The Event Source module in Security Analytics displays alarms and sends notifications based on alarms that are triggered.
For alarms, consider the following:
Alarms are of two types: automatic (triggered when baselines are exceeded or not met) and manual (configured using thresholds).
- Automatic: If you turn on automatic alerts, the system reports alarms for all event sources that go above or below their normal baselines by the required amount. You can specify the over / under percentage on the Settings Tab.
- Manual: If you turn off automatic alerts, you receive alarms only for the event source groups for which you have specified—and enabled—policies (and thresholds).
- Alarms appear on the UI, in the Alarms Tab.
For notifications, consider the following:
To receive manual notifications (via email, SNMP or Syslog):
- Specify a policy for an event source group.
- Set a high or low (or both) threshold.
- Enable the policy.
To receive automatic (baseline) notifications:
- Baseline alerting must be on. This is turned on by default.
- You must enable notifications from automatic monitoring. See Configure Automatic Alerting for details.
- The event source that triggers the alarm must be in a group that has a policy enabled.
If you have automatic alerting turned on, and you have configured a policy and threshold for a group:
- If the event source goes outside its baseline, you see an automatic alert and receive a notification.
- If the event source goes outside its thresholds, you see a manual alert and receive a notification.
- If both occur (threshold and baseline exceeded or not met), you receive two alarms (visible on the Alarms tab) and a single notification that reports both. That notification lists the double-alarmed event source twice, with one of the two listings marked as an automatic alarm.
Large Email Notifications
If you have set up email notifications, keep in mind that the email can grow very large, depending on the number of event sources in the notification.
If the number of event sources in the alarmed state exceeds 10,000, then the email notification contains the details for only the first 10,000 and a total count. This is to ensure that the email is successfully delivered.
High and Low Thresholds Both Triggered
There may be occasions when both the high and low alarms are triggered for a particular event source group. The easiest way to see when this happens is to read the email header, which clearly states when both thresholds are triggered, as shown in this image:
In this example, the header states, "High threshold and Low threshold triggered on ciscopix group." To see the details for the low threshold event sources, you may need to scroll down past hundreds, or even thousands, of the high threshold event sources.
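The alarm and notification rules described above (baseline over/under alarms, high/low threshold alarms, the policy-enabled requirement for automatic notifications, the double listing, the 10,000-source email cap, and the combined high/low header) can be modelled as follows. This is an added example, not code from RSA Security Analytics; the Policy and Source classes, the percentage parameters, and the sample counts are constructed for illustration.

```python
# Added example (not RSA's code): a model of the Event Source Monitoring
# alarm and notification rules described on this page.
from dataclasses import dataclass
from typing import Optional

EMAIL_DETAIL_LIMIT = 10_000  # the page's cap on per-source details in one email

@dataclass
class Policy:                 # a group's manual policy; thresholds are event counts
    enabled: bool
    high: Optional[int] = None
    low: Optional[int] = None

@dataclass
class Source:                 # one event source: observed count and learned baseline
    name: str
    group: str
    count: int
    baseline: float

def evaluate(src, policy, auto_on, over_pct, under_pct):
    """Return the alarm types raised for one event source."""
    alarms = []
    lo, hi = src.baseline * (1 - under_pct / 100), src.baseline * (1 + over_pct / 100)
    if auto_on and not (lo <= src.count <= hi):
        alarms.append("automatic")          # baseline exceeded or not met
    if policy is not None and policy.enabled:
        if policy.high is not None and src.count > policy.high:
            alarms.append("manual-high")
        if policy.low is not None and src.count < policy.low:
            alarms.append("manual-low")
    return alarms

def build_notification(sources, policies, auto_on, auto_notify, over_pct, under_pct):
    """Collect notifiable alarms and apply the 10,000-source detail cap."""
    entries, kinds = [], {}
    for src in sources:
        policy = policies.get(src.group)
        for kind in evaluate(src, policy, auto_on, over_pct, under_pct):
            # Automatic alarms are notified only if automatic-monitoring notifications
            # are on AND the group has an enabled policy; a manual alarm already implies
            # an enabled policy. A double-alarmed source is therefore listed twice.
            if kind == "automatic" and not (auto_notify and policy and policy.enabled):
                continue
            entries.append((src.name, kind))
            kinds.setdefault(src.group, set()).add(kind)
    headers = [f"High threshold and Low threshold triggered on {g} group"
               for g, k in kinds.items() if {"manual-high", "manual-low"} <= k]
    return {"headers": headers, "total": len(entries),
            "details": entries[:EMAIL_DETAIL_LIMIT]}
```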