As messages come in, they are processed against the list of policies in the Policy Manager. If the message violates a policy, it can be saved to the history table and may also end up being posted to a Bulletin Board. The Bulletin Boards are used to organize alarms into categories. Each policy is associated with a Bulletin Board view. There are 4 primary menus in the Alarms tab:
- Views Menu: Provides options to view some of the more popular reports available in the Alarms tab.
- Configuration Menu: Provides access to the utilities responsible for most of the functionality in the Alarms tab.
- Reports Menu: Run reports to determine how well the algorithms are performing over time and how frequently the policies are being triggered.
- Gear Menu: Configure global settings for the Alarms tab.
A Heat Map is a graphical representation of the corresponding Bulletin Board table. Objects appearing in the Heat Map high and to the right are the hosts or policies that often need immediate attention. This is because those objects have the most violators and the most violations combined. For more detailed information on Bulletin Boards and Heat Maps, go to Alarms Views.
The Threat Index (TI) is a single value composed of events with different weights that age out over time. Because any one event could be a false positive, the TI gives the administrator the option of letting the sum of several events trigger a notification only when a configurable threshold is breached.
For example, if a device on the local network reaches out to the Internet to a host with a reputation of being part of a botnet, does that mean it is somehow infected? It could, but probably not. What if the same local PC also receives a few ICMP redirects from the router supporting the subnet? Can it now be discerned that there is an infection that needs to be addressed? Again, probably not, but suspicions are rising. More information can be found on the Threat Index page.
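The following is an added illustration of how a weighted, aging Threat Index of this kind can be computed and compared against a threshold; it is not Scrutinizer's own code, and the event weights, the linear one-hour age-out and the threshold value are constructed assumptions, since the page does not give the real ones.

```python
from dataclasses import dataclass

# Constructed weights and decay for illustration; the page does not give
# Scrutinizer's real values. Weight is the event's contribution when fresh.
EVENT_WEIGHTS = {
    "botnet_reputation_contact": 30.0,  # talked to a host with a botnet reputation
    "icmp_redirect": 10.0,              # received an ICMP redirect from the router
}
AGE_OUT_SECONDS = 3600  # assumed: an event contributes nothing after an hour


@dataclass(frozen=True)
class Event:
    host: str   # local device the event is attributed to
    kind: str   # key into EVENT_WEIGHTS
    ts: int     # epoch seconds when the event was observed


def event_score(event: Event, now: int) -> float:
    """Weight of one event, decaying linearly to zero as it ages out."""
    age = now - event.ts
    if age < 0 or age >= AGE_OUT_SECONDS:
        return 0.0
    return EVENT_WEIGHTS[event.kind] * (1.0 - age / AGE_OUT_SECONDS)


def threat_index(events, host: str, now: int) -> float:
    """Sum of the aged weights of all events attributed to one host."""
    return sum(event_score(e, now) for e in events if e.host == host)


def hosts_over_threshold(events, now: int, threshold: float) -> list:
    """Hosts whose TI has breached the configured threshold at time `now`."""
    hosts = sorted({e.host for e in events})
    return [h for h in hosts if threat_index(events, h, now) >= threshold]


# Constructed sample: one host does both things the text describes; another
# only contacts the botnet-reputation host once (likely a false positive).
SAMPLE_EVENTS = [
    Event("10.0.0.5", "botnet_reputation_contact", 0),
    Event("10.0.0.5", "icmp_redirect", 600),
    Event("10.0.0.5", "icmp_redirect", 600),
    Event("10.0.0.5", "icmp_redirect", 600),
    Event("10.0.0.9", "botnet_reputation_contact", 0),
]
TI_THRESHOLD = 50.0  # assumed notification threshold

if __name__ == "__main__":
    for now in (600, 3000):
        print(now, hosts_over_threshold(SAMPLE_EVENTS, now, TI_THRESHOLD))
```

At 600 seconds only 10.0.0.5 has accumulated enough weighted events to breach the threshold; by 3000 seconds the same events have aged out enough that no host is over it.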
Alarming on Interface Percent Violation
This is a global setting used to trigger events for excessive traffic on any individual interface from the devices sending flows to the collector. To set this alarm, perform the following steps:
- Go to Admin >> Settings >> Alarm Notifications. From here, check “Threshold Violations”.
- Go to Admin >> Settings >> System Preferences. Make sure a “Threshold - Utilization” percent has been entered. The default is ‘90’ percent.
If both the “Threshold Violations” and the “Threshold - Utilization” options are set, then alarms will be sent to the Alarms tab once a violation occurs. The alarm violations can be seen in the Alarms tab under the Policy “Scrutinizer: Interface Exceeded Threshold”. From there, the user can assign any notification desired to the Policy.