Setting up Alerting - Idiot's Guide?
It sounds like you've created the correlated rule. That is typically the first step to creating the "Alert". The next step would be to add that Rule to a View. A view is a container that can hold one or more rules. Adding a rule to a view takes a few steps.
1) Create a View if you don't already have one in place.
2) Find the rule that you are trying to add.
* In the filter window, top section of the right hand window, click on the attribute dropdown and select Correlation/Correlation
* Click Apply in the top window
* In the bottom window select the correlation class that you identified for your rule, default is NIC Security Correlated Class
* Click OK
* Click Next
* In the top section of the new window click Apply
* In the bottom section a list of Rules will appear, find and select your Rule from the list
* Click OK
* Click Finish
The third part is the Output action. You will first need to create the output action.
Click on the Output Action section on the left side of the enVision GUI under the Alerts -> Alert Configuration tab.
1) Click Manage Output Actions
2) Click the Add button on the bottom right window
3) Name the new Output action
4) Select an Action Type (SMTP for email)
5) Fill in the required fields
6) Click Apply to save the Output Action
Apply the Output Action to the Alert you've created.
1) Click on Views -> Manage Views
2) Click on the Edit link across from the view that contains the Rule you want to add the output action to
3) A list of all the rules in that view will appear. Under the Output Action column click on the link (initially OFF)
4) A new window will appear displaying all available output actions, select the Output Action(s) you want to apply to the rule.
5) Click Finish
As a warning, I will advise you not to turn on any output actions initially until the view has run for a period of time, to ensure that you do not spam an email box with alerts. It's common to turn on a rule and find out afterwards that you should have applied additional filters or restricted certain events. Good luck, Steve
To get an idea of the correlation classes I would recommend navigating to the Manage Correlation Rules section in the Alert Tab:
The rules that are listed in the right hand window are each in a class. Most are in the Security Correlated Class. When you create a correlation rule in this section you can choose what class it is part of. If the rule that you want is in the Security Correlation Class, you would select this class in the View in the 'correlation classes' part.