|Applies To||RSA Product Set: Security Analytics|
RSA Product/Service Type: Health and Wellness
RSA Version/Condition: 10.6.2
|Issue||Here are two examples where you may need to modify your out-of-the-box policies when getting false alarms:|
Health and Wellness sends an alarm for the Broker if the session rate is > 30 minutes:
But the Broker in this environment may aggregate from a device in bursts of roughly every 30 minutes. That interval is too close to the 30-minute threshold, so the policy raises a false alarm.
Health and Wellness sends an alert if the SD Cards are Unknown.
The alarm fires in this environment because the SD Cards are neither OK nor Not Readable (SD Cards are not enabled) but Unknown.
|Resolution||1. Click the Copy button to copy the out-of-the-box policy:|
2. Disable the out-of-the-box policy by deselecting the enable checkbox of the out-of-the-box policy and click the Save button in the top right corner.
3. For the copied policy, click the "Enable" checkbox and click the Save button.
Now you can modify the copied policy while keeping the original out-of-the-box policy intact in case it needs to be reverted.
In the first example we could raise the alarm threshold from 30 minutes to 60 minutes (or to whatever interval between aggregations is likely on the Broker).
In the second example we would disable the host SD Card failure policy because the device has been upgraded to 10.6.2, where SD cards are reported as Unknown. You can use ipmitool (https://community.rsa.com/docs/DOC-39435) to confirm the status of your SD Cards until you are able to back up SA and the other appliances, use a build stick to rebuild to 10.6, upgrade to the version that was backed up, and restore.