ESM: Configure Event Source Group Alerts

Document created by RSA Information Design and Development on Jul 27, 2016

Each event source group can have its own alerting policy. This includes setting the thresholds for when to alert, and setting the notification type when an alert is triggered. This topic describes the steps involved in creating an alert policy for an event source group.

Create an Alert Policy for an Event Source Group

To create an alert policy for an event source group:

  1. In the Security Analytics menu, select Administration > Event Sources.
  2. Select the Monitoring Policies tab.
  3. In the Event Groups panel, select a group.
  4. Enter values for the Low Threshold and High Threshold fields.

    This is an example of alert thresholds.

    [Figure: ESM_alerts01.png, example Low Threshold and High Threshold values]

  5. Select Enable and click Save to enable the alert policy that you have configured.

Note: If you make changes to a policy, and attempt to exit the page before you save your changes, an Unsaved Changes warning message is displayed:

[Figure: esm_policyChgWrn.png, Unsaved Changes warning]

Set and View the Thresholds for an Alert Policy

Thresholds are part of an alert policy. You set thresholds for event source groups.

To set or view thresholds for an event source group:

  1. In the Security Analytics menu, select Administration > Event Sources.
  2. Select the Monitoring Policies tab.
  3. In the Event Groups panel, select a group.
    The thresholds set for the selected group are displayed in the Thresholds panel.
  4. Edit the Low Threshold values as follows:
    1. Enter the number of events for the low threshold.
    2. Enter the number of minutes for the low threshold.
  5. Similarly, enter values for the High Threshold.

For example, suppose you enter 10 and 30 for the low threshold (10 events in 30 minutes) and 20 and 30 for the high threshold (20 events in 30 minutes). This means that you expect between 10 and 20 events to be logged in 30 minutes for the selected event source group. Any count between the low and high thresholds is considered normal and does not trigger an alert; counts outside that range do.
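The following is an added example that models the threshold logic described above; it is not RSA Security Analytics code and does not reflect how the product evaluates policies internally. It assumes each threshold is a pair of (events, minutes), that a count equal to the low or high value still counts as normal, that a disabled policy never alerts (matching the Enable check box in the procedure), and it uses constructed event timestamps as input.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Threshold:
    """One threshold as entered in the UI: N events in M minutes."""
    events: int
    minutes: int


@dataclass(frozen=True)
class AlertPolicy:
    """Alert policy for one event source group (assumed model)."""
    low: Threshold
    high: Threshold
    enabled: bool = True


def count_in_window(timestamps: Iterable[datetime], now: datetime, minutes: int) -> int:
    """Count events that arrived in the last `minutes` minutes, ending at `now`."""
    start = now - timedelta(minutes=minutes)
    return sum(1 for t in timestamps if start < t <= now)


def evaluate(policy: AlertPolicy, timestamps: Iterable[datetime], now: datetime) -> Optional[str]:
    """Return None if the policy is disabled, otherwise 'low', 'high' or 'normal'.

    Boundary handling is an assumption of this example: a count equal to the
    low or high value is treated as normal, so only counts strictly below the
    low threshold or strictly above the high threshold raise an alert.
    """
    if not policy.enabled:
        return None
    events = list(timestamps)
    # The low and high thresholds each carry their own window length.
    if count_in_window(events, now, policy.low.minutes) < policy.low.events:
        return "low"
    if count_in_window(events, now, policy.high.minutes) > policy.high.events:
        return "high"
    return "normal"


# Constructed sample data: the 10/30 and 20/30 policy from the text,
# evaluated at a fixed point in time.
EXAMPLE_POLICY = AlertPolicy(low=Threshold(10, 30), high=Threshold(20, 30))
NOW = datetime(2016, 7, 27, 12, 0, 0)


def make_events(n: int, now: datetime, minutes: int) -> List[datetime]:
    """Constructed input: n events evenly spread over the last `minutes` minutes."""
    return [now - timedelta(minutes=minutes * i / n) for i in range(n)]


if __name__ == "__main__":
    for n in (5, 10, 15, 20, 25):
        print(f"{n:2d} events in 30 minutes -> {evaluate(EXAMPLE_POLICY, make_events(n, NOW, 30), NOW)}")
```

Running the block prints the outcome for 5, 10, 15, 20 and 25 events in the 30-minute window: the two middle values and both boundaries are reported as normal, 5 as a low-threshold alert and 25 as a high-threshold alert.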

