SysMaint: Security Analytics Out-of-the-Box Policies

Document created by RSA Information Design and Development on Jul 29, 2016. Last modified by Susan Ewald on Nov 1, 2016.
Version 2
Security Analytics Out-of-the-Box Policies

The following table lists the Security Analytics Out-of-the-Box Policies with the rules defined for each policy. 

You can perform the following tasks on any of these policies:

  • Change service/group assignments.
  • Disable/enable them.

You cannot perform the following tasks on any of these policies:

  • Delete them.
  • Edit Policy names.
| Policy Name | Rule Name | Alarm Triggered |
| --- | --- | --- |
| SA Host Monitoring Policy | Critical Usage on Rabbitmq Message Broker Filesystem | For var/lib/rabbitmq, Mounted Filesystem Disk Usage goes over 75%. |
| SA Host Monitoring Policy | Filesystem is Full | Overall Mounted Filesystem Disk Usage reaches 100%. |
| SA Host Monitoring Policy | High Filesystem Usage | Overall Mounted Filesystem Disk Usage goes over 95%. |
| SA Host Monitoring Policy | High System Swap Utilization | Swap Utilization goes under 5% for 5 minutes or more. |
| SA Host Monitoring Policy | High Usage on Rabbitmq Message Broker Filesystem | Mounted Filesystem Disk Usage for var/lib/rabbitmq goes over 60%. |
| SA Host Monitoring Policy | Host Unreachable | Host down. |
| SA Host Monitoring Policy | Power Supply Failure | Host not receiving power. |
| SA Host Monitoring Policy | RAID Logical Drive Degraded | For Raid Logical Drive, Drive State equals Degraded or Partially Degraded. |
| SA Host Monitoring Policy | RAID Logical Drive Failed | For Raid Logical Drive, Logical Drive State equals Offline, Failed, or Unknown. |
| SA Host Monitoring Policy | RAID Logical Drive Rebuilding | For Raid Logical Drive, Logical Drive State equals Rebuild. |
| SA Host Monitoring Policy | RAID Physical Drive Failed | For Raid Physical Drive, Physical Drive State does not equal Online, Online Spun Up, or Hotspare. |
| SA Host Monitoring Policy | RAID Physical Drive Failure Predicted | For Raid Physical Drive, Physical Drive Predictive Failure Count is greater than 1. |
| SA Host Monitoring Policy | RAID Physical Drive Rebuilding | For Raid Physical Drive, Physical Drive State equals Rebuild. |
| SA Host Monitoring Policy | RAID Physical Drive Unconfigured | For Raid Physical Drive, Physical Drive State contains Unconfigured(good). |
| SA Host Monitoring Policy | SD Card Failure | SD Card Status does not equal ok. |
| SA Archiver Monitoring Policy | Archiver Aggregation Stopped | Archiver Status does not equal started. |
| SA Archiver Monitoring Policy | Archiver Database(s) Not Open | Database Status does not equal opened. |
| SA Archiver Monitoring Policy | Archiver Not Consuming From Service | Devices Status does not equal consuming. |
| SA Archiver Monitoring Policy | Archiver Service in Bad State | Service State does not equal started or ready. |
| SA Archiver Monitoring Policy | Archiver Service Stopped | Server Status does not equal started. |
| SA Broker Monitoring Policy | Broker >5 Pending Queries | Queries Pending greater than or equal to 5 for 10 minutes or more. |
| SA Broker Monitoring Policy | Broker Aggregation Stopped | Broker Status does not equal started. |
| SA Broker Monitoring Policy | Broker Not Consuming From Service | Devices Status does not equal consuming. |
| SA Broker Monitoring Policy | Broker Service in Bad State | Service State does not equal started or ready. |
| SA Broker Monitoring Policy | Broker Service Stopped | Server Status does not equal started. |
| SA Broker Monitoring Policy | Broker Session Rate Zero | Session Rate (current) equals 0 for 2 minutes or more. |
| Security Analytics Concentrator Monitoring Policy | Concentrator >5 Pending Queries | Queries Pending greater than or equal to 5 for 10 minutes or more. |
| Security Analytics Concentrator Monitoring Policy | Concentrator Aggregation Behind >100K Sessions | Devices Sessions Behind is greater than or equal to 100000 for 1 minute or more. |
