Alarm policies

The Admin > Alarm Monitor > Alarm Policies page can be used to enable/disable, inspect, or reconfigure individual alarm policies.

Hint

For detailed information about individual alarm policies, refer to this section of the documentation.

The main view lists the following details and settings for each policy:

Status

Current state the policy is set to (green: Active, blue: Store, grey: Inactive)

Flow Analytics Algorithm

FA algorithm driving detections for the policy

Category

Type/nature of detections reported under the policy

Violations

Current number of active violations of the policy

Exporters

Number of exporters defined as inclusions for the associated FA algorithm

Timeout

Amount of time (in seconds) that must pass before the next observed violation is counted as a new event

Weight

Value used to calculate severity when violations are reported in the Alarm Monitor views

Filters can be applied to quickly find specific policies, and the table can be exported for external use.

Modifying policy settings

To view additional details (including message format, variables, and event/artifact criteria) about an alarm policy or make changes to its configuration, open the configuration tray by clicking on the policy.

In the Information & Settings section of the tray, click the Edit (pencil) icon to modify any of the following settings:

  • Weight

  • Timeout

  • Status

The secondary tray also shows the message format for reporting violations and lists all message variables used. It also contains the exact criteria used for aggregating individual observations as the same event/artifact.

Hint

When one or more alarm policies are selected via the checkboxes, the Bulk Actions button can be used to apply the same configuration changes to all selected policies.

Adding custom notifications

The Current Notifications section of the tray can be used to manage notification profiles for the selected policy.

To assign a new/additional notification profile to the alarm policy:

  1. Click the + button.

  2. In the secondary tray, use the dropdown to select the notification profile to assign (or click the + button to create a new profile).

  3. Customize notification behavior using the following settings:

    Frequency

    Specifies how often the actions defined in the notification profile are triggered (with any configured filters applied):
      • Each Observation - Actions are triggered every time observed traffic meets the conditions of the alarm policy, regardless of duration.

      • Rate - Actions are triggered every Nth event with the exact same criteria.

      • Each Event - Actions are triggered for every event (aggregated observations based on the policy’s Timeout setting) reported under the alarm policy.

    Notification Filter

    Allows event details (e.g., violators, devices, message contents) to be used as criteria to trigger or bypass notification actions.
    If no filters are specified, notification actions will be triggered for all observations and/or events under the alarm policy.

    Hint

    Use the Alarm Monitor page to drill down into the Policy > Event > Observations view to see which details should be applied as filters for notifications.

  4. Click Apply to assign the notification profile with the current settings.

An alarm policy can be assigned multiple notification profiles, which will be triggered based on the frequency setting and filters configured for each profile. The same notification profile can also be added multiple times using different frequency settings and filters.
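The sketch below is an added example, not the product's own code. It models how the Timeout setting, the three Frequency options, and a Notification Filter combine to decide how many times a profile's actions fire. Assumptions: a new event starts when at least `timeout` seconds separate two observations with the same criteria, Rate counts events per violator starting at 1, the filter is a predicate on the violator, and all function names and sample data are hypothetical.

```python
from collections import defaultdict

# Constructed sample: (seconds, violator) observations under one alarm policy.
OBSERVATIONS = [(0, "10.0.0.5"), (30, "10.0.0.9"), (60, "10.0.0.5"),
                (120, "10.0.0.5"), (400, "10.0.0.9"), (900, "10.0.0.5"),
                (960, "10.0.0.5"), (2000, "10.0.0.5"), (5000, "10.0.0.5")]

def aggregate_events(observations, timeout):
    """Group observations into events per violator.
    Assumption: a gap of at least `timeout` seconds since the previous
    observation with the same criteria starts a new event."""
    events = defaultdict(list)           # violator -> list of events (timestamp lists)
    for ts, key in sorted(observations):
        per_key = events[key]
        if per_key and ts - per_key[-1][-1] < timeout:
            per_key[-1].append(ts)       # still inside the timeout: same event
        else:
            per_key.append([ts])         # first sighting or timeout elapsed: new event
    return dict(events)

def notifications(observations, timeout, frequency, n=1, keep=lambda key: True):
    """Return the (timestamp, violator) points at which actions would fire."""
    if frequency not in ("each_observation", "each_event", "rate"):
        raise ValueError(f"unknown frequency: {frequency}")
    fired = []
    for key, evs in aggregate_events(observations, timeout).items():
        if not keep(key):                # Notification Filter modelled as a predicate
            continue
        for idx, ev in enumerate(evs, start=1):
            if frequency == "each_observation":
                fired += [(ts, key) for ts in ev]   # one action per observation
            elif frequency == "each_event":
                fired.append((ev[0], key))          # one action per aggregated event
            elif idx % n == 0:
                fired.append((ev[0], key))          # rate: every Nth event per violator
    return sorted(fired)

if __name__ == "__main__":
    for mode, n in (("each_observation", 1), ("each_event", 1), ("rate", 2)):
        print(mode, len(notifications(OBSERVATIONS, 300, mode, n)))
```

Raising the timeout merges more observations into each event, which lowers the Each Event and Rate counts while leaving Each Observation unchanged.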

Hint

In the main view, the three-dot menu for alarm policies also includes shortcuts to create, inspect, or assign notification profiles for the policy.