This topic describes automatic alerts, which are based on baseline settings.
Note: Automatic alerting, and all of the parameters that determine its behavior, are currently in Beta testing.
You can set up policies and thresholds for your event source groups. You do this so that you receive notifications when the thresholds are not met. Security Analytics also provides an automatic way to receive alarms, if you do not want to set up thresholds to generate alarms.
To trigger automatic alerts, you can use baseline values. This way, you do not need to set up numerous group thresholds and policies in order to receive alerts. Any anomalous amount of messages trigger alerts, without needing to do any configuration (except for turning on automatic alerting).
Note the following:
- Once you begin collecting messages from an event source, it takes the system approximately a week to store a baseline value for that event source. After this initial period, the system alerts you when the number of messages for a period are above or below the baseline by a set amount. By default, this amount is 2 standard deviations above or below the baseline.
- Base your high and low deviation settings on how "regular" your event sources behave. That is, if you expect little or no variance in the number of messages that arrive for a given time (for example, 8 to 9 am on a weekday), then you can set a low value for the Deviation. Conversely, if you often see peaks and valleys, set the Deviation value higher.
- If you enable a policy, but do not have any thresholds set, then you can still receive automatic (baseline) notifications, as long as you have turned on automatic alerting.