Alarms and events
Scrutinizer uses various technologies to recognize patterns in system activity and network traffic that may be of interest to NetOps and SecOps teams. These patterns are then reported as events via the Alarm Monitor views.
Combined, the Alarm Monitor interface and Scrutinizer’s library of alarm policies allow for a highly configurable and comprehensive reporting interface that offers deep observability into an organization’s network.
Alarm life cycle
Scrutinizer automatically manages alarm and event data based on the following life cycle:
1. Scrutinizer continuously monitors its environment for observations of system activity or network traffic that match preconfigured criteria.
2. Observations are aggregated and reported/managed as an event based on the alarm policy associated with the identified criteria.
3. The details of the event are reviewed under the corresponding alarm policy via the Alarm Monitor interface.
4. After investigation and/or resolution, the event is flagged as acknowledged by a user to clear it from all Alarm Monitor views.
5. Event data remains accessible for further review, subject to the configured retention settings.
Global retention settings
The following global settings in the Admin > Settings > Data History tray can be used to change how the alarm and event data are managed:

| Setting | Description |
|---|---|
| Alarm Retention Days | Sets the maximum number of days alarm and event data is retained before being deleted from the system |
| Alarm Retention Size | Sets the maximum amount of disk space that can be used for alarm and event data storage |
| Auto-Acknowledge Alarms | Sets the number of days before events are automatically tagged as Acknowledged |
Note
The alarm retention settings control automatic data deletion for both acknowledged and unacknowledged events; acknowledging an event does not exempt it from deletion.
Alarm Policy settings
Individual alarm policy settings allow granular customization of what, when, and how alarms/events are reported.
The following settings can be accessed from the Admin > Alarm Monitor > Alarm Policies view:
- Status
  Sets the policy to one of three states:

  | Setting | Generates Events | Alarm Monitor | Stored in Database | Notifications by Profile(s) |
  |---|---|---|---|---|
  | Active | Yes | Yes | Yes | Yes |
  | Store | Yes | No | Yes | Yes |
  | Inactive | No | No | No | No |
Hint
Setting nonessential policies to Store or Inactive can filter out events that do not require visibility. This can reduce the number of alarms being reported (and stored) in the Alarm Monitor views.
- Weight
  Assigns each event/violation under a policy a numerical weight used to calculate the severity reported in the Alarm Monitor views
- Event timeout
  Sets the number of seconds the system will wait for further observations meeting the same criteria before closing the event; observations arriving within the timeout are aggregated into a single event
Refer to this section of the documentation for further information on individual alarm policies, including default timeout settings.
Alarm notifications
Alarms/events in Scrutinizer can also be configured to trigger one or more notification actions when they are generated/observed.
Notification Profiles
Notification actions are assigned to individual alarm policies by way of notification profiles, each of which can be configured with one or more actions.
Note
Notification profiles can be used in conjunction with the Store alarm policy status to acknowledge, forward, and/or store the details of an event without them being reported in the Alarm Monitor views. An alarm policy can only be assigned one notification profile at a time.
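The life cycle, the Status table, the Weight and Event timeout settings, the Store-plus-notification-profile combination described in the note above, and the global Auto-Acknowledge Alarms and Alarm Retention Days settings all interact on one event. The following Python model is an added illustration, not Plixer's code: Scrutinizer's internal logic is not published on this page, so the rules below are simplified assumptions that follow the page's wording. Assumed details are that observations are aggregated per policy and per offending host, that severity is the summed weight of the violations in an event, that a notification profile fires once per newly opened event, and that Alarm Retention Size is not modelled; the policy and profile names are made up.

```python
"""Added model of the alarm life cycle on this page (not Plixer's code).

Simplified assumptions following the page's wording: Status table,
Weight, Event timeout, Auto-Acknowledge Alarms, Alarm Retention Days.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

DAY = 86400  # seconds

# Disposition per policy status, copied from the Status table:
# (generates events, shown in Alarm Monitor, stored in database, notifications by profile)
STATUS_TABLE = {
    "Active":   (True,  True,  True,  True),
    "Store":    (True,  False, True,  True),
    "Inactive": (False, False, False, False),
}

@dataclass
class AlarmPolicy:
    name: str
    status: str                                 # "Active" | "Store" | "Inactive"
    weight: int                                 # weight of each violation for severity
    timeout_s: int                              # event timeout (aggregation window)
    notification_profile: Optional[str] = None  # at most one profile per policy

@dataclass
class Event:
    policy: str
    key: str          # aggregation key; assumed here to be the offending host
    first_seen: float
    last_seen: float
    violations: int = 1
    acknowledged: bool = False

    def severity(self, policy: AlarmPolicy) -> int:
        # Assumption: reported severity is the summed weight of all violations.
        return self.violations * policy.weight

class AlarmMonitor:
    def __init__(self, policies: List[AlarmPolicy], retention_days: int, auto_ack_days: int):
        self.policies = {p.name: p for p in policies}
        self.retention_days = retention_days
        self.auto_ack_days = auto_ack_days
        self.events: List[Event] = []
        self.notifications: List[Tuple[str, str, str]] = []  # (profile, policy, key)

    def observe(self, policy_name: str, key: str, ts: float) -> Optional[Event]:
        """Handle one observation matching a policy's criteria at time ts."""
        policy = self.policies[policy_name]
        generates, _shown, stored, notify = STATUS_TABLE[policy.status]
        if not generates:
            return None  # Inactive: the observation is dropped entirely
        # Extend the most recent open event for the same policy and key when this
        # observation arrives within the policy's event timeout; else open a new one.
        for ev in reversed(self.events):
            if (ev.policy == policy_name and ev.key == key
                    and ts - ev.last_seen <= policy.timeout_s):
                ev.last_seen = ts
                ev.violations += 1
                return ev
        ev = Event(policy_name, key, ts, ts)
        if stored:
            self.events.append(ev)
        if notify and policy.notification_profile:
            # Assumption: notification actions fire once per newly opened event.
            self.notifications.append((policy.notification_profile, policy_name, key))
        return ev

    def visible(self) -> List[Event]:
        """Events reported in the Alarm Monitor views: unacknowledged, Active policies only."""
        return [e for e in self.events
                if not e.acknowledged and STATUS_TABLE[self.policies[e.policy].status][1]]

    def housekeeping(self, now: float) -> None:
        """Apply Auto-Acknowledge Alarms, then Alarm Retention Days (ack state is irrelevant)."""
        for e in self.events:
            if now - e.last_seen >= self.auto_ack_days * DAY:
                e.acknowledged = True
        self.events = [e for e in self.events
                       if now - e.last_seen < self.retention_days * DAY]

def demo() -> AlarmMonitor:
    """Constructed scenario: four scan hits from one host (three inside one 300 s
    window), one Store-only event and one observation against an Inactive policy."""
    policies = [
        AlarmPolicy("Scan Detection", "Active", weight=5, timeout_s=300,
                    notification_profile="soc-email"),   # hypothetical names
        AlarmPolicy("Long Flow", "Store", weight=1, timeout_s=60),
        AlarmPolicy("Unused Policy", "Inactive", weight=1, timeout_s=60),
    ]
    mon = AlarmMonitor(policies, retention_days=30, auto_ack_days=7)
    t0 = 1_700_000_000.0
    for dt in (0, 30, 120, 120 + 301):  # the last hit falls outside the 300 s timeout
        mon.observe("Scan Detection", "10.0.0.5", t0 + dt)
    mon.observe("Long Flow", "10.0.0.9", t0)
    mon.observe("Unused Policy", "10.0.0.9", t0)
    return mon
```

Running `demo()` yields three stored events: the first scan event with three violations (severity 15), a second scan event opened because the fourth hit arrived 301 s after the previous one, and the Long Flow event, which is stored but not returned by `visible()`. The Inactive policy produces nothing. Calling `housekeeping()` eight days later auto-acknowledges everything, emptying the monitor views while the rows remain in the database; at 31 days the retention limit deletes them whether or not they were acknowledged.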
Flow Analytics
Scrutinizer uses a collection of Flow Analytics (FA) algorithms to monitor collected flow data for specific traffic patterns and/or behavior typically associated with threats to a network.
Because FA algorithms rely on associated alarm policies for reporting, the initial configuration and regular tuning of FA-based functions are integral to optimizing alarms and events.
For additional information, see the Flow Analytics configuration guide.
Optimizing alarms
When correctly configured, the Scrutinizer Alarm Monitor is capable of reporting information that is accurate, relevant, and uniquely tailored to the organization or team using it.
To achieve this, the following configuration steps related to alarms and events should be completed as part of deploying Scrutinizer.
1. Navigate to the Admin > Settings > Data History tray and adjust the Alarm Retention Days, Alarm Retention Size, and Auto-Acknowledge Alarms values as needed.
2. In the Admin > Settings > Alarm Notifications tray, verify that the alarm notifications options are correctly configured.
3. Go to the Admin > Alarm Monitor > Notification Profiles page and create notification profiles to enable additional notification channels.
4. Go to the Admin > Alarm Monitor > Alarm Policies page and:
   - Set the status of any alarm policies that are unnecessary or irrelevant to the environment to Inactive (must be done as a bulk action after selecting at least one policy).
   - Set the status of alarm policies whose events should be monitored but not reported in the Alarm Monitor views to Store (must be done as a bulk action after selecting at least one policy).
   - Assign the appropriate notification profiles to any alarm policies that require them.

   Note
   The Timeout and Weight values of an alarm policy can be adjusted at a later time, after evaluating the reporting behavior of events under it.
5. Follow the Flow Analytics configuration guide to correctly set up FA-based functions and features.
6. Follow the Plixer ML Engine configuration guide to correctly set up machine-learning-based functions and features.
After the initial setup has been completed, it is highly recommended to continue to evaluate alarm and event reporting behavior and make further adjustments to the various elements’ configurations as necessary.