Incident Management Config: Set Counter for Matched Alerts and Incidents

Document created by RSA Information Design and Development on Mar 22, 2017. Last modified by RSA Information Design and Development on Mar 24, 2017.
Version 3
  

This procedure is optional. Administrators can use it to change when the count for matched alerts is reset to 0. The Aggregation Rules tab displays these counts in columns on the right.

matched_col.png

These columns provide the following information for a rule: 

  • The Last Matched column shows the time when the rule last matched alerts.
  • The Matched Alerts column displays the number of matched alerts for the rule.
  • The Incidents column displays the number of incidents created by the rule.

By default, these values reset to zero every 7 days. Depending on how long you want the counts to continue, you can change the default number of days.

Note: When the counter resets to zero, only the numbers in the three columns change to zero. No alerts or incidents get deleted.

To set a counter for matched alerts and incidents:

  1. In the Security Analytics menu, select Administration > Services.
  2. Select an Incident Management service, then select ic-actns.png > View > Explore.
  3. In the Explore view on the left, select Service > Configuration > ruleEngine.
    counter_reset.png
  4. In the right panel, type the number of days in the CounterResetInDays field.
  5. Restart the service for the new setting to take effect: 

    1. Select Services.
    2. Select the service, then click ic-actns.png > Restart.  