Alarm Monitor#

The Admin > Alarm Monitor category covers the configuration and management views for functions related to events/detections and alert delivery.

Alarm policies#

The Admin > Alarm Monitor > Alarm Policies page can be used to enable/disable, inspect, or reconfigure individual alarm policies.

Hint

For detailed information about individual alarm policies, refer to this section of the documentation.

The main view lists the following details and settings for each policy:

  • Status: Current state the policy is set to (green: Active, blue: Store, grey: Inactive)

  • Flow Analytics Algorithm: FA algorithm driving detections for the policy

  • Category: Type/nature of detections reported under the policy

  • Violations: Current number of active violations of the policy

  • Exporters: Number of exporters defined as inclusions for the associated FA algorithm

  • Timeout: Amount of time (in seconds) that must pass before the next observed violation is counted as a new event

  • Weight: Value used to calculate severity when violations are reported in the Alarm Monitor views

Filters can be applied to quickly find specific policies, and the table can be exported for external use.

Modifying policy settings#

To view additional details (including message format, variables, and event/artifact criteria) about an alarm policy or make changes to its configuration, do the following:

  1. Open the configuration tray by clicking on the policy.

  2. In the Information & Settings section of the tray, click the Edit (pencil) icon to modify any of the following settings:

    • Weight

    • Timeout

    • Status

The secondary tray also shows the message format for reporting violations and lists all message variables used. It also contains the exact criteria used for aggregating individual observations as the same event/artifact.

Hint

When one or more alarm policies are selected via the checkboxes, the Bulk Actions button can be used to apply the same configuration changes to all selected policies.

Adding custom notifications#

The Current Notifications section of the tray can be used to manage notification profiles for the selected policy.

To assign a new/additional notification profile to the alarm policy, do the following:

  1. Click the + button.

  2. In the secondary tray, use the dropdown to select the notification profile to assign (or click the + button to create a new profile).

  3. Customize notification behavior using the following settings:

    Frequency

    Specifies how often the actions defined in the notification profile are triggered (with any configured filters applied):
    - Each Observation - Actions are triggered every time observed traffic meets the conditions of the alarm policy, regardless of duration.
    - Rate - Actions are triggered every Nth event with the exact same criteria.
    - Each Event - Actions are triggered for every event (aggregated observations based on the policy’s Timeout setting) reported under the alarm policy.

    Notification Filter

    Allows event details (e.g., violators, devices, message contents) to be used as criteria to trigger or bypass notification actions.
    If no filters are specified, notification actions will be triggered for all observations and/or events under the alarm policy.

    Hint

    Use the Alarm Monitor page to drill down into the Policy > Event > Observations view to see which details should be applied as filters for notifications.

  4. Click Apply to assign the notification profile with the current settings.

An alarm policy can be assigned multiple notification profiles, which will be triggered based on the frequency setting and filters configured for each profile. The same notification profile can also be added multiple times using different frequency settings and filters.
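The interplay between a policy's Timeout setting and a notification profile's Frequency setting is easier to see in code. The following is an added example (not part of the Scrutinizer documentation or product) that groups constructed sample observations into events and counts how many times a notification profile would fire under each Frequency value. It assumes that the Timeout is measured from the most recent observation with the same criteria, that "exact same criteria" means the same violator/target pair, and that the Rate counter is applied after the notification filter; the product's own ordering may differ.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Observation:
    ts: int          # epoch seconds
    violator: str    # violating host
    target: str      # targeted host


# Constructed sample data: one violator hits one target in three separate bursts,
# and a second violator produces a single observation.
SAMPLE_OBSERVATIONS = [
    Observation(0, "10.0.0.5", "192.0.2.10"),
    Observation(50, "10.0.0.9", "192.0.2.20"),
    Observation(100, "10.0.0.5", "192.0.2.10"),
    Observation(200, "10.0.0.5", "192.0.2.10"),
    Observation(700, "10.0.0.5", "192.0.2.10"),
    Observation(900, "10.0.0.5", "192.0.2.10"),
    Observation(1300, "10.0.0.5", "192.0.2.10"),
]


def aggregate_events(observations, timeout):
    """Group observations with identical criteria (violator, target) into events.

    A new event is opened when more than `timeout` seconds have passed since the
    previous observation with the same criteria (assumption about the Timeout
    semantics). Each event records first_ts, last_ts and the number of hits.
    """
    events, open_event = [], {}
    for obs in sorted(observations, key=lambda o: o.ts):
        key = (obs.violator, obs.target)
        event = open_event.get(key)
        if event is None or obs.ts - event["last_ts"] > timeout:
            event = {"key": key, "first_ts": obs.ts, "last_ts": obs.ts, "hits": 0}
            events.append(event)
            open_event[key] = event
        event["last_ts"] = obs.ts
        event["hits"] += 1
    return events


def count_notifications(observations, timeout, frequency, rate_n=1, notify_filter=None):
    """Number of times a profile's actions fire for the given Frequency setting.

    notify_filter is an optional predicate over an event (the Notification Filter);
    events it rejects never trigger actions.
    """
    events = aggregate_events(observations, timeout)
    kept = [e for e in events if notify_filter is None or notify_filter(e)]
    if frequency == "Each Observation":
        return sum(e["hits"] for e in kept)          # every matching observation
    if frequency == "Each Event":
        return len(kept)                             # once per aggregated event
    if frequency == "Rate":
        seen, fired = Counter(), 0
        for e in kept:                               # every Nth event per criteria
            seen[e["key"]] += 1
            if seen[e["key"]] % rate_n == 0:
                fired += 1
        return fired
    raise ValueError(f"unknown frequency: {frequency}")


if __name__ == "__main__":
    for freq in ("Each Observation", "Each Event", "Rate"):
        print(freq, count_notifications(SAMPLE_OBSERVATIONS, 300, freq, rate_n=2))
```

With a 300-second Timeout the seven sample observations collapse into four events, so "Each Observation" fires seven times, "Each Event" four times, and "Rate" with N=2 only once (the second event for the 10.0.0.5 pair). Raising the Timeout merges bursts into fewer events and therefore fewer notifications, which is the lever to pull when a noisy policy floods a ticketing or paging integration.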

Hint

In the main view, the three-dot menu for alarm policies also includes shortcuts to create, inspect, or assign notification profiles for the policy.


Flow Analytics algorithms#

The Admin > Alarm Monitor > Flow Analytics Algorithms page can be used to enable/disable, inspect, or reconfigure individual FA algorithms.

The main view consists of a graph showing total duration of observations/detections and a table listing the following details and settings for each algorithm:

  • Status: Current state of the algorithm (green: Active, grey: Inactive)

  • Exporters: Number of exporters defined as inclusions for the algorithm

  • Groups: Number of security groups defined as inclusions for the algorithm

  • Exclusions: Number of exclusions (IP addresses, subnets, IP groups, etc.) defined for the algorithm

  • Policies: Number of alarm policies associated with the algorithm

Filters can be applied to quickly find specific algorithms, and the table can be exported for external use.

Algorithm configuration#

To view or make changes to the current settings of an FA algorithm, open the configuration tray by clicking on the algorithm.

Inclusions

When defining inclusions for an algorithm, exporters can be added individually or through security groups:

  1. Expand the Exporters or Security Groups section of the tray and click the edit (pencil) button.

  2. In the secondary tray, use the checkboxes to select the exporters or security groups to add to the inclusion list.

    Hint

    Use the search box/field to quickly find specific exporters or security groups.

  3. Close the trays to return to the main view.

Algorithm inclusion lists can be edited at any time. Exporters or security groups can also be removed by clicking the delete (trash bin) icon after expanding the corresponding section in the configuration tray.

Exclusions

To define traffic to be exempted from monitoring using a specific FA algorithm, add exclusions as follows:

  1. Expand the Exclusions section of the configuration tray, and then click the + button.

  2. In the secondary tray, use the dropdown to select the type of exclusion to add.

  3. Enter the details/criteria (based on the type) for the exclusion.

  4. Click the Apply button to save the exclusion.

  5. Repeat the steps as necessary to add all necessary exclusions.

Exclusions can be added or removed at any time. To delete an exclusion, click the delete (trash bin) icon after expanding the Exclusions section of the configuration tray.

Hint

Assign devices with similar Flow Analytics requirements to an IP group to quickly add them to any algorithm’s exclusion list using the Child Group exclusion type. The default DNS Servers, Public WiFi, Network Scanners, and SNMP Pollers IP groups are already defined as exclusions where necessary and only need to be populated after Scrutinizer is deployed.

Algorithm settings

To modify how an algorithm is applied to collected flow data, click Settings to access additional settings for the algorithm. After making desired changes, click Apply to save the new settings or Defaults to revert to default values.

For a full list of additional settings by algorithm, see this table.

Enabling/disabling algorithms

To optimize performance and resource utilization, FA algorithms that are not applicable to the current Scrutinizer environment can be disabled.

This is done using the enable/disable toggle in the configuration tray. The Admin > Settings > System Preferences view can also be used to disable algorithms with similar applications as part of predefined feature sets.

Bulk actions

When one or more algorithms are selected using the checkboxes, the following batch configuration actions can be accessed via the Bulk Actions button:

  • Adding sources/inclusions (exporters and/or security groups) to all selected algorithms

  • Disable or enable all selected algorithms

For further details on FA algorithms and configuration recommendations, see the configuration guide for Flow Analytics.


ML Dimensions#

The Admin > Alarm Monitor > ML Dimensions page is the management view for the feature dimensions covered by the Plixer ML Engine’s network behavior models.

Note

The ML Engine is part of the Plixer One Enterprise solution. Contact Plixer Technical Support to learn more.

The page’s main view/table lists the following details for all dimensions currently defined:

  • Status: Current state the dimension is set to (green: Enabled, grey: Disabled)

  • Protocol: Communication protocol

  • Port: Communication port

  • Internal Only: Option to interrogate only internal communications

  • Used For: Type of inclusion/source the dimension is applied to

  • Aggregation: Flow template field used for data aggregation

  • Grouped By: Flow template field used to group observed flow data

  • Created By: User ID of the dimension creator

  • Last Modified: Date and time the definition was last modified

Clicking on a dimension opens the details/settings tray, where the dimension can be enabled/disabled and configured to only apply to internal traffic.

Adding a new dimension

Additional feature dimensions can be defined from the ML Dimensions management view as follows:

  1. In the main view, click the + button to open the Add Dimension tray.

  2. Select which inclusion type the dimension should apply to (hosts/subnets or exporter interfaces).

  3. In the secondary tray, fill in the form with the following information:

    • A name for the dimension

    • Flow template field to use for grouping (can only be changed for host dimensions)

    • Aggregation method/field

    • Communication protocol to monitor

    • Port to monitor

  4. [Optional] To monitor only internal traffic for the dimension, toggle on Internal Only.

  5. [Optional] To add the dimension in a disabled state, use the Enabled toggle.

  6. Verify that the details and settings entered are correct and then click the Add button.

Once added, host dimensions (prefixed with CLIENT-) and exporter dimensions (prefixed with NET-) will be included in the main table/view. Settings for existing dimensions can be edited at any time by clicking on them to open the configuration tray.

Deleting dimensions

To delete feature dimensions, select one or more dimensions using the checkboxes in the list/table, and then select the Delete option in the bulk actions tray.

Alternatively, feature dimensions can be disabled (either individually or as a bulk action) and re-enabled later from the bulk actions tray if the definitions need to be retained for future use.

Note

The Bulk Actions button is only available when one or more items are selected in the main table/view.


ML Rules#

The Admin > Alarm Monitor > ML Rules page is the management view for inclusion and exclusion rules for the Plixer ML Engine.

Inclusions and exclusions are managed in separate subtabs.

Note

The ML Engine is part of the Plixer One Enterprise solution. Contact Plixer Technical Support to learn more.

Managing inclusion rules#

The Inclusions tab has two subviews, By Host and By Exporter, of which the By Host subview is displayed by default.

By Host subview

The By Host subview lists the following details for all current host/subnet inclusions:

  • Status: Current state the inclusion is set to (green: Enabled, grey: Disabled)

  • CIDR: CIDR number

  • # HOST(s): Number of hosts included in the subnet

  • Sensitivity: Sensitivity setting for the inclusion

  • Detections: Optional malware detections (green: Enabled, grey: Disabled)

  • Last Modified: Date and time the rule was last modified

By Exporter subview

The By Exporter subview (accessible via the dropdown) lists the following details for all current exporter interface inclusions:

  • Status: Current state the inclusion is set to (green: Enabled, grey: Disabled)

  • Sensitivity: Sensitivity setting for the inclusion

  • Last Modified: Date and time the rule was last modified

Adding an inclusion rule for a host or subnet#

Additional host inclusion rules can be defined from the By Host subview as follows:

  1. Click the add (+) button to open the Add ML Host tray.

  2. Enter the network address and select the appropriate netmask for the host/subnet to be added.

  3. Select the sensitivity setting for the inclusion.

  4. [Optional] Enable threat detection using pre-trained algorithms for the host/subnet with the Malware Detections toggle.

  5. [Optional] To add the inclusion rule in a disabled state, use the Enabled toggle.

  6. Click the Save button to save the rule configuration.

Once created, new host inclusion rules will be added to the list in the By Host subview under the network address specified. Settings for existing host inclusion rules can be modified at any time by clicking on the edit (pencil) icon in the details/configuration tray.

Adding an inclusion rule for an exporter interface#

Additional exporter inclusion rules can be defined from the By Exporter subview as follows:

  1. Click the add (+) button to open the Add ML Exporter tray.

  2. Select the exporter to add from the Network dropdown.

  3. Select the sensitivity setting for the inclusion.

  4. [Optional] To add the inclusion rule in a disabled state, use the Enabled toggle.

  5. Click the Save button to save the rule configuration.

Once created, new exporter inclusion rules will be added to the list in the By Exporter subview under the exporter interface specified. Settings for existing exporter inclusion rules can be modified at any time by clicking on the edit (pencil) icon in the details/configuration tray.

Deleting inclusion rules#

Inclusion rules can be deleted from either subview by selecting one or more rules in the list/table, and then selecting the Delete option in the bulk actions tray. Alternatively, inclusion rules can instead be disabled (either individually or as a bulk action) to retain the definitions.

Note

The Bulk Actions button is only available when one or more items are selected in the main table/view.

Managing exclusion rules#

The Exclusions tab lists the following details for all current exclusion rules:

  • Source: Source address

  • Host(s): Hosts included in the source address

  • Destination: Destination address

  • Host(s): Hosts included in the destination address

  • Detections: Number of detections ignored for the rule

  • Last modified: Date and time the rule was last modified

Adding an exclusion rule

An exclusion rule can be defined from the Exclusions tab as follows:

  1. Click the add (+) button to open the Add Exclusion tray.

  2. Configure the source network address.

  3. Configure the destination network address.

  4. Under Detections, select the detections that should be ignored for the specified traffic.

  5. Click the Save button to save the rule configuration.

Once created, new exclusion rules will be added to the list in the main view of the Exclusions tab. Settings for existing exclusion rules can be modified at any time by clicking on the edit (pencil) icon in the details/configuration tray.

Note

0.0.0.0/0 can be used as the source or the destination to exempt all incoming/outgoing traffic to/from the paired address from the selected ML detections.
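The following is an added example (not part of the Scrutinizer documentation or product) of how source/destination exclusion rules of this shape evaluate against a flow. It assumes that a rule is directional (source network to destination network), that 0.0.0.0/0 acts as a wildcard on whichever side it is used, and that a rule only suppresses the detections listed on it; the rule set and detection names are constructed. The last function flags rules that silence a detection for all traffic in both directions, which is the configuration a reviewer should look for when a detection has gone quiet.

```python
import ipaddress

# Constructed sample rules: suppress beaconing/tunneling detections for traffic
# leaving 10.0.0.0/24, and port-scan detections for anything reaching 192.0.2.10.
SAMPLE_RULES = [
    {"source": "10.0.0.0/24", "destination": "0.0.0.0/0",
     "detections": {"beaconing", "dns_tunneling"}},
    {"source": "0.0.0.0/0", "destination": "192.0.2.10/32",
     "detections": {"port_scan"}},
]


def compile_rules(rules):
    """Turn textual rules into (src_net, dst_net, detections) tuples."""
    return [
        (ipaddress.ip_network(r["source"], strict=False),
         ipaddress.ip_network(r["destination"], strict=False),
         frozenset(r["detections"]))
        for r in rules
    ]


def is_excluded(src, dst, detection, rules):
    """True when some rule covers this detection for traffic from src to dst.

    Matching is directional: a rule written as 10.0.0.0/24 -> 0.0.0.0/0 exempts
    outgoing traffic from that subnet, not replies coming back to it.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for src_net, dst_net, detections in compile_rules(rules):
        # `in` is False for mixed IPv4/IPv6, so a v6 flow never matches a v4 wildcard
        if detection in detections and s in src_net and d in dst_net:
            return True
    return False


def host_count(cidr):
    """Number of addresses covered by a rule side (the Host(s) column)."""
    return ipaddress.ip_network(cidr, strict=False).num_addresses


def blanket_rules(rules):
    """Rules that use the wildcard on both sides: they silence their detections
    for every flow and deserve a second look during a review."""
    return [r for r in rules
            if host_count(r["source"]) == 2 ** 32 and host_count(r["destination"]) == 2 ** 32]


if __name__ == "__main__":
    print(is_excluded("10.0.0.7", "198.51.100.8", "beaconing", SAMPLE_RULES))   # True
    print(is_excluded("198.51.100.8", "10.0.0.7", "beaconing", SAMPLE_RULES))   # False
    print(blanket_rules(SAMPLE_RULES))                                          # []
```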

Deleting exclusion rules

Exclusion rules can be deleted from the main Exclusions list/table by selecting one or more rules, and then selecting the Delete option in the bulk actions tray.

Alternatively, exclusion rules can instead be disabled (either individually or as a bulk action) to retain the definitions.

Note

The Bulk Actions button is only available when one or more items are selected in the main table/view.


Notification profiles#

The Admin > Alarm Monitor > Notification Profiles page can be used to add, edit, and manage notification profiles, which can be used to add custom notifications to alarm policies.

Once created, a notification profile can be assigned to one or more alarm policies from the Admin > Alarm Monitor > Alarm Policies page. All notification actions defined in the profile will automatically be triggered whenever the policy is violated.

Note

Notification actions are only triggered if the alarm policy it’s assigned to is set to Active or Store. The FA algorithm associated with the policy must also be enabled.

Creating a notification profile#

To create a new notification profile, click the + button, enter a name (can be changed later) for it in the provided field, and click the Save button.

Hint

The notification profile management page can also be accessed directly from the tray when configuring notifications for an alarm policy.

Once saved, the profile will be added to the main view list and can be further configured.

Adding notification actions to a profile

To add notification actions to an existing profile, follow these steps:

  1. Click the name of a notification profile to open the configuration tray.

  2. Expand the Actions section of the tray and click the + button.

  3. Use the dropdown to select the type of action to add.

  4. Enter the additional details (based on the action type) in the provided fields.

    Hint

    Use the listed variables to include additional details in notification messages or as arguments in custom scripts.

  5. Use the Test button to verify that the action functions as intended.

  6. Click the Add button to save the action to the notification profile.

To define additional actions in the same profile, repeat the steps as needed. Each notification profile can be configured with any number of actions in any combination.

Hint

To add notifications for custom report thresholds, set up a notification profile and assign it to the Report Threshold Violation alarm policy via the Admin > Alarm Monitor > Alarm Policies page.

Bulk actions

When one or more profiles are selected using the checkboxes in the main view, an action can be added to all selected profiles via the Bulk Actions button.

Notification profiles can also be deleted this way.

Notification actions#

Each notification profile can be configured with any number of notification actions, all of which will be triggered when the associated alarm policy is violated.

Hint

Notification profiles can include multiple configurations of the same notification action type.

Email

The email notification action can be used to automatically send email alerts when events are reported under the associated alarm policy.

Important

To configure email notifications and email reports, an email server must first be set up under Admin > Integrations > Email Server.

To add an email notification to a notification profile, follow these steps:

  1. Click the notification profile to open the configuration tray.

  2. Under Actions, click the + button.

  3. In the secondary tray, select Email from the action type dropdown.

  4. Enter one or more recipient email addresses (comma-separated) in the To field.

  5. Enter a subject to use in the emails in the Subject field.

  6. [Optional] Enter a custom email notification message in the Message field.

    Hint

    The default %m variable in the message field passes the raw event message generated by the alarm policy triggering the notification. This can be replaced with a custom message using any of the variables supported by the policy.

  7. Click the Add button to save the action configuration to the profile.

Once added, the email notification will be triggered following the alarm policy’s settings for the notification profile.

Note

All emails sent by Scrutinizer, such as alarm notifications and scheduled email reports, will be shown as coming from the address configured in Admin > Settings > Email Server.

Logfile

The logfile notification action saves event details to a specified logfile, which can be used for external tracking, investigation, and archival.

Note

Logfiles are saved to /home/plixer/scrutinizer/files/logs.

To add a logfile action to a notification profile, follow these steps:

  1. Click the notification profile to open the configuration tray.

  2. Under Actions, click the + button.

  3. In the secondary tray, select Logfile from the action type dropdown.

  4. In the File Name field, enter the name of the file to save the logs to.

    Important

    Do not include the path when entering the logfile name.

  5. [Optional] Enter a custom log message in the Message field.

    Hint

    The default %m variable in the message field passes the raw event message generated by the alarm policy triggering the notification. This can be replaced with a custom message using any of the variables supported by the policy.

  6. Click the Add button to save the action configuration to the profile.

Once added, the logfile notification will be triggered following the alarm policy’s settings for the notification profile.

Syslog

The syslog notification action can be used to send syslog messages containing event details to a specified logging server.

To add a syslog notification to a notification profile, follow these steps:

  1. Click the notification profile to open the configuration tray.

  2. Under Actions, click the + button.

  3. In the secondary tray, select Syslog from the action type dropdown.

  4. Enter the IP address or hostname of the destination logging server in the Host field.

  5. Enter the UDP port to use on the destination logging server in the UDP Port field.

  6. Use the dropdowns to select the severity level and type/facility code to assign to the syslog message.

  7. [Optional] Enter a custom log message in the Message field.

    Hint

    The default %m variable in the message field passes the raw event message generated by the alarm policy triggering the notification. This can be replaced with a custom message using any of the variables supported by the policy.

  8. Click the Add button to save the action configuration to the profile.

Once added, the syslog notification will be triggered following the alarm policy’s settings for the notification profile.

Syslog priority levels

Scrutinizer uses the following keyword mappings to assign a priority level to a syslog notification message:

Keyword    Priority Level
emerg      0
alert      1
crit       2
err        3
warning    4
notice     5
info       6
debug      7

Types/facility codes

Scrutinizer supports the following keyword mappings for assigning facility codes to syslog notification messages:

Keyword           Facility Code
auth              4
authpriv          10
cron              9
daemon            3
ftp               11
kern              0
lpr               6
mail              2
news              7
syslog            5
user              1
uucp              8
local0 - local7   16 - 23
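The severity level and facility code selected for a syslog action are combined by the syslog protocol into a single PRI value (facility × 8 + severity), which is what the receiving server uses to route and filter the message. The following is an added example (not part of the Scrutinizer documentation or product) that applies the two keyword tables above to compute and decode that value and to build and parse a BSD-style syslog line; the line layout is the RFC 3164 form and is an assumption, since the page does not specify the exact wire format Scrutinizer emits.

```python
import re
from datetime import datetime

# Keyword tables from the page.
SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
            "warning": 4, "notice": 5, "info": 6, "debug": 7}
FACILITY = {"auth": 4, "authpriv": 10, "cron": 9, "daemon": 3, "ftp": 11,
            "kern": 0, "lpr": 6, "mail": 2, "news": 7, "syslog": 5,
            "user": 1, "uucp": 8, **{f"local{i}": 16 + i for i in range(8)}}
SEVERITY_BY_VALUE = {v: k for k, v in SEVERITY.items()}
FACILITY_BY_VALUE = {v: k for k, v in FACILITY.items()}


def priority_value(facility, severity):
    """PRI as defined by RFC 3164/5424: facility code * 8 + severity level."""
    return FACILITY[facility] * 8 + SEVERITY[severity]


def decode_priority(pri):
    """Inverse of priority_value: (facility keyword, severity keyword)."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return FACILITY_BY_VALUE[pri // 8], SEVERITY_BY_VALUE[pri % 8]


def build_syslog_line(facility, severity, hostname, tag, message, when):
    """BSD-style line: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG: MESSAGE (assumed layout)."""
    timestamp = f"{when.strftime('%b')} {when.day:2d} {when.strftime('%H:%M:%S')}"
    return f"<{priority_value(facility, severity)}>{timestamp} {hostname} {tag}: {message}"


_LINE_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)


def parse_syslog_line(line):
    """Split a received line into PRI components and body, rejecting malformed PRI."""
    match = _LINE_RE.match(line)
    if not match:
        raise ValueError("syslog line does not start with a <PRI> field")
    pri = int(match.group(1))
    facility, severity = decode_priority(pri)
    return {"pri": pri, "facility": facility, "severity": severity, "body": match.group(2)}


# Constructed sample line: a local0/warning notification carrying the raw policy message.
SAMPLE_LINE = build_syslog_line("local0", "warning", "scrutinizer", "alarm",
                                "example policy message", datetime(2024, 1, 1, 3, 4, 5))

if __name__ == "__main__":
    print(SAMPLE_LINE)                 # <132>Jan  1 03:04:05 scrutinizer alarm: example policy message
    print(parse_syslog_line(SAMPLE_LINE))
```

On the receiving side, filtering on the decoded facility (for example local0 through local7, which are reserved for site-specific use) is the usual way to route Scrutinizer notifications to their own log file or SIEM parser without mixing them into the host's system messages.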

SNMP trap

The SNMP trap notification action can be used to automatically create SNMP traps to send event details to a specified SNMP manager.

To add an SNMP trap action to a notification profile, follow these steps:

  1. Click the notification profile to open the configuration tray.

  2. Under Actions, click the + button.

  3. In the secondary tray, select SnmpTrap from the action type dropdown.

  4. Using the provided fields, enter the following details for the trap:

    • The IP address or hostname of the destination Host

    • The UDP Port to use on the destination host (default: 162)

    • The Community String to use for authentication on the destination host

  5. [Optional] Enter a custom message in the Message field.

    Hint

    The default variables in the message field will pass the basic event details, as well as the raw event message generated by the alarm policy. This can be replaced with a custom message as long as the variables used are supported by the policy.

  6. Click the Add button to save the action configuration to the profile.

Once added, the SNMP trap action will be triggered following the alarm policy’s settings for the notification profile.

Script

Script notifications allow for more advanced alerts through the use of custom scripts. They can be used to run virtually any scriptable action(s) when the notification profile is triggered by the associated policy.

Hint

Additional configuration steps are required to set up script notifications, but they allow for the most flexibility and sophistication among the different notification action types.

To add a script action to a notification profile, follow these steps:

  1. Click the notification profile to open the configuration tray.

  2. Under Actions, click the + button.

  3. In the secondary tray, select Script from the action type dropdown.

  4. Enter the name of the script file to run in the Script field.

  5. [Optional] Enter any variables or strings to use as arguments in the Command Line Arguments field.

    Hint

    The default %m variable in the arguments field passes the raw event message generated by the alarm policy triggering the notification. This can be replaced with any other strings or variables supported by the policy.

  6. Click the Add button to save the action configuration to the profile.

Once added, the script action will be triggered following the alarm policy’s settings for the notification profile.

Additional notes

  • Only script files saved to /home/plixer/scrutinizer/files can be run as notification actions.

  • When adding variables and strings to the arguments field, use quotation marks ("") to enclose terms that should be passed as a single argument.

  • Script files must be assigned the appropriate permissions to be run.

    Note

    When setting a script notification action, using the Test button runs the script as the webapp user. When the notification profile is triggered by an alarm policy, Scrutinizer will run the script as the plixer user.

Auto-acknowledge

The auto-acknowledge notification action can be used to automatically acknowledge events for any specified alarm policy (including the policy triggering the action).

To add an auto-acknowledge action to a notification profile, follow these steps:

  1. Click the notification profile to open the configuration tray.

  2. Under Actions, click the + button.

  3. In the secondary tray, select Auto Acknowledge from the action type dropdown.

  4. Select the policy to automatically acknowledge from the second dropdown.

  5. Click the Add button to save the action configuration to the profile.

Once added, the auto-acknowledge action will be triggered following the alarm policy’s settings for the notification profile.

ServiceNow - Ticket

The ServiceNow notification action can be used to automatically create tickets for a specified ServiceNow instance when the notification profile is triggered.

Important

Before configuring ServiceNow notification actions, set up at least one ServiceNow instance via Admin > Integrations > ServiceNow. For further details, see the section on ServiceNow integration.

To add a ServiceNow notification to a notification profile, follow these steps:

  1. Click the notification profile to open the configuration tray.

  2. Under Actions, click the + button.

  3. In the secondary tray, select ServiceNow from the action type dropdown.

  4. Use the dropdown to select the ServiceNow instance to create the ticket for.

  5. Under Short Description, enter a message to use in the ticket’s Short Description field.

  6. Under Description, enter a message to use in the ticket’s Description field.

    Note

    Any variables included in either description field will pass their values when the corresponding fields in the ticket are populated. The raw event message generated by the policy triggering the notification can also still be sent using the %m variable.

  7. Use the dropdowns to select urgency and impact levels for the ticket.

  8. [Optional] Use the API JSON field to send alternate/additional details in the API call by either re-defining any of the default keys used or defining additional keys to include.

    Hint

    When keys matching the defaults sent with API calls are defined in the API JSON field, the new values will overwrite the defaults. Any new keys defined will be appended to the API call.

  9. Click the Add button to save the action configuration to the profile.

Once added, the ServiceNow notification will be triggered following the alarm policy’s settings for the notification profile.

Important

To be able to fully populate all corresponding fields in the ServiceNow ticket, the user configured for the selected instance must be provisioned with the sn_incident_write permission.

Sample JSON key definition

Key definitions in the API JSON field should use the following format:

{
   "extra_data":"my data: %m"
}

CEF

The CEF notification action uses CEF (Common Event Format) syslog messages to forward alarm/event details to external applications.

To add a CEF notification to a notification profile, follow these steps:

  1. Click the notification profile to open the configuration tray.

  2. Under Actions, click the + button.

  3. In the secondary tray, select CEF from the action type dropdown.

  4. Enter the IP address or hostname of the host to send the CEF syslog message to.

  5. Enter the UDP port to use on the destination host.

  6. Click the Add button to save the action configuration to the profile.

Once added, the CEF notification will be triggered following the alarm policy’s settings for the notification profile.

CEF message mapping

The standard CEF message format is:

CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension

Prefix keys

The first seven keys of the CEF message (the prefix) use the following mappings across all alarm policies:

Key              Value
Version          1
Device Vendor    Plixer
Device Product   Scrutinizer
Device Version   ${SCRUTINIZER_VERSION}
Signature ID     ${EVENT_POLICY_LANGKEY}
Name             ${EVENT_POLICY_NAME}
Severity         ${EVENT_SEVERITY_AS_INTEGER}

Extension keys

Because the CEF message is automatically generated using the event message of the alarm policy violated, the extension keys included will vary based on what details/fields are reported under the policy.

The following table lists all mappings that may be used for event details in the CEF message:

CEF Key   Event Key
app       app_proto
cnt       hits
dpt       dst_port
dst       target
duser     target_username
dvc       devices
end       last_ts
proto     protocol
spt       src_port
src       violator
start     first_ts
suser     violator_username

Note

By default, Scrutinizer maps the dst and src CEF keys to the target and violator event keys that are exclusive to Scrutinizer’s Report Threshold Violation alarm policy. These are not the same as the general targets and violators keys that are common to all events; the mapping supports a specific use case for report thresholds.

Sample CEF message sent by Scrutinizer:

CEF:1|Plixer|Scrutinizer|${SCRUTINIZER_VERSION}|${EVENT_POLICY_LANGKEY}|${EVENT_POLICY_NAME}|${EVENT_SEVERITY_AS_INTEGER}|dvc=${EVENT_DEVICES} start=${EVENT_FIRST_TS} end=${EVENT_LAST_TS} cnt=${EVENT_HITS}

To learn more about the customization of Scrutinizer CEF key mappings, contact Plixer Technical Support.
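Anyone receiving these messages in a SIEM or a custom collector needs to split the seven prefix fields and the extension pairs correctly, including the CEF escape sequences (a backslash before a pipe in prefix fields and before an equals sign in extension values) and extension values that contain spaces. The following is an added example (not part of the Scrutinizer documentation or product) that parses a message of the shape shown above and translates the extension keys back to Scrutinizer event keys using the mapping table; the sample message, its version string and signature ID are constructed, and the msg extension key is a standard CEF key that the page's table does not cover.

```python
import re

# CEF extension key -> Scrutinizer event key, from the mapping table on this page.
CEF_TO_EVENT = {
    "app": "app_proto", "cnt": "hits", "dpt": "dst_port", "dst": "target",
    "duser": "target_username", "dvc": "devices", "end": "last_ts",
    "proto": "protocol", "spt": "src_port", "src": "violator",
    "start": "first_ts", "suser": "violator_username",
}
PREFIX_FIELDS = ("cef_version", "device_vendor", "device_product",
                 "device_version", "signature_id", "name", "severity")

# Constructed sample: the prefix carries an escaped pipe, the extension an escaped
# equals sign and a value with spaces. Version and signature ID are placeholders.
SAMPLE_CEF = (
    "CEF:1|Plixer|Scrutinizer|0.0.0-example|reportThresholdExample|"
    "Report Threshold \\| exceeded|8|"
    "dvc=10.1.1.1 start=1700000000 end=1700000300 cnt=5 "
    "src=10.0.0.5 dst=192.0.2.10 msg=rate\\=high over limit"
)


def _split_prefix(message):
    """Return the seven prefix fields and the remaining extension string.

    Pipes are field separators unless preceded by a backslash; a backslash
    before a backslash or a pipe is an escape and is dropped.
    """
    fields, current, i = [], [], 0
    while i < len(message) and len(fields) < 7:
        ch = message[i]
        if ch == "\\" and i + 1 < len(message) and message[i + 1] in "|\\":
            current.append(message[i + 1])
            i += 2
        elif ch == "|":
            fields.append("".join(current))
            current = []
            i += 1
        else:
            current.append(ch)
            i += 1
    if len(fields) != 7:
        raise ValueError("CEF prefix must contain seven pipe-delimited fields")
    return fields, message[i:]


# An extension key is a run of key characters followed by '=' at the start of the
# extension or after whitespace; everything up to the next such key is the value.
_EXT_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")


def _parse_extension(extension):
    matches = list(_EXT_KEY_RE.finditer(extension))
    pairs = {}
    for idx, match in enumerate(matches):
        value_start = match.end()
        value_end = matches[idx + 1].start() if idx + 1 < len(matches) else len(extension)
        raw = extension[value_start:value_end].strip()
        pairs[match.group(1)] = raw.replace("\\=", "=").replace("\\\\", "\\")
    return pairs


def parse_cef(message):
    """Parse a CEF line into prefix fields, raw extension pairs and event keys."""
    if not message.startswith("CEF:"):
        raise ValueError("not a CEF message")
    fields, extension = _split_prefix(message)
    prefix = dict(zip(PREFIX_FIELDS, fields))
    prefix["cef_version"] = prefix["cef_version"][len("CEF:"):]
    prefix["severity"] = int(prefix["severity"])       # ${EVENT_SEVERITY_AS_INTEGER}
    ext = _parse_extension(extension)
    # Unmapped keys (such as msg) are kept under their CEF name.
    event = {CEF_TO_EVENT.get(key, key): value for key, value in ext.items()}
    return {"prefix": prefix, "extension": ext, "event": event}


if __name__ == "__main__":
    record = parse_cef(SAMPLE_CEF)
    print(record["prefix"])
    print(record["event"])
```

Because dst and src map to the Report Threshold Violation policy's own target and violator keys, a collector that expects the general targets/violators of other policies should not assume those two extension keys are present on every message; the event dictionary above simply carries whatever keys the policy emitted.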

Variables in notifications#

When defining a notification action, the message sent can be customized to include additional event details passed through variables.

Note

The default %m variable used in notification messages will pass the event message generated by the alarm policy triggering the notification. Message formats by policy can be viewed via the policy management page.

The following table lists the variables available for use in notification messages or custom scripts:

  • %m: Event message generated by the alarm policy triggering the notification

  • %pol: Alarm policy violated to trigger the notification

  • %v: IP address(es) of violating host(s) reported in the event

  • %url: URL to the relevant saved report (only available for the Report Threshold Violation alarm policy)

  • %h: IP address of the host (i.e., Scrutinizer server/reporter) sending the notification

  • %v_resolved: Resolved hostnames of violator addresses

  • %id: The log identifier for the event that triggered the notification

  • %h_resolved: Resolved hostname of the address sending the notification

  • %violator_users: Username(s) associated with violating host(s)

  • %time: Timestamp of the event/violation that triggered the notification

  • %p: Protocol used in the violation, if applicable

  • %t: IP addresses of the host(s) targeted in the violation, if applicable

  • %tactic_id: MITRE ATT&CK framework ID of the tactic under which the violation is classified

  • %tactic_name: MITRE ATT&CK tactic under which the violation is classified

  • %target_users: Username(s) associated with targeted host(s)

  • %technique_id: MITRE ATT&CK framework ID of the technique associated with the violation

  • %technique_name: MITRE ATT&CK technique associated with the violation

  • %category: Alarm policy category of the violated policy


Security groups#

The Admin > Alarm Monitor > Security Groups page can be used to create, edit, and manage security groups, which allow similar devices to be quickly added to FA algorithm inclusion lists.

Once an FA algorithm is added to a security group, it is enabled for all exporters assigned to that group. Changes to group membership are also automatically applied to the inclusion lists of associated algorithms.

Hint

The default Firewalls, Core Exporters, Edge Exporters, and Defender Probes security groups are predefined as inclusions for the recommended FA algorithms and need only be populated with the specified device type.

New security groups can be added by clicking the + button in the main view. Membership and enabled algorithms for existing groups can be edited at any time.

Adding exporters to a security group#

To add exporters to an existing security group, follow these steps:

  1. Click the security group to open the configuration tray.

  2. Expand the Active Exporters section of the tray and click the Add button.

    Hint

    To remove an exporter from the group, click the Delete icon in the list.

  3. In the secondary tray, use the checkboxes to select the exporters to add.

  4. Click the Add button to assign all selected exporters to the group.

Any algorithms enabled for the security group will automatically be enabled for the new exporters added.

Hint

To add exporters to multiple security groups, select the groups in the main view and click the Bulk Actions button.

Enabling algorithms for a security group#

To enable FA algorithms for an existing security group, follow these steps:

  1. Click the security group to open the configuration tray.

  2. Expand the Algorithms section of the tray and click the Add button.

    Hint

    To disable an algorithm for the group, click the Delete icon in the list.

  3. In the secondary tray, use the checkboxes to select the algorithms to enable.

  4. Click the Add button to enable all selected algorithms for the group.

New algorithms added will automatically be enabled for all exporters in the security group.

Hint

To enable algorithms for multiple security groups, select the groups in the main view and click the Bulk Actions button.