000034750 - How to handle false alerts received from Health and Wellness on RSA Netwitness Suite

Document created by RSA Customer Support Employee on Feb 22, 2017. Last modified by RSA Customer Support Employee on Apr 14, 2017.
Version 4

Article Content

Article Number: 000034750
Applies To: RSA Product Set: Security Analytics
RSA Product/Service Type: Health and Wellness
RSA Version/Condition: 10.6.2
Issue
Here are two examples where you may need to modify the out-of-the-box policies when they produce false alarms:
1. Health and Wellness sends an alert based on the Broker session rate: if the session rate stays at zero for more than 30 minutes, an alarm is sent.
[Image: Broker OOTB policy, session rate zero]
However, the Broker in this environment may aggregate from a device in bursts roughly every 30 minutes. That interval is too close to the 30-minute threshold, so the policy raises a false alarm.
2. Health and Wellness sends an alert if the SD Cards are Unknown.
[Image: OOTB host policy for SD Cards]
The alarm fires in this environment because the SD Cards are neither OK nor Not Readable (SD Cards are not enabled) but Unknown.
Resolution
1. Click the Copy button to copy the out-of-the-box policy:
[Image: Copy OOTB Policy]
2. Disable the out-of-the-box policy by deselecting its Enable checkbox, then click the Save button in the top right corner.
3. For the copied policy, select the Enable checkbox and click the Save button.
[Image: Enable policy]
Now you can modify the copied policy while keeping the original out-of-the-box policy intact in case it needs to be restored.
In the first example, adjust the alarm threshold from 30 minutes to 60 minutes (or to whatever interval the Broker's aggregation bursts are likely to occur at).
In the second example, disable the host SD Card failure policy, because the device has been upgraded to 10.6.2, where SD cards are reported as Unknown. You can use ipmitool (https://community.rsa.com/docs/DOC-39435) to confirm the status of your SD Cards until you are able to back up SA and the other appliances, rebuild them with the 10.6 build stick, upgrade to the version that was backed up, and restore.