You can create policies that alert on event source groups, by setting schedules and thresholds.
Every event source group is also an alert policy. Thresholds are part of an alert policy. You can set thresholds for each alert policy. For each policy, you can set a low threshold, a high threshold, or both.
To set or view thresholds for an event source group:
- In the Security Analytics menu, select Administration > Event Sources.
- Select the Monitoring Policies tab.
In the Event Groups panel, select a group.
Any thresholds set for the selected group are displayed in the Thresholds panel.
- Edit the values in either the Low or High Threshold as follows:
- Enter the number of events for the threshold.
- Enter the number of minutes or hours for the threshold.
Note: For each threshold, you can set either the low values, the high values, or both.
- Select Enable to enable alerts when thresholds are not met.
For example, suppose you enter 10 and 30 for the values for the low threshold: 10 events in 30 minutes, and 20 and 30 for the values for the high threshold: 20 events in 30 minutes. This means that you expect between 10 to 20 events are logged in 30 minutes (for the selected event source group). That is, anything between the low and high threshold is considered normal, and does not trigger an alert.
Note: Once you add a threshold for a policy, you cannot delete it. You can disable the policy, or set the low or high threshold to 0 events in 5 minutes. Five minutes is the minimum duration for a threshold.