Policies

The Monitor > Policies tab lists all Alarm Policies with observations during the specified date/time range. It is the default view of the Plixer Scrutinizer Alarm Monitor.

Hint

Because the date/time range setting uses observation timestamps as its filter, the list will include Alarm Policies with Events that started within the selected time frame, even if the most recent observation was outside of it. To learn more about Alarms, Events, and observations, see this topic under the Alarms and Events configuration guide.

By default, the Policies tab displays the Event Cards visualization, which can be used to filter the list by Event Severity, in addition to the list of Alarm Policies.

The following visualizations/shortcuts are also available via the View dropdown:

  • Event Cards

  • Policy Cards

  • Host Cards

  • Event Timeline

  • Policy Timeline

  • Host Timeline

  • Policy Connections

  • Tactic Connections

  • Category Connections

  • Event Connections

Alarm Policy list

The main table of the Policies tab also includes the following details for each Alarm Policy:

  • Distribution of individual Events under the Policy based on Severity

  • Total number of violators that have triggered Events under the Policy

  • Total number of targets in Events under the Policy

  • Timestamps of the original and most recent Events linked to the Policy

  • Policy category
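To make the filter rule described in the Hint above (observation timestamps decide inclusion, not the most recent Event timestamp) and the per-Policy columns in this list concrete, here is a small Python model. It is an added example, not Scrutinizer's own code or export format; the Event fields, policy names and timestamps are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    """Constructed stand-in for an Alarm Event; fields are assumptions, not a product schema."""
    policy: str
    severity: str
    violator: str
    target: str
    observations: list  # datetime timestamps, oldest first


def in_range(event, start, end):
    # The date/time range filters on observation timestamps: an Event is kept
    # when ANY observation falls inside the window, even if the most recent
    # observation lies outside it.
    return any(start <= ts <= end for ts in event.observations)


def policy_rows(events, start, end):
    """Build one row per Alarm Policy with the details the Policies table shows."""
    rows = {}
    for ev in events:
        if not in_range(ev, start, end):
            continue
        row = rows.setdefault(ev.policy, {
            "severity": {}, "violators": set(), "targets": set(),
            "first": ev.observations[0], "last": ev.observations[-1]})
        row["severity"][ev.severity] = row["severity"].get(ev.severity, 0) + 1
        row["violators"].add(ev.violator)      # distinct violating hosts
        row["targets"].add(ev.target)          # distinct target hosts
        row["first"] = min(row["first"], ev.observations[0])  # original Event
        row["last"] = max(row["last"], ev.observations[-1])   # most recent Event
    return rows


# Constructed sample data: Policy A started inside the 24h window but was
# last observed at +30h; Policy B was only observed after the window.
T0 = datetime(2024, 1, 1)
H = timedelta(hours=1)
SAMPLE_EVENTS = [
    Event("Policy A", "high", "10.0.0.1", "10.0.0.2", [T0 + 1 * H, T0 + 2 * H, T0 + 30 * H]),
    Event("Policy A", "medium", "10.0.0.3", "10.0.0.2", [T0 + 3 * H]),
    Event("Policy B", "low", "10.0.0.4", "10.0.0.5", [T0 + 40 * H]),
]

if __name__ == "__main__":
    for name, row in policy_rows(SAMPLE_EVENTS, T0, T0 + 24 * H).items():
        print(name, row)
```

Running it for the window T0 to T0+24h lists only Policy A, with a most-recent timestamp of +30h that is itself outside the window, which is exactly the behaviour the Hint describes.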

Hint

Additional details/columns can be toggled on for each Alarm Policy via the Available Columns button.

Additional actions/options

  • The table/list can be sorted using any of the displayed details by clicking on the corresponding column header.

  • Acknowledge one or more Alarms by ticking their checkboxes and clicking Acknowledge Selected Events.

  • Click the shortcut next to an Alarm Policy’s Violators or Targets to open a tray listing all hosts that have been violators or targets under the Policy.

  • Add an Alarm (and all Events under it) to the current active Collection by clicking the star button and selecting Add to Collection.

Hint

To set a different Collection as active or create a new Collection, select Manage Collections.

  • To change an Alarm Policy’s settings, open the three-dot menu and select Edit Settings.

Alarm Summary

Clicking an Alarm Policy in the main table opens a summary page that consists of a graph or chart and a list of Events/artifacts in table format.

The following visualizations can be selected from the dropdown:

  • Events Scatter Plot - Shows a visual distribution of the Events and Observations.

  • Events Timeline (default) - Shows the original and most recent Event timestamps, as well as the number of times the Event was triggered within the given period.

  • Entities - Shows a summary of the Top Violators, Top IP Groups, and Top Targets.

Event List

Each Artifact in the Event List links to a summary tray containing all relevant information for the Event (severity, hosts, etc.).

Note

For additional information on Severity, see the Alarm Policy settings section.

Hovering over the graph icon in the Event List table displays the following options:

  • Explore Event Traffic - Generates a host-to-host Report for the selected Artifact

  • Export Targets - Exports the Artifact’s list of target hosts as a CSV file

  • Export Violators - Exports the Artifact’s list of violating hosts as a CSV file

Note

Depending on the Alarm Policy, certain options may be absent from the three-dot menu. Explore Event Traffic (Host to Host Report) requires the flow data that triggered the Event to be available. Export Targets and Export Violators require the corresponding host type to be part of the Policy’s criteria.