| Security Analytics Concentrator Monitoring Policy | Concentrator Aggregation Behind >1M Sessions | Devices Sessions Behind is greater than or equal to 1000000 for 1 minute or more. |
| Security Analytics Concentrator Monitoring Policy | Concentrator Aggregation Behind >50M Sessions | Devices Sessions Behind is greater than or equal to 50000000 for 1 minute or more. |
| Security Analytics Concentrator Monitoring Policy | Concentrator Aggregation Stopped | Broker Status does not equal started. |
| Security Analytics Concentrator Monitoring Policy | Concentrator Database(s) Not Open | Database Status does not equal opened. |
| Security Analytics Concentrator Monitoring Policy | Concentrator Meta Rate Zero | Concentrator Meta Rate (current) equals 0 for 2 minutes or more. |
| Security Analytics Concentrator Monitoring Policy | Concentrator Not Consuming From Service | Devices Status does not equal consuming. |
| Security Analytics Concentrator Monitoring Policy | Concentrator Service in Bad State | Service State does not equal started or ready. |
| Security Analytics Concentrator Monitoring Policy | Concentrator Service Stopped | Server Status does not equal started. |
| Security Analytics Decoder Monitoring Policy | Decoder Capture Not Started | Capture Status does not equal started. |
| Security Analytics Decoder Monitoring Policy | Decoder Capture Rate Zero | Capture Rate (current) equals 0 for 2 minutes or more. |
| Security Analytics Decoder Monitoring Policy | Decoder Database Not Open | Database Status does not equal opened. |
| Security Analytics Decoder Monitoring Policy | Decoder Dropping >1% of Packets | Capture Packets Percent Dropped (current) is greater than or equal to 1%. |
| Security Analytics Decoder Monitoring Policy | Decoder Dropping >10% of Packets | Capture Packets Percent Dropped (current) is greater than or equal to 10%. |
| Security Analytics Decoder Monitoring Policy | Decoder Dropping >5% of Packets | Capture Packets Percent Dropped (current) is greater than or equal to 5%. |
| Security Analytics Decoder Monitoring Policy | Decoder Packet Capture Pool Depleted | Packet Capture Queue equals 0 for 2 minutes or more. |
| Security Analytics Decoder Monitoring Policy | Decoder Service in Bad State | Service State does not equal started or ready. |
| Security Analytics Decoder Monitoring Policy | Decoder Service Stopped | Server Status does not equal started. |
| Security Analytics Event Stream Analysis Monitoring Policy | ESA Overall Memory Utilization > 85% | Total ESA Memory Usage % is greater than or equal to 85%. |
| Security Analytics Event Stream Analysis Monitoring Policy | ESA Overall Memory Utilization > 95% | Total ESA Memory Usage % is greater than or equal to 95%. |
| Security Analytics Event Stream Analysis Monitoring Policy | ESA Service Stopped | Server Status does not equal started. |
| Security Analytics Event Stream Analysis Monitoring Policy | ESA Trial Rules Disabled | Trial Rules Status does not equal enabled. |
| Security Analytics IPDB Extractor Monitoring Policy | IPDB Extractor Service in Bad State | Service State does not equal started or ready. |
| Security Analytics IPDB Extractor Monitoring Policy | IPDB Extractor Service Stopped | Server Status does not equal started. |
| Security Analytics Incident Management Monitoring Policy | Incident Management Service Stopped | Server Status does not equal started. |
| Security Analytics Log Collector Monitoring Policy | Log Collector Service Stopped | Server Status does not equal started. |
| Security Analytics Log Collector Monitoring Policy | Log Decoder Event Queue > 50% Full | Number of events currently in the queue is using 50% or more of the queue. |
| Security Analytics Log Collector Monitoring Policy | Log Decoder Event Queue > 80% Full | Number of events currently in the queue is using 80% or more of the queue. |
| Security Analytics Log Collector Monitoring Policy | Log Collector Service in Bad State | Service State does not equal started or ready. |
| Security Analytics Log Decoder Monitoring Policy | Decoder Dropping >10% of Packets | Capture Packets Percent Dropped (current) is greater than or equal to 10%. |
