Policies
The Monitor > Policies tab lists all Alarm Policies with observations during the specified date/time range. It is the default view of the Plixer Scrutinizer Alarm Monitor.
Hint
Because the date/time range setting uses observation timestamps as its filter, the list will include Alarm Policies with Events that started within the selected time frame, even if the most recent observation was outside of it. To learn more about Alarms, Events, and observations, see this topic under the Alarms and Events configuration guide.
By default, the Policies tab displays the Event Cards visualization above the list of Alarm Policies; the cards can also be used to filter the list by Event Severity.
The following visualizations/shortcuts are also available via the View dropdown:
Event Cards
Policy Cards
Host Cards
Event Timeline
Policy Timeline
Host Timeline
Policy Connections
Tactic Connections
Category Connections
Event Connections
Alarm Policy list
The main table of the Policies tab also includes the following details for each Alarm Policy:
Distribution of individual Events reported under the Policy, based on Severity
Total number of violators that have triggered Events under the Policy
Total number of targets in Events reported under the Policy
Timestamps of the original and most recent Events linked to the Policy
Policy category
Hint
Additional details/columns can be toggled on for each Alarm Policy via the Available Columns button.
Additional actions/options
Sort the table by any of the displayed details by clicking the corresponding column header.
Acknowledge one or more Alarms (and the Events under them) by ticking their checkboxes and clicking Acknowledge Selected Events.
Click the shortcut next to an Alarm Policy's Violators or Targets count to open a tray listing all hosts that have been violators or targets under the Policy.
Add an Alarm (and all Events under it) to the currently active Collection by clicking the star button and selecting Add to Collection.
Hint
To set a different Collection as active or create a new Collection, select Manage Collections.
To change an Alarm Policy’s settings, open the three-dot menu and select Edit Settings.
Alarm Summary
Clicking an Alarm Policy in the main table opens a summary page that consists of a graph or chart and a list of Events/artifacts in table format.
The following visualizations can be selected from the dropdown:
Events Scatter Plot - Shows a visual distribution of the Events and observations.
Events Timeline (default) - Shows the original and most recent Event timestamps, as well as the number of times the Event was triggered within the selected period.
Entities - Shows a summary of the Top Violators, Top IP Groups, and Top Targets.
Event List
Each Artifact in the Event List links to a summary tray containing all relevant information for the Event (severity, hosts, etc.).
Note
For additional information on Severity, see the Alarm Policy settings section.
Hovering over the graph icon in the Event List table displays the following options:
Explore Event Traffic - Generates a host-to-host Report for the selected Artifact.
Export Targets - Exports the Artifact's list of target hosts as a CSV file.
Export Violators - Exports the Artifact's list of violating hosts as a CSV file.
Note
Depending on the Alarm Policy, certain options may be absent from this menu. Explore Event Traffic (Host to Host Report) requires the flow data that triggered the Event to still be available. Export Targets and Export Violators require the corresponding host type (targets or violators) to be part of the Policy's criteria.