Reporting: Create or Modify Alert View

Document created by RSA Information Design and Development on Jul 28, 2016
The Create/Modify Alert view allows you to add, manage, and edit Alerts. Related procedures are provided in Working with Alerts in the Reporting Module.

To access the Create/Modify Alert view:

  1. In the Security Analytics menu, click Administration > Reports.
    The Manage tab is displayed.
  2. Click Alerts.
    The Alert view is displayed.
  3. In the Alert toolbar, click the Add button (add_button.png).
    The following figure is an example of the Create/Modify Alert view.
    106_create_or_modify_alert.png

The Create or Modify Alert view includes the following sections:

  • Alert Definition section
  • Alert Description section
  • Alert Notification section

Alert Definition Section

The Alert Definition section allows you to select an alert rule and data sources, push the event to the decoder or log decoder, and enable or disable the alert.

106_alert_def_pane.png

The following table describes the fields in the Alert Definition section:

Enable
    • Enable activates the alert. The alert executes and sends output actions every minute (by default) when the alert conditions are met.
    • Disable deactivates the alert. The alert does not execute and does not send any output actions.
Rule Basis
    Clicking Browse displays the Rules Library panel, from which you select the rule that is the basis of this alert.
    You must select a rule that has a unique where clause for an alert.
Data Sources
    Specifies the data source for the alert.
Push to decoders
    Checking this option pushes the 'where' clause of the alert rule to the Decoders connected to the selected NWDB data source. This is the recommended option for creating a Reporting Engine (RE) alert, because the alert conditions are checked at the Decoder itself and the alert queries are comparatively faster in NWDB.
    If you uncheck this option, the 'where' clause of the alert rule is queried against the selected NWDB data source. Depending on the complexity of the 'where' clause and the meta keys it references, the alert queries might take more time to process in NWDB.

Note: Security Analytics does not send rules to the Decoder automatically.

Alert Notification Section

The Alert Notification section allows you to define the notification action Security Analytics takes when an alert fires, such as recording the alert or sending it using one of the defined output actions. The output actions are Simple Mail Transfer Protocol (SMTP), Simple Network Management Protocol (SNMP), and Syslog message.

When you create an alert, the Notification section has the default Record tab. The icon beside the Record tab allows you to select the notification type for this alert from the drop-down list: SMTP, SNMP, or Syslog.

Depending on the notification type selected, the Notification section is populated with pre-defined text containing variables that insert the meta values appropriate to the alert. In the Reporting Engine, these variables are replaced with actual values. The following table lists the variables and their descriptions.

${meta.<metakey>}
    The meta key value.
    Note: If the <metakey> did not fetch any value, an empty string ("") is printed.
${meta.time} / ${meta.time:<time_format>}
    ${meta.time} - The session time is printed in "yyyy-MMM-dd HH:mm:ss" format.
    ${meta.time:<time_format>} - The session time is printed in the custom time format given by the user. For example, ${meta.time:dd-MM-yyyy HH:mm:ss}.
    For more information on the supported time formats, see http://docs.oracle.com/javase/7/docs/api/java/text/SimpleDateFormat.html
    Note: If the time format provided by the user is invalid, the default time format is used. The default time format is "yyyy-MMM-dd HH:mm:ss".
${name}
    The alert name defined in Reporting Engine.
${count}
    The number of times an alert is detected in a given time frame (by default, one minute).
${sa.host}
    The Security Analytics host name as configured in Reporting Engine.
${device.id}
    The Security Analytics device id of the data source.
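The substitution rules in the table above (a missing meta key yields an empty string, an invalid custom time format falls back to the default format), carried through as an added example. This is not Reporting Engine code: it is a stand-in renderer that understands only the SimpleDateFormat letters used on this page (assumed subset), with constructed sample values for every variable.

```python
import re
from datetime import datetime

MONTHS = ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"]
DEFAULT_TIME_FORMAT = "yyyy-MMM-dd HH:mm:ss"   # default named on the page

# SimpleDateFormat letters this example understands (assumption: the subset
# appearing in the page's own examples). Any other letter makes a format invalid.
_TOKENS = {
    "yyyy": lambda d: f"{d.year:04d}", "MMM": lambda d: MONTHS[d.month - 1],
    "MM": lambda d: f"{d.month:02d}", "dd": lambda d: f"{d.day:02d}",
    "HH": lambda d: f"{d.hour:02d}", "mm": lambda d: f"{d.minute:02d}",
    "ss": lambda d: f"{d.second:02d}",
}

def format_time(dt, fmt):
    """Render dt with a SimpleDateFormat-style pattern; None if unsupported."""
    out, i = [], 0
    while i < len(fmt):
        if fmt[i].isalpha():
            j = i
            while j < len(fmt) and fmt[j] == fmt[i]:   # maximal run, e.g. 'MMM'
                j += 1
            if fmt[i:j] not in _TOKENS:
                return None                            # unknown letter: invalid
            out.append(_TOKENS[fmt[i:j]](dt))
            i = j
        else:
            out.append(fmt[i])                         # literal separator
            i += 1
    return "".join(out)

VAR_RE = re.compile(r"\$\{([^}]*)\}")

def render(template, meta, session_time, name, count, sa_host, device_id):
    """Expand the page's notification variables; unknown ones are left as-is."""
    fixed = {"name": name, "count": str(count),
             "sa.host": sa_host, "device.id": device_id}
    def sub(m):
        key = m.group(1)
        if key == "meta.time" or key.startswith("meta.time:"):
            fmt = key[len("meta.time:"):] or DEFAULT_TIME_FORMAT
            rendered = format_time(session_time, fmt)
            # invalid user format -> default format, as the page states
            return rendered or format_time(session_time, DEFAULT_TIME_FORMAT)
        if key.startswith("meta."):
            return str(meta.get(key[len("meta."):], ""))   # missing meta -> ""
        return fixed.get(key, m.group(0))
    return VAR_RE.sub(sub, template)
```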

The Alert Notification section has four tabs:

  • Record
  • SMTP
  • SNMP
  • Syslog

Record Tab

The Record tab allows you to define the frequency for recording an alert and the message that you want to generate when an alert fires.
106_alert_RECORD_pane.png

The following table lists the various fields in the Record tab and their description.

Execute
    Indicates the frequency for recording an alert.
    • Once - Record the alert only once per alert interval, no matter how often the alert fires. Security Analytics records in the log file the number of times the alert actually fired during that interval, so that analysts know how many times the alert registered a match over a given day.
    • Each Event - Record the alert each time it fires. If an alert fires an unlimited number of times during a day, that alert is often treated as noise and can be ignored, except in the case of alerts that require continuous monitoring, such as network configuration changes and DDoS attacks.
    Note: Select the Each Event setting from the Execute drop-down list for SNMP and Syslog output actions.
Body
    Indicates the body of the message.
Body Template
    (Optional) If templates have been defined, you can select a template for the alert message.

SMTP Tab

The SMTP tab allows you to define the SMTP (email) output for this alert.
106_alert_SMTP_pane.png

The following table lists the various fields in the SMTP tab and their description.

Execute
    Indicates the number of times that you want to send an email message for the alert.
    • Once - Sends only one email per interval if the alert fires in that interval, irrespective of how many times it fired.
    • Each Event - Sends an email with the alert for every event in which the rule criteria are met.
To
    Identifies the email address or comma-separated list of email addresses to which you want to send this alert.
Subject
    Indicates the subject of the email message.
Body
    Indicates the body of the message.
Body Template
    (Optional) If templates have been defined, select a template for the SMTP message that you can use as is or modify.

SNMP Tab

The SNMP tab allows you to define the SNMP output for the alert.
106_alert_SNMP_pane.png

The following table lists the various fields in the SNMP tab and their description.

Execute
    Indicates the number of times that you want to send an SNMP output for the alert.
    • Once - Sends an SNMP message along with an email once per interval if the alert fires in that interval, irrespective of how many times it fired.
    • Each Event - Sends an SNMP message with the alert for every event in which the rule criteria are met.
Body
    Indicates the body of the message.
Body Template
    (Optional) If templates have been defined, select a template for the SNMP message that you can use as is or modify.

Syslog Tab

The Syslog tab allows you to define the Syslog message output for this alert.
106_alert_Syslog_pane.png

Clicking the Add button (add_button.png) allows you to add a Syslog configuration to an alert. The New Syslog Configuration dialog box is displayed:
106_new_syslog_config_dialog.png

The following table describes the fields in the New Syslog Configuration dialog:

Syslog Configs
    Indicates the Syslog configuration defined in the Syslog Configuration panel of the Device Config view.
Execute
    Indicates the number of times that you want to send a Syslog output for the alert.
    • Once - Sends a Syslog output along with an email once per interval if the alert fires in that interval, irrespective of how many times it fired.
    • Each Event - Sends a Syslog output with the alert for every event in which the rule criteria are met.
Facility
    Indicates the type of program logging the message. Examples of program types: syslog, daemon, mail, kernel.
Severity
    Indicates the severity level of the alert fired:
    • Emergency
    • Alert
    • Critical
    • Error
    • Warning
    • Notice
    • Informational
    • Debug
Body
    Indicates the body of the message.
Body Template
    (Optional) If templates have been defined, select a template for the Syslog message that you can use as is or modify.

Alert Description Section

The Alert Description section allows you to provide a description for the alert.
106_alert_descr_pane.png

The following table describes the fields in the Alert Description section.

Description
    Identifies the description of the alert.
Create
    Creates the alert. (This option is displayed when you create an alert.)
Save
    Saves the changes made to the alert. (This option is displayed when you modify an alert.)