Typically, organizations monitor their event sources in "buckets" based on how critical the event sources are. One typical example is as follows:
- There is a group of PCI devices, and it is critical to know if any of these devices stop sending messages (or send too few messages) within a half hour.
- There is a group of Windows devices, and it is useful to know if any of these devices stop sending messages after four hours.
- There is a group of quiet devices that do not typically send a lot of messages, but you would like to know if they do not send anything for 24 hours.
Many organizations may have a network that resembles this example. You may have more or different categories, but this example is used to discuss this feature.
You may have dozens or even hundreds of event source groups, and still only have a few groups for which you need to set thresholds and alerts.
Note: If an Event Source is a member of multiple groups that have alerting configured, it will only alert on the first matching group in the ordered list. (The Monitor Policies tab presents an ordered list of your groups.)
Ordering the Groups
Note: To change the order of the groups, drag and drop a group to its new location. The higher a group is listed, the higher the precedence for that group's thresholds: RSA Security Analytics checks the thresholds in the order provided in this panel. Thus, your highest priority groups should be at the top of this list.
The first thing to keep in mind is how to order your groups on the Monitoring Policies page. Assuming that you have the three groups mentioned above, you should order them as follows:
- Quiet event sources. Having this group first ensures that you will not get numerous false alerts.
- High priority PCI event sources. The highest priority devices should be after the quiet devices
- Windows event sources. The time range is longer (four hours versus a half hour) for these devices than for the PCI devices. Therefore, they should come after the PCI devices.
- All event sources. Optionally, you could set thresholds for all devices as a catch-all. This ensures that your entire network is operating as expected. For the catch-all group, you do not need to specify any thresholds—you can use automatic alerting to generate alarms for the event sources in this group.
In the figure above, note the following:
- The groups are ordered as discussed in the previous section.
- The threshold for PCI devices is to alert if the number of messages coming in to Security Analytics is fewer than 10 messages in 30 minutes.
- A low threshold is defined, but not a high threshold. This is typical for many use cases.
After you have set up and ordered your groups and begun to receive alerts, you may need to adjust the order. Use these guidelines to help you adjust the ordering:
- If you receive more notifications than you need, you can move the group down in the order. Similarly, if you are getting too few notifications, move the group up towards the top.
- If you notice that one event source is creating more alerts than it should, you can move it to another group, or create a new group for that event source.