Reporting: Add an Alert

Document created by RSA Information Design and Development on Mar 23, 2017
Version 1

This topic provides instructions on how to add an alert.

Prerequisites

Make sure that:

  • You have rules defined with unique where clauses before you add an alert.
  • You have decoders connected to the concentrator added to the Reporting Engine for the selected data source, before adding an alert rule.
  • You have understood the components of the Create/Modify Alert view. For more information, see Create or Modify Alert View.

Procedure

Perform the following steps to add an alert:

  1. In the Security Analytics menu, click Administration > Reports.
    The Manage tab is displayed.
  2. Click Alerts.
    The Alert view is displayed.
  3. In the Alert toolbar, click the Add icon.

    The Create/Modify Alert tab is displayed.

    Note: If you want to reference a metakey in the rule, specify it in the format ${meta.metakey}. For example, ${meta.ip.dst}.

  4. Click Enable to enable the alert.
  5. In the Rule Basis field, do the following:

    1. Click Browse.
      The Lookup Rule Basis dialog box is displayed.
    2. Navigate the Rule tree and select a rule.
    3. Click OK.
      The Rule name is displayed in the Rule Basis field.
  6. Select a data source from the Data Sources drop-down list.

    Note: If the data source is not listed, ensure that you have Read permissions set for the data source. This applies to NWDB and Warehouse data sources. For more information, see the Configure Data Source Permissions topic in the Host and Services Configuration Guide.

  7. Select the Push to decoders checkbox for the Reporting Engine to send the rule to the Decoder.
  8. (Optional) Enter an alert description in the Description field.
  9. Select the severity level from the Severity drop-down list.
  10. In the Notification field, do the following:

    1. Select the appropriate notification.
      The selected notification tab is displayed in the Create/Modify Alert dialog box.
    2. (Optional) De-select the notification to disable the notification tab.
    3. Define the action in one of the Notification tabs:

      1. In the Record tab field, do the following:
        1. From the Execute drop-down list, select the frequency for recording an alert.
        2. Enter the RECORD message. You can create the message from scratch or select a template in the Body Template field and modify the template here.
        3. (Optional) If templates have been defined, select a template for the RECORD message that you can use as is or modify.
      2. In the SMTP tab field, do the following:
        1. From the Execute drop-down list, select a value to identify the number of times that you want to send an email message for the alert.
        2. Enter an email address or comma-separated list of email addresses to which you want to send this alert.
        3. Enter the subject of the email message.
        4. Enter the body of the message. You can create the message from scratch or you can select a template in the Body Template field and modify the template here.
        5. (Optional) If templates have been defined, select a template for the SMTP message that you can use as is or modify.
      3. In the SNMP tab field, do the following:
        1. From the Execute drop-down list, select a value to identify the number of times that you want to send an SNMP message for the alert.
        2. Enter the SNMP message. You can create the message from scratch or select a template in the Body Template field and modify the template here.
        3. (Optional) If templates have been defined, select a template for the SNMP message that you can use as is or modify.
      4. In the Syslog tab field, do the following:

        Note: You can configure multiple Syslog servers on the Syslog Configuration panel. For more information, see the Reporting Engine Output Actions topic in the Host and Services Configuration Guide.

        1. Click the Add icon.
          The New Syslog Configuration dialog box is displayed.
        2. From the Syslog Configs drop-down list, select a value for the syslog configuration.
        3. From the Execute drop-down list, select a value to identify the number of times that you want to send a Syslog message for the alert.
        4. Select the facility from the Facility drop-down list.
        5. Select the severity level from the Severity drop-down list.
        6. Enter the Syslog message. You can create the message from scratch or select a template in the Body Template field and modify the template here.
        7. (Optional) If templates have been defined, select a template for the Syslog message that you can use as is or modify.
        8. Click Save.
          The Syslog configuration gets added to the alert.
  11. Click Create.
    Security Analytics creates the alert with a confirmation message that the alert is saved successfully. Security Analytics fires the alert and executes the output actions every minute.
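The Syslog settings chosen in step 10 (facility, severity, and a message body carrying ${meta.metakey} placeholders) determine what the receiving SIEM or syslog collector actually sees. As an added illustration, not the Reporting Engine's own code, the Python below renders a body template from one session's meta values and wraps it in an RFC 3164 syslog line whose PRI is derived from the selected facility and severity; the rule text, host name, tag and meta values are constructed samples.

```python
import re
from datetime import datetime, timezone

# RFC 3164 numeric codes behind the Facility and Severity drop-downs on the Syslog tab.
FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
              "authpriv": 10, "local0": 16, "local1": 17, "local2": 18, "local3": 19,
              "local4": 20, "local5": 21, "local6": 22, "local7": 23}
SEVERITIES = {"emergency": 0, "alert": 1, "critical": 2, "error": 3,
              "warning": 4, "notice": 5, "informational": 6, "debug": 7}

# Matches placeholders written in the ${meta.metakey} format described in the note above.
PLACEHOLDER = re.compile(r"\$\{meta\.([A-Za-z0-9_.]+)\}")


def render_body(template, meta):
    """Fill ${meta.<key>} placeholders from a session's meta values.
    A key with no value is left as-is so the gap stays visible in the delivered alert."""
    return PLACEHOLDER.sub(lambda m: str(meta.get(m.group(1), m.group(0))), template)


def unresolved_keys(rendered):
    """Placeholders that survived rendering, i.e. a misspelt or absent metakey."""
    return PLACEHOLDER.findall(rendered)


def syslog_pri(facility, severity):
    """PRI = facility * 8 + severity (RFC 3164, section 4.1.1)."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def build_syslog_message(facility, severity, hostname, tag, template, meta, when):
    """Assemble a BSD-syslog line: <PRI>Mmm dd hh:mm:ss HOST TAG: body."""
    stamp = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"
    body = render_body(template, meta)
    return f"<{syslog_pri(facility, severity)}>{stamp} {hostname} {tag}: {body}"


def demo():
    # Constructed sample: a hypothetical rule body and the meta values of one matching session.
    template = "Rule fired: ${meta.ip.src} connected to ${meta.ip.dst} on port ${meta.tcp.dstport}"
    meta = {"ip.src": "10.0.0.5", "ip.dst": "203.0.113.7", "tcp.dstport": 443}
    when = datetime(2017, 3, 23, 9, 5, 7, tzinfo=timezone.utc)
    return build_syslog_message("local4", "warning", "re-host", "ReportingEngine",
                                template, meta, when)


if __name__ == "__main__":
    print(demo())
```

Running unresolved_keys over a rendered body is a cheap way to catch a metakey that was mistyped in the rule before the alert goes live.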