Reporting: Create or Modify Alert Panel

Document created by RSA Information Design and Development on Sep 14, 2017. Last modified by RSA Information Design and Development on Oct 15, 2017.

The Create or Modify Alert panel is a panel in the Alert List view. Use this panel to create a new alert or to modify an existing one.

Workflow

[Figure: alert view workflow]

What do you want to do?

                                           
RoleI want to...Documentation

Administrator/ Analyst

Configure Reporting Engine

Configure Reporting Engine

Administrator/ Analyst

Configure an alert*

Configure an Alert

Administrator/ Analyst

Schedule an alertSchedule an Alert

Administrator/ Analyst

View an alert

View an Alert

Administrator/ AnalystInvestigate an alertInvestigate an Alert
Administrator/ AnalystManage an alert and alert templateManage an Alert and Alert Template

*You can complete these tasks here.

Related Topics

Alerting Overview

Configure an Alert

Quick View

The following figure is an example with the important features labeled.

[Figure: create or modify alert panel, with the important features labeled]

                             
1Click MonitorReports to view the Manage tab.
2Click Alerts to open the Alert view.
3

Click to navigate to the Create or Modify Alert panel.

4Enable the alert, navigate the rule, and select a data source to alert.
5Enter a brief description of an alert.
6Define the alert notification methods(RECORD, SMTP, SNMP, Syslog) to alert, when an alert condition is matched.

The Create or Modify Alert panel has the following sections:

  • Alert Definition
  • Alert Description
  • Alert Notification

Alert Definition

The following table describes the fields in the Alert Definition:

                         
FieldDescription
Enable
  • Enable activates the alert. The alert executes and sends output actions every minute (by default) when the alert conditions are met.
  • Disable deactivates the alert. The alert does not execute and does not send any output actions.
Rule BasisClick Browse to display the Rules Library panel from which you select the rule that is the basis of this alert.
You must select a rule that has a unique 'where' clause for an alert.
Data SourcesSpecifies the data source for the alert.
Push to decodersPushes the ‘where’ clause of the alert rule to Decoders connected to the selected NWDB data source. This is the recommended option used to create RE alerts, as the alert conditions are checked on the Decoder itself and the alert queries will be comparatively faster in NWDB.
If you deselect this option, the alert rule ‘where’ clause will be queried against the selected NWDB data source. Based on the complexity and metas in the ‘where’ clause of the rule, the alert queries might take more time to process in NWDB.

Note: NetWitness does not send rules to the Decoder automatically.

Alert Description

The following table describes the fields in the Alert Description:

                     
FieldDescription
DescriptionDescribes the alert.
CreateCreates the alert. (This option is displayed when you create an alert.)
SaveSaves the changes made to the alert. (This option is displayed when you modify an alert.)

Alert Notification

The Alert Notification section allows you to define the notification action NetWitness takes when an alert is generated, for example recording the alert or sending it using one of the defined output actions. The output actions are Simple Mail Transfer Protocol (SMTP), Simple Network Management Protocol (SNMP), or a Syslog message.

The Notification section contains the default Record tab, which you use to create an alert. The icon beside the Record tab allows you to select the notification type for the alert output from the drop-down list: SMTP, SNMP, or Syslog.

Depending on the selected notification type, the Notification section is populated with predefined text that contains variables; these variables insert the meta values appropriate for the alert. In the Reporting Engine, the variables are replaced with actual values. The following table lists the variables and their descriptions.

                                 
VariableDescription
${meta.<metakey>} The meta key value.

Note: If the <metakey> did not fetch any value, an empty string("") is printed. 
By default, Reporting Engine displays all the repeated values for a meta key. If you do not want the meta values to repeat in the Alert output, enable the "removeRepeatedMetaValue" option by navigating to Configuration > Alert Configuration available for the Reporting Engine in the Services - Configuration > Explore view.
For example, in an HTTP Session the value for the action is displayed as get, get, put, put, post, get. When this option is enabled, the value is displayed as get, put, post.

${meta.time} / ${meta.time:<time_format>} ${meta.time} - The session time is printed in  "yyyy-MMM-dd HH:mm:ss" format.
${meta.time:<time_format>} - The session time is printed in the user-defined custom time format. For example, ${meta.time:dd-MM-yyyy HH:mm:ss}.
For more information on the supported time formats, see  http://docs.oracle.com/javase/7/docs/api/java/text/SimpleDateFormat.html

Note: If the time format provided by the user is invalid, the default time format will be used. The default time format is "yyyy-MMM-dd HH:mm:ss".

${name}      The alert name defined in Reporting Engine.
${count}     The number of times an alert is detected in a given time frame. (By default, it is one minute)
${nw.host}     The NetWitness host name as configured in Reporting Engine.
${device.id}      The NetWitness device ID of the data source.
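As an added illustration (not code from RSA or from the Reporting Engine itself), the following Python models how the variables in the table above are substituted into an alert body, including the three edge cases the table calls out: an empty string for a meta key with no value, the removeRepeatedMetaValue de-duplication, and fallback to the default time format when a custom format is invalid. The SimpleDateFormat-to-strftime mapping is an assumption covering only the pattern letters used on this page, and the ", " separator for repeated meta values is taken from the HTTP action example.

```python
import re
from datetime import datetime

# Default session-time format documented for ${meta.time}.
DEFAULT_TIME_FORMAT = "yyyy-MMM-dd HH:mm:ss"
# SimpleDateFormat letters used on this page -> strftime (constructed subset).
_JAVA_TOKENS = (("yyyy", "%Y"), ("MMM", "%b"), ("MM", "%m"), ("dd", "%d"),
                ("HH", "%H"), ("mm", "%M"), ("ss", "%S"))
_VAR_RE = re.compile(r"\$\{([^}]+)\}")

def java_to_strftime(fmt):
    """Translate a SimpleDateFormat pattern; None marks an unsupported (invalid) letter."""
    out, i = [], 0
    while i < len(fmt):
        for token, directive in _JAVA_TOKENS:
            if fmt.startswith(token, i):
                out.append(directive)
                i += len(token)
                break
        else:
            if fmt[i].isalpha():
                return None
            out.append(fmt[i])
            i += 1
    return "".join(out)

def render_alert(template, meta, alert, remove_repeated=False):
    """Replace ${...} variables in an alert body from session meta and alert fields."""
    def substitute(match):
        name = match.group(1)
        if name in ("name", "count", "nw.host", "device.id"):
            return str(alert.get(name, ""))
        if name == "meta.time" or name.startswith("meta.time:"):
            fmt = name.partition(":")[2] or DEFAULT_TIME_FORMAT
            strf = java_to_strftime(fmt) or java_to_strftime(DEFAULT_TIME_FORMAT)
            return meta["time"].strftime(strf)
        if name.startswith("meta."):
            values = meta.get(name[len("meta."):], [])  # missing key -> ""
            if remove_repeated:  # removeRepeatedMetaValue: keep first-seen order
                values = list(dict.fromkeys(values))
            return ", ".join(str(v) for v in values)
        return match.group(0)  # unknown variable left unchanged (assumption)
    return _VAR_RE.sub(substitute, template)

# Constructed sample session meta and alert fields (not real NetWitness data).
SAMPLE_META = {"time": datetime(2017, 10, 15, 13, 5, 9),
               "action": ["get", "get", "put", "put", "post", "get"]}
SAMPLE_ALERT = {"name": "HTTP PUT seen", "count": 3,
                "nw.host": "nw-re.example", "device.id": 42}
```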

The Alert Notification has four tabs:

Record Tab

Use the Record tab to define the frequency for recording an alert and the message to generate when an alert is generated.

[Figure: alert Record pane]

The following table lists the fields in the Record tab and their description.

                     
FieldDescription
ExecuteThe frequency for recording an alert.
  • Once - Record the alert only once based on the alert interval no matter how often the alert is generated. NetWitness records the number of times the alert has actually generated during that interval in the log file so that analysts know how many times the alert registered a match over a given day.
  • Each Event - Record the alert each time as it generates. If an alert generates unlimited number of times during a day, that alert is often treated as noise and can be ignored, except in case of alerts that require continuous monitoring such as network configuration changes and DDOS attacks.

Note: Select Each Event setting from the Execute drop-down list for SNMP and Syslog output actions. 

BodyThe body of the message.
Body Template(Optional) If templates have been defined, select a template for the alert message. 

SMTP Tab

The SMTP tab allows you to define the SMTP (email) output for this alert.

[Figure: alert SMTP pane]

The following table lists the fields in the SMTP tab and their description.

                             
FieldDescription
ExecuteThe frequency to send an email message for the alert.
  • Once - Sends only one email for an interval, if an alert generates in that interval, irrespective of how many alerts generated.
  • Each Event - Send an email with the alert for every event in which the rule criteria are met.
ToThe email addresses to which to send this alert. 
SubjectThe subject of the email message.
BodyThe body of the message.
Body Template(Optional) If templates have been defined, select a template for the SMTP message that you can use as is or modify.

SNMP Tab

The SNMP tab allows you to define the SNMP output for the alert.

[Figure: alert SNMP pane]

The following table lists the fields in the SNMP tab and their description.

Field: Description

Execute: The frequency with which to send SNMP output for an alert.
  • Once - Sends an SNMP message along with an email once per interval if an alert is generated in that interval, irrespective of how many alerts were generated.
  • Each Event - Sends an SNMP message with the alert for every event in which the rule criteria are met.
Body: The body of the message.
Body Template: (Optional) If templates have been defined, select a template for the SNMP message to use as is or modify.

Syslog Tab

The Syslog tab allows you to define the Syslog message output for this alert.

[Figure: alert Syslog pane]

Click to add a Syslog configuration to the alert. The New Syslog Configuration dialog box is displayed:

[Figure: New Syslog Configuration dialog]

The following table describes the fields in the New Syslog Configuration dialog:

Field: Description

Syslog Configs: The Syslog configuration defined in the Syslog Configuration panel of the Device Config view.
Execute: The frequency with which to send Syslog output for the alert.
  • Once - Sends Syslog output along with an email once per interval if an alert is generated in that interval, irrespective of how many alerts were generated.
  • Each Event - Sends Syslog output with the alert for every event in which the rule criteria are met.
Facility: The type of program logging the message. Examples are Syslog, Daemon, Mail, and Kernel.
Severity: The severity level of the generated alert:
  • Emergency
  • Alert
  • Critical
  • Error
  • Warning
  • Notice
  • Informational
  • Debug
Body: The body of the message.
Body Template: (Optional) If templates have been defined, select a template for the Syslog message to use as is or modify.