Alarm policies¶
The Admin > Alarm Monitor > Alarm Policies page can be used to enable/disable, inspect, or reconfigure individual alarm policies.
Hint
For detailed information about individual alarm policies, refer to this section of the documentation.
The main view lists the following details and settings for each policy:
Column | Description
Status | Current state the policy is set to (green: Active, blue: Store, grey: Inactive)
Flow Analytics Algorithm | FA algorithm driving detections for the policy
Category | Type/nature of detections reported under the policy
Violations | Current number of active violations of the policy
Exporters | Number of exporters defined as inclusions for the associated FA algorithm
Timeout | Amount of time (in seconds) that must pass before the next observed violation is counted as a new event
Weight | Value used to calculate severity when violations are reported in the Alarm Monitor views
Filters can be applied to quickly find specific policies, and the table can be exported for external use.
Modifying policy settings¶
To view additional details (including message format, variables, and event/artifact criteria) about an alarm policy or make changes to its configuration, open the configuration tray by clicking on the policy.
In the Information & Settings section of the tray, click the Edit (pencil) icon to modify any of the following settings:
Weight
Timeout
Status
The secondary tray also shows the message format for reporting violations and lists all message variables used. It also contains the exact criteria used for aggregating individual observations as the same event/artifact.
Hint
When one or more alarm policies are selected via the checkboxes, the Bulk Actions button can be used to apply the same configuration changes to all selected policies.
Adding custom notifications¶
The Current Notifications section of the tray can be used to manage notification profiles for the selected policy.
To assign a new/additional notification profile to the alarm policy:
Click the + button.
In the secondary tray, use the dropdown to select the notification profile to assign (or click the + button to create a new profile).
Customize notification behavior using the following settings:
Frequency
Specifies how often the actions defined in the notification profile are triggered (with any configured filters applied):
Each Observation - Actions are triggered every time observed traffic meets the conditions of the alarm policy, regardless of duration.
Rate - Actions are triggered every Nth event with the exact same criteria.
Each Event - Actions are triggered for every event (aggregated observations based on the policy's Timeout setting) reported under the alarm policy.
Notification Filter
Allows event details (e.g., violators, devices, message contents) to be used as criteria to trigger or bypass notification actions. If no filters are specified, notification actions will be triggered for all observations and/or events under the alarm policy.
Hint
Use the Alarm Monitor page to drill down into the Policy > Event > Observations view to see which details should be applied as filters for notifications.
Click Apply to assign the notification profile with the current settings.
An alarm policy can be assigned multiple notification profiles, which will be triggered based on the frequency setting and filters configured for each profile. The same notification profile can also be added multiple times using different frequency settings and filters.
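The interaction between the policy Timeout, the Frequency setting and the Notification Filter is easier to see on a concrete stream of observations. The following Python simulation is an added example written for this page; it is not code from the product or its documentation. It assumes that the Timeout is measured from the last observation of the current event, that two observations share "the exact same criteria" when they have the same violator and device (a constructed stand-in for the policy's real aggregation criteria), and that for event-based frequencies the filter is evaluated against the first observation of each event. The observation stream is constructed sample data.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Observation:
    """One observation that met the policy conditions (constructed sample shape)."""
    ts: float        # seconds since an arbitrary start
    violator: str    # e.g. source IP
    device: str      # reporting exporter


def criteria_key(obs: Observation) -> Tuple[str, str]:
    # Assumption: event aggregation criteria = (violator, device).
    return (obs.violator, obs.device)


def aggregate_events(observations: List[Observation], timeout: float) -> List[List[Observation]]:
    """Group observations into events, mirroring the policy Timeout setting.

    An observation joins the open event with the same criteria when it arrives
    no more than `timeout` seconds after that event's last observation;
    otherwise it starts a new event (assumption: timeout counts from the
    last observation, and a gap equal to the timeout still joins the event).
    """
    events: List[List[Observation]] = []
    open_events: Dict[Tuple[str, str], int] = {}  # criteria -> index into events
    for obs in sorted(observations, key=lambda o: o.ts):
        key = criteria_key(obs)
        idx = open_events.get(key)
        if idx is not None and obs.ts - events[idx][-1].ts <= timeout:
            events[idx].append(obs)
        else:
            events.append([obs])
            open_events[key] = len(events) - 1
    return events


def plan_notifications(
    observations: List[Observation],
    timeout: float,
    frequency: str,
    nth: int = 1,
    notification_filter: Optional[Callable[[Observation], bool]] = None,
) -> List[Observation]:
    """Return the observations at which a notification profile would fire.

    frequency: "each_observation", "each_event" or "rate" (every nth event
    with the same criteria). The optional filter mimics a Notification Filter:
    when it returns False the actions are bypassed for that observation/event.
    """
    if frequency not in ("each_observation", "each_event", "rate"):
        raise ValueError(f"unknown frequency: {frequency}")
    if frequency == "rate" and nth < 1:
        raise ValueError("rate frequency requires nth >= 1")
    passes = notification_filter or (lambda o: True)

    if frequency == "each_observation":
        # Fires for every observation, regardless of how events aggregate.
        return [o for o in sorted(observations, key=lambda o: o.ts) if passes(o)]

    triggered: List[Observation] = []
    events_seen: Dict[Tuple[str, str], int] = {}  # per-criteria event counter
    for event in aggregate_events(observations, timeout):
        first = event[0]
        key = criteria_key(first)
        events_seen[key] = events_seen.get(key, 0) + 1
        due = frequency == "each_event" or events_seen[key] % nth == 0
        if due and passes(first):
            triggered.append(first)
    return triggered


# Constructed sample stream: one violator hammering fw-1, one hit on fw-2.
OBS = [
    Observation(0, "10.0.0.5", "fw-1"),
    Observation(30, "10.0.0.5", "fw-1"),     # 30 s later: same event (timeout 300)
    Observation(400, "10.0.0.5", "fw-1"),    # 370 s gap: new event
    Observation(410, "10.0.0.9", "fw-2"),    # different criteria: its own event
    Observation(800, "10.0.0.5", "fw-1"),    # new event
    Observation(1300, "10.0.0.5", "fw-1"),   # new event
]

if __name__ == "__main__":
    print("events:", len(aggregate_events(OBS, 300)))
    for freq, kw in (("each_observation", {}), ("each_event", {}), ("rate", {"nth": 2})):
        fired = plan_notifications(OBS, 300, freq, **kw)
        print(f"{freq:>16}: fires at ts {[o.ts for o in fired]}")
    only_fw2 = plan_notifications(OBS, 300, "each_event",
                                  notification_filter=lambda o: o.device == "fw-2")
    print("each_event + filter device==fw-2:", [o.ts for o in only_fw2])
```

With a 300-second Timeout the six observations collapse into five events, so Each Observation fires six times, Each Event five times, and Rate with N=2 only twice (the second and fourth event for the fw-1 violator; the fw-2 violator never reaches a second event). Adding a device filter shows how the same profile can be narrowed without touching the policy itself.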
Hint
In the main view, the three-dot menu for alarm policies also includes shortcuts to create, inspect, or assign notification profiles for the policy.