Alarm life cycle

As part of its functions, the Plixer Scrutinizer Alarm Monitor automatically manages Alarms following a framework that reduces the overall volume of Alarms while still allowing for full transparency.

The framework can be summarized in the following Alarm life cycle:

Observations
    All Alarms start out as a single Observation, such as a device state change, irregular traffic, or unexpected resource usage, that has been identified as a potential problem or threat by the Plixer ML Engine, Flow Analytics, or a user-defined threshold.

Policies
    After verifying which Alarm Policy has been triggered, the system identifies the unique criteria involved and starts monitoring the Observation as an Event.

Events
    Further Observations linked to the same Policy and criteria, received within a specified timeout value, are aggregated into the same Event, which can be sent to the Alarm Monitor, forwarded to another device, system or notification channel, or completely ignored.

Acknowledged
    Alarms are received and inspected by NetOps or SecOps teams, who can then respond to the Event(s). After a resolution has been reached, the Events should be acknowledged to clear them from the Alarm Monitor view. Acknowledged Events are hidden by default but remain accessible for viewing, reporting, and other functions.

Expired
    All Events, acknowledged or not, are retained in the system until a specified period of time has passed or the configured storage limit has been reached. Once either threshold is reached, the Event expires and is removed from the system entirely.