| Security Analytics Log Decoder Monitoring Policy | Log Capture Not Started | Capture Status does not equal started. |
| Security Analytics Log Decoder Monitoring Policy | Log Decoder Capture Rate Zero | Capture Rate (current) equals 0 for 2 minutes or more. |
| Security Analytics Log Decoder Monitoring Policy | Log Decoder Database Not Open | Database Status does not equal opened. |
| Security Analytics Log Decoder Monitoring Policy | Log Decoder Dropping >1% of Logs | Capture Packets Percent Dropped (current) is greater than or equal to 1%. |
| Security Analytics Log Decoder Monitoring Policy | Log Decoder Dropping >5% of Logs | Capture Packets Percent Dropped (current) is greater than or equal to 5%. |
| Security Analytics Log Decoder Monitoring Policy | Log Decoder Packet Capture Pool Depleted | Packet Capture Queue equals 0 for 2 minutes or more. |
| Security Analytics Log Decoder Monitoring Policy | Log Decoder Service Stopped | Server Status does not equal started. |
| Security Analytics Log Decoder Monitoring Policy | Log Decoder Service in Bad State | Service State does not equal started or ready. |
| Security Analytics Malware Analysis Monitoring Policy | Malware Analysis Service Stopped | Server Status does not equal started. |
| Security Analytics Reporting Engine Monitoring Policy | Reporting Engine Alerts Critical Utilization | Alerts Utilization is greater than or equal to 10 for 5 minutes or more. |
| Security Analytics Reporting Engine Monitoring Policy | Reporting Engine Available Disk <10% | Available disk space is less than 10%. |
| Security Analytics Reporting Engine Monitoring Policy | Reporting Engine Available Disk <5% | Available disk space is less than or equal to 5%. |
| Security Analytics Reporting Engine Monitoring Policy | Reporting Engine Charts Critical Utilization | Charts Utilization is greater than or equal to 10 for 5 minutes or more. |
| Security Analytics Reporting Engine Monitoring Policy | Reporting Engine Rules Critical Utilization | Rules Utilization is greater than or equal to 10 for 5 minutes or more. |
| Security Analytics Reporting Engine Monitoring Policy | Reporting Engine Schedule Task Pool Critical Utilization | Schedule Task Pool Utilization is greater than or equal to 10 for 15 minutes or more. |
| Security Analytics Reporting Engine Monitoring Policy | Reporting Engine Service Stopped | Server Status does not equal started. |
| Security Analytics Reporting Engine Monitoring Policy | Reporting Engine Shared Task Critical Utilization | Shared Task Pool Utilization is greater than or equal to 10 for 5 minutes or more. |
| Security Analytics Warehouse Connector Monitoring Policy | Warehouse Connector Service in Bad State | Service State does not equal started or ready. |
| Security Analytics Warehouse Connector Monitoring Policy | Warehouse Connector Service Stopped | Server Status does not equal started. |
| Security Analytics Warehouse Connector Monitoring Policy | Warehouse Connector Stream Behind | Stream Behind is greater than or equal to 2000000. |
| Security Analytics Warehouse Connector Monitoring Policy | Warehouse Connector Stream Disk Utilization > 75% | Stream Disk Usage (Pending Destination Load) is greater than or equal to 75. |
| Security Analytics Warehouse Connector Monitoring Policy | Warehouse Connector Stream in Bad State | Stream Status does not equal consuming or online for 10 minutes or more. |
| Security Analytics Warehouse Connector Monitoring Policy | Warehouse Connector Stream Permanently Rejected Files > 300 | Number of files in the permanently rejected files is greater than or equal to 300. |
| Security Analytics Warehouse Connector Monitoring Policy | Warehouse Connector Stream Permanently Rejected Folder > 75% Full | Rejected folder usage is greater than or equal to 75%. |
| Security Analytics Workbench Monitoring Policy | Workbench Service in Bad State | Service State does not equal started or ready. |
| Security Analytics Workbench Monitoring Policy | Workbench Service Stopped | Server Status does not equal started. |