ESM: Configure Event Source Group Alerts

Document created by RSA Information Design and Development on Mar 22, 2017
Version 1

Each event source group can have its own alerting policy. This includes setting the thresholds for when to alert, and setting the notification type when an alert is triggered. This topic describes the steps involved in creating an alert policy for an event source group.

Create an Alert Policy for an Event Source Group

  1. In the Security Analytics menu, select Administration > Event Sources.
  2. Select the Monitoring Policies tab.
  3. In the Event Groups panel, select a group.
  4. Enter values for the Low Threshold and High Threshold fields.

    This is an example of alert thresholds.

    ESM_alerts01.png

  5. Select Enable and click Save to enable the alert policy that you have configured.

Note: If you make changes to a policy, and attempt to exit the page before you save your changes, an Unsaved Changes warning message is displayed:

esm_policyChgWrn.png

Set and View the Thresholds for an Alert Policy

Every event source group is also an alert policy. Thresholds are part of an alert policy. You can set thresholds for each alert policy. For each policy, you can set a low threshold, a high threshold, or both. Additionally, you can enable a policy without setting any thresholds; this allows you to receive notifications based on automatic alerts. Automatic alerts are generated when the baseline for an event source is out of normal bounds.

  1. In the Security Analytics menu, select Administration > Event Sources.
  2. Select the Monitoring Policies tab.
  3. In the Event Groups panel, select a group.
    Any thresholds set for the selected group are displayed in the Thresholds panel.

    ESM_Threshold2.png

  4. Edit the values in either the Low or High Threshold as follows:

    1. Enter the number of events for the threshold.
    2. Enter the number of minutes or hours for the threshold. The minimum value is 5 minutes.

    Note: For each threshold, you can set either the low values, the high values, or both.

  5. Select Enable to enable alarms when the event count for the group falls outside the configured thresholds.

    Note: If you configure a threshold and attempt to save the page without enabling it, you receive a confirmation message, asking you whether or not to enable the policy:
    esm_policy_conf.jpg

For example, suppose you enter 10 and 30 for the values of the low threshold (10 events in 30 minutes), and 20 and 30 for the values of the high threshold (20 events in 30 minutes). This means that you expect between 10 and 20 events to be logged in 30 minutes for the selected event source group. Anything between the low and high threshold is considered normal and does not trigger an alarm; fewer than 10 events in 30 minutes raises a low alarm, and more than 20 raises a high alarm. The low threshold is the one that catches an event source that has gone quiet, for example because log forwarding from it has stopped, so do not neutralise it without a reason.

Note: Once you add a threshold for a policy, you cannot delete it. You can disable the policy, or set the low or high threshold to 0 events in 5 minutes. Five minutes is the minimum duration for a threshold.
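The threshold semantics described above, as an added illustration written for this page and not RSA Security Analytics code. It models a policy as a low and a high threshold (an event count over a window of at least five minutes), counts the events that fall inside each window, and classifies the group as low, normal or high. The group name, the timestamps and the reference time are constructed sample input; treating a threshold of 0 events as "not set", and counting events over the window that ends at the evaluation time, are assumptions about the product's behaviour that the page does not spell out.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# The page states that five minutes is the minimum duration for a threshold.
MIN_WINDOW = timedelta(minutes=5)


@dataclass(frozen=True)
class Threshold:
    """A threshold as entered in the Thresholds panel: N events in a window."""
    events: int
    window: timedelta

    def __post_init__(self) -> None:
        if self.events < 0:
            raise ValueError("event count cannot be negative")
        if self.window < MIN_WINDOW:
            raise ValueError("threshold window must be at least 5 minutes")

    @property
    def is_set(self) -> bool:
        # Assumption: a threshold of 0 events counts as "not set", which is the
        # neutral value the page recommends for a threshold you cannot delete.
        return self.events > 0


@dataclass
class AlertPolicy:
    """Alert policy for one event source group (every group is also a policy)."""
    group: str
    enabled: bool = False
    low: Optional[Threshold] = None
    high: Optional[Threshold] = None


def count_in_window(timestamps: List[datetime], end: datetime, window: timedelta) -> int:
    """Count events in the half-open interval (end - window, end]."""
    start = end - window
    return sum(1 for t in timestamps if start < t <= end)


def evaluate(policy: AlertPolicy, timestamps: List[datetime], now: datetime) -> str:
    """Return 'disabled', 'low', 'high' or 'normal' for the group at time `now`.

    Fewer events than the low threshold in its window raises a low alarm;
    more events than the high threshold in its window raises a high alarm;
    anything in between (inclusive) is normal and raises nothing.
    """
    if not policy.enabled:
        return "disabled"
    if policy.low is not None and policy.low.is_set:
        if count_in_window(timestamps, now, policy.low.window) < policy.low.events:
            return "low"
    if policy.high is not None and policy.high.is_set:
        if count_in_window(timestamps, now, policy.high.window) > policy.high.events:
            return "high"
    return "normal"


def spread_events(n: int, now: datetime, window: timedelta) -> List[datetime]:
    """Constructed sample input: n timestamps spread evenly over the last `window`."""
    return [now - window * ((i + 1) / (n + 1)) for i in range(n)]


# Policy from the page's example: low = 10 events in 30 minutes, high = 20 in 30 minutes.
# The group name is a placeholder, not taken from the page.
THIRTY_MIN = timedelta(minutes=30)
PAGE_POLICY = AlertPolicy(
    group="Example Group",
    enabled=True,
    low=Threshold(events=10, window=THIRTY_MIN),
    high=Threshold(events=20, window=THIRTY_MIN),
)

# The same group with the low threshold neutralised as the page describes
# (0 events in 5 minutes), leaving only the high threshold active.
HIGH_ONLY_POLICY = AlertPolicy(
    group="Example Group",
    enabled=True,
    low=Threshold(events=0, window=MIN_WINDOW),
    high=Threshold(events=20, window=THIRTY_MIN),
)

NOW = datetime(2017, 3, 22, 12, 0, 0)  # constructed reference time


if __name__ == "__main__":
    for n in (5, 10, 15, 20, 25):
        events = spread_events(n, NOW, THIRTY_MIN)
        print(f"{n:2d} events / 30 min -> {evaluate(PAGE_POLICY, events, NOW)}")
    print("0 events, high-only policy ->", evaluate(HIGH_ONLY_POLICY, [], NOW))
```

Note that with the low threshold neutralised, a group that stops sending events entirely is reported as normal; that is the trade-off the page's "0 events in 5 minutes" workaround makes, and it is why a disabled low threshold deserves a compensating check elsewhere.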
