Policies

The Monitor > Policies tab/view is the default Alarm Monitor view and can be used to investigate alarms within the specified time period, grouped by the alarm policy that was violated.

The overview table can be set to include any of the following columns via the Available Columns button:

  • Severity: Distribution of individual events under the policy based on severity

  • Risk: Aggregated risk level

  • Events: Total number of violating events under the policy

  • Violators: Total number of hosts observed as violators under the policy

  • Targets: Total number of hosts observed as targets under the policy

  • First Observed: Timestamp of the first violating event within the specified time period

  • Last Observed: Timestamp of the most recent violating event within the specified time period

  • Category: Policy category

  • Technology: Plixer One component where the alarm originated

The host counts in the Violators and Targets columns also function as shortcuts to pivot to the Hosts view with a filter for the policy applied.

Note

  • Risk information requires Plixer Endpoint Analytics integration to be enabled. To learn more about Plixer Endpoint Analytics integration in Plixer Scrutinizer, see this section of this documentation.

  • For a full list of alarm policy categories and violation descriptions, see this table.

Editing policy settings

To edit the settings of the policy for an active alarm, select Edit Policy from the three-dot menu in the list/table.

This will open the settings tray in the alarm policy management view, where the policy’s weight, timeout, and state can be modified. Notification profiles can also be created and assigned to the policy from this tray.

Inspecting hosts

Clicking the arrow icon in the Violators or Targets column of the table opens a tray listing the violating and targeted hosts involved in the alarm. The tray can be used to select one or more hosts to apply as filters, or to view alarm details for any of the hosts involved.

Alternatively, clicking on the host count in the Violators or Targets column opens the Alarm Monitor Hosts tab with a filter for the policy applied.

The tray also includes toggles to hide/show system policy violations and acknowledged events in the active alarm list.

Managing exclusions

To add or remove exclusions for an active alarm policy, select Manage Exclusions from the three-dot menu in the list/table.

For Scrutinizer alarm policies (indicated in the Technology column), this will open the FA algorithm management view, from where exclusions can be added to or removed from the algorithm driving the policy. For Plixer Machine Learning policies, the option will open the ML rules management view instead.

Individual hosts can also be added to the FA algorithm or ML detection exclusion list by opening the violators/targets tray and clicking the corresponding icon for one or more hosts.

Alarm summary

Clicking on a policy in the main list opens the summary/details view for the alarm, which includes a chart/timeline summarizing observation details and a list of artifacts for separate events/violations under the same policy.

The following visualizations can be selected from the View dropdown:

  • Events Scatter Plot - Shows distribution of the events and observations

  • Events Timeline (default) - Shows the individual events and their durations in a timeline for the specified time period

  • Entities - Shows observation distribution among top violators, IP groups, and targets

Note

Plixer Scrutinizer aggregates continuous or consecutive observations within the policy’s Timeout setting as a single event. See this page on the alarm/event life cycle for further details.
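The aggregation rule in the note above (consecutive observations within the policy's Timeout fold into one event, a longer gap starts a new one) is easy to misread when comparing the observation count with the event count in the summary table. The following Python example is added here to illustrate that rule; it is not Scrutinizer's own code. It assumes, as a simplification, that observations are grouped per (policy, violator) pair, and the timestamps and addresses are constructed for the demonstration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Observation:
    ts: datetime
    policy: str
    violator: str
    target: str


@dataclass
class Event:
    policy: str
    violator: str
    start: datetime          # first observation aggregated into this event
    end: datetime            # most recent observation aggregated into this event
    observations: int = 0    # total observations folded into the event
    targets: set = field(default_factory=set)


def aggregate(observations, timeout):
    """Fold observations into events.

    An observation joins the currently open event for the same (policy, violator)
    key (an assumption made for this example) when it arrives within `timeout` of
    that event's last observation; otherwise the open event is treated as closed
    and a new event is started.
    """
    events = []
    open_events = {}   # (policy, violator) -> most recent Event for that key
    for obs in sorted(observations, key=lambda o: o.ts):
        key = (obs.policy, obs.violator)
        ev = open_events.get(key)
        if ev is not None and obs.ts - ev.end <= timeout:
            ev.end = obs.ts
            ev.observations += 1
            ev.targets.add(obs.target)
        else:
            ev = Event(obs.policy, obs.violator, obs.ts, obs.ts, 1, {obs.target})
            events.append(ev)
            open_events[key] = ev
    return events


# Constructed sample observations (times, policy name and addresses are made up).
T0 = datetime(2024, 1, 1, 12, 0, 0)
SAMPLE = [
    Observation(T0 + timedelta(minutes=0),  "Persistent Flow", "10.0.0.5", "10.0.1.10"),
    Observation(T0 + timedelta(minutes=3),  "Persistent Flow", "10.0.0.5", "10.0.1.11"),
    Observation(T0 + timedelta(minutes=7),  "Persistent Flow", "10.0.0.5", "10.0.1.10"),
    Observation(T0 + timedelta(minutes=20), "Persistent Flow", "10.0.0.5", "10.0.1.10"),
    Observation(T0 + timedelta(minutes=21), "Persistent Flow", "10.0.0.6", "10.0.1.12"),
]


def demo_events(timeout_minutes=5):
    """Aggregate the constructed sample using the given policy Timeout (minutes)."""
    return aggregate(SAMPLE, timedelta(minutes=timeout_minutes))


if __name__ == "__main__":
    for t in (5, 15):
        print(f"timeout={t}m")
        for ev in demo_events(t):
            print(f"  {ev.violator} {ev.start:%H:%M}-{ev.end:%H:%M} "
                  f"observations={ev.observations} targets={sorted(ev.targets)}")
```

With a 5-minute timeout the 13-minute gap between 12:07 and 12:20 splits the 10.0.0.5 observations into two events (three observations, then one); raising the timeout to 15 minutes merges them into a single four-observation event. The same observation set therefore yields different event counts depending on the policy's Timeout, which is why the event list reports the number of observations aggregated per event.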

Event list

The event list in the alarm summary view can be used to drill into the artifacts for discrete events/violations within the specified time period. For each event, the summary table lists the total number of observations aggregated into it as well as its basic details (severity, hosts, etc.).

Hint

Mouse over the graph icon in the event list for additional shortcuts/options (varies by policy).

Click on an artifact to open a tray containing the full details for the event:

  • Severity

  • Start/end timestamps

  • Most recent event message generated

  • All hosts observed as targets

  • All hosts observed as violators

  • All events with matching violating criteria

In the tray, clicking the link icon for a target or violator opens the host details view, where all alarms associated with that host can be investigated. Details for other events with the same violating criteria (as defined by the alarm policy) can also be viewed in a secondary tray by clicking the view (eye) icon.

Auto-Investigate policy

The Auto-Investigate alarm policy reports sequential incident/event chains wherein each targeted host becomes the next violator in the sequence. Each chain includes all discrete events starting from the initial incident and ends when the target cannot be confirmed as the next violator.

When an Auto-Investigate alarm is active, its summary view will list all incident chains (aggregated by the initial violating host) instead of individual events.
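The chaining logic described above (a chain continues while the target of one event later shows up as the violator of another, and is reported under its initial violator) is illustrated by the following Python example. It is added here for explanation and is not Scrutinizer's implementation: the rule that a follow-on event must start after the event that targeted its violator, and that an initial violator is one that was not targeted by any earlier event, are assumptions modelled on the description above. Events, policy names and addresses are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Event:
    start: datetime
    policy: str
    violator: str
    target: str


def follow_ons(event, events):
    """Later events in which this event's target acts as the violator."""
    return [f for f in events if f.violator == event.target and f.start > event.start]


def is_initial(event, events):
    """An event is an initial incident if its violator was not targeted earlier (assumption)."""
    return not any(f.target == event.violator and f.start < event.start for f in events)


def chains_from(event, events, seen=()):
    """All maximal chains starting at `event`; a chain ends where no follow-on exists."""
    nexts = [f for f in follow_ons(event, events) if f not in seen]
    if not nexts:
        return [[event]]
    chains = []
    for f in nexts:                       # branch when a target goes on to hit several hosts
        for tail in chains_from(f, events, seen + (event,)):
            chains.append([event] + tail)
    return chains


def auto_investigate(events):
    """Map each initial violator to every incident chain that starts with it."""
    events = sorted(events, key=lambda e: e.start)
    result = defaultdict(list)
    for e in events:
        if is_initial(e, events):
            result[e.violator].extend(chains_from(e, events))
    return dict(result)


def describe(chain):
    """Render a chain as violator -[policy]-> target -[policy]-> ... for display."""
    out = chain[0].violator
    for e in chain:
        out += f" -[{e.policy}]-> {e.target}"
    return out


# Constructed sample events (addresses, policy names and times are made up).
D = datetime(2024, 1, 1)
SAMPLE = [
    Event(D.replace(hour=9, minute=0),  "Port Scan",         "10.0.0.5",  "10.0.0.20"),
    Event(D.replace(hour=9, minute=10), "Lateral Movement",  "10.0.0.20", "10.0.0.30"),
    Event(D.replace(hour=9, minute=12), "Lateral Movement",  "10.0.0.20", "10.0.0.70"),
    Event(D.replace(hour=9, minute=25), "Data Exfiltration", "10.0.0.30", "203.0.113.9"),
    Event(D.replace(hour=9, minute=30), "Port Scan",         "10.0.0.40", "10.0.0.50"),
    # 10.0.0.30 also acted *before* it was targeted, so that event forms its own chain
    # rather than being appended to the 10.0.0.5 chain.
    Event(D.replace(hour=8, minute=50), "Port Scan",         "10.0.0.30", "10.0.0.60"),
]


def demo_chains():
    """Run the chain builder over the constructed sample."""
    return auto_investigate(SAMPLE)


if __name__ == "__main__":
    for initial, chains in demo_chains().items():
        print(initial)
        for c in chains:
            print("  ", describe(c))
```

The sample produces two chains under initial violator 10.0.0.5 (one ending in the exfiltration event, one ending at 10.0.0.70), and single-event chains for 10.0.0.40 and for the 08:50 event by 10.0.0.30. The time-ordering check is what keeps the earlier 10.0.0.30 event out of the 10.0.0.5 chain: a host that was targeted cannot be "confirmed as the next violator" on the strength of something it did before the attack reached it.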

Investigation details

Clicking the microscope icon in the list/table opens the investigation subview for the selected initial violator, which can be used to inspect the following information for all incident chains linking back to it:

  • All incident chains with the same initial violator, including violators, targets, and exact timelines

  • Visualized links between violators, policies, and targets

  • Event distribution over time

  • Event, target, and violator counts for all policies violated

  • For each host: the number of policy violations, the number of violators in linked events (including the host itself), and the role(s) the host played in the chains

The policy and host lists also link back to their respective Alarm Monitor views for further investigation and cross-referencing.