ESM: Alarms Tab

Document created by RSA Information Design and Development on Mar 22, 2017
Version 1Show Document
  • View in full screen mode
  

The Alarms tab presents the details for Event Sources that are currently in violation of a policy and threshold. Only Event Sources in violation of a policy appear in the list. Once the event source returns to a normal state, the corresponding alarm disappears from the list.

To access this tab, in the Security Analytics menu, select Administration > Event Sources > Alarms.

esm_alarm.png

For procedures related to this tab, see View Event Source Alarms.

Features

The Alarms tab contains the following features.

                                                             
FeatureDescription
Event Source

The IP, IPv6, or Hostname of the event source that is alarmed.

Event Source Type

The type of the alarmed event source. For example, winevent_nic (for Microsoft Windows) or rhlinux (for Linux).

Group

This is the event source group that contains the event source for which the alarm has been triggered.

Alarm

The type of threshold that was triggered: High or Low

Threshold Violated

The conditions of the threshold that was triggered. For example:

5,000,000 events in 5 minutes

Event Count

The number of events in the threshold time period causing the alarm.

Alarmed Time

The initial time the event source went into an alarmed state.

Note: When you first access this view, the data is sorted by this column (most recent alarm first).

Elapsed Time

Elapsed time since the event source entered an alarmed state.

Last Updated Time

The last time the event source was confirmed to be in an alarmed state.

Note: This column is hidden by default.

Log Collector

The Log Collector last collecting from this event source.

Log Decoder

The Log Decoder last receiving from this event source.

Type

Alarm type is either Manual or Automatic:

  • Manual: these are alarms that violate the configured threshold policy.
  • Automatic: these are alarms that deviate from the baseline for the alarmed event source.
Filter ic-filt.png

Select the Filter icon to display the Filter menu:

esm_alarmFilter.png

Select either Automatic or Manual:

  • If you select Automatic, only the alerts that are based on baselines are displayed.
  • If you select Manual, only the alarms for which you have set thresholds are displayed.

Note: You can hide or show columns by right-clicking in the table header and choosing Columns from the drop-down menu. Select a column to display it, or clear the column to hide it.

Previous Topic:Reference
You are here
Table of Contents > Reference > Alarms Tab

Attachments

    Outcomes