ESM: Monitoring Policies Tab

Document created by RSA Information Design and Development on Jul 27, 2016
Version 1
 

The Monitoring Policies tab organizes thresholds by event source group.

To access this tab:

  1. In the Security Analytics menu, select Administration > Event Sources.
    The Manage tab is displayed.
  2. Select the Monitoring Policies tab.

ESM_alerts01.png

Procedures related to this tab are described in Monitor Policies.

Features

The Monitoring Policies tab consists of three panels.

Event Groups Panel

ESM_alertsGrps.png

The group selected in this panel determines which thresholds appear in the Thresholds panel. You can define a set of thresholds for each event source group. Notice that the groups are listed in a specific order:

  • Drag and drop groups to change the specified order.
  • The higher a group is listed, the higher the precedence for that group's thresholds: RSA Security Analytics checks the thresholds in the order provided in this panel. Thus, your highest priority groups should be at the top of this list.

Thresholds Panel

This is an example of the Thresholds panel for an event source group.

ESM_threshold.png

The Thresholds Panel contains the following features.

                      
Feature: Description

Enable: The Enable checkbox designates whether the thresholds that you define for a group are enabled. If so, notifications are sent whenever the thresholds for that group are outside of the defined range. If not, no monitoring of that event source group occurs.

Low number of events, Low number of minutes or hours: This is the low end of the threshold. Enter the fewest number of events and the time range. If the event source group receives fewer messages than specified here, the threshold is not met, and notifications are sent.

High number of events, High number of minutes or hours: This works the same way as the low values. If more messages than specified here are received, the threshold is not met, and notifications are sent.

Last Modified date and time: This field indicates the last time and date that the thresholds were changed.

Save: Saves the changes you have made to the thresholds.

Notifications Panel

This is an example of the Notifications panel for an event source group.

ESM_alerts01.png

The following table describes the fields on the Notifications panel.

                            
Field: Description

Tools (+ -): The following items are available on the toolbar:

  • Add (+): clicking Add presents a menu where you can choose the type of notification.
  • Remove (-): removes the selected row from the list.

Notification Settings: Clicking this link opens a new browser tab and takes you to the Admin > System > Notifications page in Security Analytics.

Type: Displays the type of notification that you have chosen. The available options are as follows:

  • Email
  • SNMP
  • Syslog

Notification: See Configure Notification Types for more details.

Notification Server: See Configure Notification Servers for more details.

Template: For Event Source Management, RSA provides three out-of-the-box templates for notifications. You can use the following templates as delivered, or customize them based on the needs of your organization:

  • Email template: sends notifications to the specified email addresses.
  • SNMP template: sends notifications to the specified SNMP server.
  • Syslog template: sends notifications to the specified Syslog server.

See Configure Templates for Notifications for more details.

Output Suppression: Use this item to limit how often notifications are received for this policy, in case many alerts are triggered in a short period of time.

The following are sample notifications, based on the supplied Templates:

  • Email:
    esm_note-email.png
  • SNMP:
    esm_note-snmp.png
  • Syslog:
    esm_note-syslog.png