ESM: Common Scenarios for Monitoring Policies

Document created by RSA Information Design and Development on Jul 27, 2016

Organizations typically have to monitor their event sources in "buckets" based on how critical those event sources are. One typical example is as follows:

  • There is a group of PCI devices, and it is critical to know if any of these devices stop sending messages (or send too few messages) within a half hour.
  • There is a group of Windows devices, and it is useful to know if any of these devices stop sending messages after four hours.
  • There is a group of quiet devices that do not typically send a lot of messages, but you would like to know if they do not send anything for 24 hours.

Many organizations could have a network that resembles this example. You may have more or different categories, but we will use this example to discuss how to use this feature.

Keep in mind that you may have dozens or even hundreds of event source groups, and still only have a few groups for which you need to set thresholds and alerts.

Note: If an Event Source is a member of multiple groups that have alerting configured, it will only alert on the first matching group in the ordered list.

Ordering the Groups

The first thing to keep in mind is how to order your groups on the Monitoring Policies page. Assuming that you have the three groups mentioned above, you should order them as follows:

  1. Quiet event sources. Because an event source alerts only on the first group in the list that contains it, placing the quiet group first prevents a quiet device that also belongs to the PCI or Windows group from being held to those shorter windows, which would generate numerous false alerts.
  2. High priority PCI event sources. These have the shortest window (a half hour), so they should come immediately after the quiet devices.
  3. Windows event sources. The time range is longer (four hours versus a half hour) for these devices than for the PCI devices. Therefore, they should come after the PCI devices.
  4. All event sources. Optionally, you could set thresholds for all devices as a catch-all, so that any event source not covered by an earlier group is still monitored. This ensures that your entire network is operating as expected.


In the figure above, note the following:

  • The groups are ordered as discussed in the previous section.
  • The threshold for PCI devices is to alert if the number of messages coming in to Security Analytics is fewer than 10 messages in 30 minutes.
  • A low threshold is defined, but not a high threshold. This is typical for many use cases.
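The following is an added, illustrative model of the ordering and threshold behaviour described above; it is not RSA Security Analytics code and does not use any product API. It assumes a hypothetical quiet device, badge-reader-1, that is also a member of the PCI group, and constructs sample last-seen timestamps for each event source. Evaluating the same data under a wrong ordering (PCI group first) and the recommended ordering (quiet group first) shows the false alert the Note about first-match warns of, while the PCI device that really stopped sending still alerts in both.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Policy:
    """One row on the Monitoring Policies page: a group, its members and
    optional low/high message-count thresholds over a time window."""
    name: str
    members: Set[str]
    window: timedelta
    low: Optional[int] = None    # alert if count < low
    high: Optional[int] = None   # alert if count > high


def first_matching_policy(policies: List[Policy], source: str) -> Optional[Policy]:
    """Only the first group in the ordered list that contains the source is
    used for alerting (the first-match rule from the Note above)."""
    for policy in policies:
        if source in policy.members:
            return policy
    return None


def evaluate(policies: List[Policy], events: Dict[str, List[datetime]],
             now: datetime) -> Dict[str, Tuple[str, Optional[str]]]:
    """Return {source: (policy name, alert reason or None)} for every event
    source that falls into some group. `events` maps a source to the
    timestamps of the messages it sent."""
    results = {}
    for source, stamps in events.items():
        policy = first_matching_policy(policies, source)
        if policy is None:
            continue
        count = sum(1 for t in stamps if now - policy.window <= t <= now)
        reason = None
        if policy.low is not None and count < policy.low:
            reason = f"low: {count} < {policy.low} in {policy.window}"
        elif policy.high is not None and count > policy.high:
            reason = f"high: {count} > {policy.high} in {policy.window}"
        results[source] = (policy.name, reason)
    return results


# Constructed sample data (hypothetical event source names).
NOW = datetime(2016, 7, 27, 12, 0)
EVENTS: Dict[str, List[datetime]] = {
    "pci-fw-1": [NOW - timedelta(hours=2)],                          # went silent
    "pci-db-1": [NOW - timedelta(minutes=m) for m in range(0, 24, 2)],  # 12 msgs
    "badge-reader-1": [NOW - timedelta(hours=3), NOW - timedelta(minutes=10)],
    "win-dc-1": [NOW - timedelta(minutes=30)],
    "printer-7": [],                                                 # never sent
}

# Groups as in the scenario; badge-reader-1 is deliberately in both
# the quiet group and the PCI group.
QUIET = Policy("Quiet", {"badge-reader-1"}, timedelta(hours=24), low=1)
PCI = Policy("PCI", {"pci-fw-1", "pci-db-1", "badge-reader-1"},
             timedelta(minutes=30), low=10)
WINDOWS = Policy("Windows", {"win-dc-1"}, timedelta(hours=4), low=1)
ALL = Policy("All", set(EVENTS), timedelta(hours=24), low=1)      # catch-all


def compare_orderings():
    """Evaluate the same events under a wrong and the recommended order."""
    wrong = evaluate([PCI, WINDOWS, QUIET, ALL], EVENTS, NOW)
    recommended = evaluate([QUIET, PCI, WINDOWS, ALL], EVENTS, NOW)
    return wrong, recommended


if __name__ == "__main__":
    for label, result in zip(("PCI first", "Quiet first"), compare_orderings()):
        print(label)
        for source, (group, reason) in result.items():
            print(f"  {source:15} {group:8} {reason or 'ok'}")
```

With the PCI group first, badge-reader-1 matches the PCI row and trips the "fewer than 10 in 30 minutes" threshold on its one recent message; with the quiet group first it matches the 24-hour row and stays quiet, while pci-fw-1 alerts either way and printer-7 is only caught by the catch-all row.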

After you have set up and ordered your groups and begun to receive alerts, you may need to adjust the order. Use these guidelines to help you adjust the ordering:

  • If you are getting more notifications than you need, you can move the group down in the order. Similarly, if you are getting too few notifications, move the group up towards the top.
  • If you notice that one event source is creating more alerts than it should, you can move it to another group, or create a new group for that event source.