics Concentrator Monitoring Policy | Concentrator Service Stopped | Server Status does not equal started. |
| Security Analytics Decoder Monitoring Policy | Decoder Capture Not Started | Capture Status does not equal started. |
| Security Analytics Decoder Monitoring Policy | Decoder Capture Rate Zero | Capture Rate (current) equals 0 for 2 minutes or more. |
| Security Analytics Decoder Monitoring Policy | Decoder Database Not Open | Database Status does not equal opened. |
| Security Analytics Decoder Monitoring Policy | Decoder Dropping >1% of Packets | Capture Packets Percent Dropped (current) is greater than or equal to 1%. |
| Security Analytics Decoder Monitoring Policy | Decoder Dropping >10% of Packets | Capture Packets Percent Dropped (current) is greater than or equal to 10%. |
| Security Analytics Decoder Monitoring Policy | Decoder Dropping >5% of Packets | Capture Packets Percent Dropped (current) is greater than or equal to 5%. |
| Security Analytics Decoder Monitoring Policy | Decoder Packet Capture Pool Depleted | Packet Capture Queue equals 0 for 2 minutes or more. |
| Security Analytics Decoder Monitoring Policy | Decoder Service in Bad State | Service State does not equal started or ready. |
| Security Analytics Decoder Monitoring Policy | Decoder Service Stopped | Server Status does not equal started. |
| Security Analytics Event Stream Analysis Monitoring Policy | ESA Overall Memory Utilization > 85% | Total ESA Memory Usage % is greater than or equal to 85%. |
| Security Analytics Event Stream Analysis Monitoring Policy | ESA Overall Memory Utilization > 95% | Total ESA Memory Usage % is greater than or equal to 95%. |
| Security Analytics Event Stream Analysis Monitoring Policy | ESA Service Stopped | Server Status does not equal started. |
| Security Analytics Event Stream Analysis Monitoring Policy | ESA Trial Rules Disabled | Trial Rules Status does not equal enabled. |
| Security Analytics IPDB Extractor Monitoring Policy | IPDB Extractor Service in Bad State | Service State does not equal started or ready. |
| Security Analytics IPDB Extractor Monitoring Policy | IPDB Extractor Service Stopped | Server Status does not equal started. |
| Security Analytics Incident Management Monitoring Policy | Incident Management Service Stopped | Server Status does not equal started. |
| Security Analytics Log Collector Monitoring Policy | Log Collector Service Stopped | Server Status does not equal started. |
| Security Analytics Log Collector Monitoring Policy | Log Decoder Event Queue > 50% Full | Number of events currently in the queue is using 50% or more of the queue. |
| Security Analytics Log Collector Monitoring Policy | Log Decoder Event Queue > 80% Full | Number of events currently in the queue is using 80% or more of the queue. |
| Security Analytics Log Collector Monitoring Policy | Log Collector Service in Bad State | Service State does not equal started or ready. |
| Security Analytics Log Decoder Monitoring Policy | Decoder Dropping >10% of Packets | Capture Packets Percent Dropped (current) is greater than or equal to 10%. |
| Security Analytics Log Decoder Monitoring Policy | Log Capture Not Started | Capture Status does not equal started. |
| Security Analytics Log Decoder Monitoring Policy | Log Decoder Capture Rate Zero | Capture Rate (current) equals 0 for 2 minutes or more. |
| Security Analytics Log Decoder Monitoring Policy | Log Decoder Database Not Open | Database Status does not equal opened. |
| Security Analytics Log Decoder Monitoring Policy | Log Decoder Dropping >1% of Logs | Capture Packets Percent Dropped (current) is greater than or equal to 1%. |
| Security Analytics Log Decoder Monitoring Policy | Log Decoder Dropping >5% of Logs | Capture Packets Percent Dropped (current) is greater than or equal to 5%. |
| Security Analytics Log Decoder Monitoring Policy | Log Decoder Packet Capture Pool Depleted | Packet Capture Queue equals 0 for 2 minutes or more. |
| Security Analytics Log Decoder Monitoring Policy | Log Decoder Service Stopped | Server Status does not equal started. |
| Security Analytics Log Decoder Monitoring Policy | Log Decoder Service in Bad State | Service State does not equal started or ready. |
| Security Analytics Malware Analysis Monitoring Policy | Malware Analysis Service Stopped | Server Status does not equal started. |
| Security Analytics Reporting Engine Monitoring Policy | Reporting Engine Alerts Critical Utilization | Alerts Utilization is greater than or equal to 10 for 5 minutes or more. |
| Security Analytics Reporting Engine Monitoring Policy | Reporting Engine Available Disk <10% | Available disk space is less than 10%. |
| Security Analytics Reporting Engine Monitoring Policy | Reporting Engine Available Disk <5% | Available disk space is less than or equal to 5%. |
| Security Analytics Reporting Engine Monitoring Policy | Reporting Engine Charts Critical Utilization | Charts Utilization is greater than or equal to 10 for 5 minutes or more. |
| Security Analytics Reporting Engine Monitoring Policy | Reporting Engine Rules Critical Utilization | Rules Utilization is greater than or equal to 10 for 5 minutes or more. |
| Security Analytics Reporting Engine Monitoring Policy | Reporting Engine Schedule Task Pool Critical Utilization | Schedule Task Pool Utilization is greater than or equal to 10 for 15 minutes or more. |
| Security Analytics Reporting Engine Monitoring Policy | Reporting Engine Service Stopped | Server Status does not equal started. |
| Security Analytics Reporting Engine Monitoring Policy | Reporting Engine Shared Task Critical Utilization | Shared Task Pool Utilization is greater than or equal to 10 for 5 minutes or more. |
| Security Analytics Warehouse Connector Monitoring Policy | Warehouse Connector Service in Bad State | Service State does not equal started or ready. |
| Security Analytics Warehouse Connector Monitoring Policy | Warehouse Connector Service Stopped | Server Status does not equal started. |
| Security Analytics Warehouse Connector Monitoring Policy | Warehouse Connector Stream Behind | Stream Behind is greater than or equal to 2000000. |
| Security Analytics Warehouse Connector Monitoring Policy | Warehouse Connector Stream Disk Utilization > 75% | Stream Disk Usage (Pending Destination Load) is greater than or equal to 75. |
| Security Analytics Warehouse Connector Monitoring Policy | Warehouse Connector Stream in Bad State | Stream Status does not equal consuming or online for 10 minutes or more. |
| Security Analytics Warehouse Connector Monitoring Policy | Warehouse Connector Stream Permanently Rejected Files > 300 | Number of files in the permanently rejected files is greater than or equal to 300. |
| Security Analytics Warehouse Connector Monitoring Policy | Warehouse Connector Stream Permanently Rejected Folder > 75% Full | Rejected folder usage is greater than or equal to 75%. |
| Security Analytics Workbench Monitoring Policy | Workbench Service in Bad State | Service State does not equal started or ready. |
| Security Analytics Workbench Monitoring Policy | Workbench Service Stopped | Server Status does not equal started. |