Forensics: 5. Threshold Alert
Posted: Thu Jul 26, 2012 6:32 am
A traffic analysis in Forensics can be saved as a Threshold Alert.
Click on the top toolbar "Save" button in "Forensics" or "Custom Forensics" screen to save the customized "Forensics" traffic analysis as a Threshold Alert.
The measurement "Threshold Alert Criteria" must be defined for the Threshold Alert to function.
Command Buttons
Name of the Threshold Alert.
Description
Additional information for the Threshold Alert.
Report Type
Choose "Threshold Alert" to save as a fixed measurement Threshold Alert.
Other available options allow you to save this report as a Template, a Scheduled Report, a Threshold Alert or an Intelligent Baseline Anomaly Detection Alert.
Category
The category is fixed as "Threshold Alert".
Add Link
Enabling the "Add Link" option will add an icon to the generated Threshold Alert. The icon provides a click back link to the "Forensics" screen from the generated Threshold Alert.
In order for the click back to function correctly the server must be correctly configured in the "Site Configuration" screen under "Administrator" in the "Configuration" panel.
Data Period
Data Period is set to Schedule Frequency - Alert is checked each interval.
Definition
The following options in "Custom Forensics" and "Forensics" Filter tab can be overwritten here.
Defines the alert checking start time point.
Schedule To
Defines the alert end time point.
Available if "Run Indefinitely" is un-ticked.
Run Indefinitely
The alert will be active indefinitely if it is ticked on.
Wait for Delayed
When the alert includes multiple devices/exporters (routers or switches), the Threshold Alert will be delayed to run until all active device data has reached the scheduled time points. This is to ensure that alerts maintain integrity when dependent on multiple inputs.
Priority
Defines the priority of the alert.
Alert Category
Defines a category for the alert.
The alert category can be added in "Alert Category" screen, which can be entered by clicking the left menu "Category" under the Alert Administration in the "My Analytics" panel.
on No Data
Send an alert when there is no data for the defined traffic by "Forensics" if it is ticked on.
Alerting Level
Send an alert only when the defined thresholds are breached.
Alerts only when the threshold is breached N times within the defined M minutes period.
This option helps to reduce False Positives which can arise in threshold alerting.
CySight provides a Network Behavior Anomaly Detection module called Intelligent Baseline Anomaly Detection that learns the expected thresholds for a monitored data item and alerts only when the breach occurs for the learnt threshold for the time of day and day of week substantially reducing False Positives.
Delivery
The Threshold Alert can be sent to one or more email addresses. The SMTP server and its service port, sender address and subject must be configured properly to allow send schedule report.
The Threshold Alert can be sent to an SNMP trap server.
The SNMP trap server and its relative information must be correctly configured in the "Site Configuration" screen.
The SNMP Trap codes are defined in the "SNMP Trap Code" screen.
The Threshold Alert can be specified to save to a directory in the Report Repository with each scheduled time stamp as the report name affix or copied to a specified report name in the report repository for viewing or to enable other applications to refer to the automatically refreshed file.
Delivery to "Directory" and "File" have 3 shared attribute options.
The criteria of Threshold Alert can be based on any one or more measurements, Bytes/bps/Packets/pps/Flows/Count/TcpFlags etc.
There are 3 threshold levels available Information (Green), Warning (Yellow) and Critical (Red). The alert events for the 3 level will be collected accordingly with their criteria.
Clicking on the left menu "Threshold Alert" under "Anomaly Detection" in "My Analytics" will list all generated Threshold Alerts in the "Alert" screen.
The "Threshold Alerts" screen allows maintenance operations on the existing Threshold Alerts. The bold button reflects the current command status.
Where a traffic analysis already has measurement or time fields in the Criteria in the Dimensions the analysis cannot be saved as an alert.The Threshold Alert can be checked at minimum in 1 minute intervals.
Click on the top toolbar "Save" button in "Forensics" or "Custom Forensics" screen to save the customized "Forensics" traffic analysis as a Threshold Alert.
The measurement "Threshold Alert Criteria" must be defined for the Threshold Alert to function.
Command Buttons
- Save New - Save as a new Threshold Alert. Where the Threshold Alert is based on an existing Threshold Alert the original Threshold Alert will not be changed.
- Save Back - Save back to the original alert after modifying some options.
- Report - Go back to Forensics screen to check or adjust the alert traffic options in "Forensics".
- Filter - Go back to "Custom Forensics" to adjust the alert traffic options in "Forensics".
- Suspend - Suspend this alert.
- Resume - Recover checking this alert.
- Cancel - Go back to the previous page.
- Delete - Delete this alert if it exists.
Name of the Threshold Alert.
Description
Additional information for the Threshold Alert.
Report Type
Choose "Threshold Alert" to save as a fixed measurement Threshold Alert.
Other available options allow you to save this report as a Template, a Scheduled Report, a Threshold Alert or an Intelligent Baseline Anomaly Detection Alert.
Category
The category is fixed as "Threshold Alert".
Add Link
Enabling the "Add Link" option will add an icon to the generated Threshold Alert. The icon provides a click back link to the "Forensics" screen from the generated Threshold Alert.
In order for the click back to function correctly the server must be correctly configured in the "Site Configuration" screen under "Administrator" in the "Configuration" panel.
Data Period
Data Period is set to Schedule Frequency - Alert is checked each interval.
Definition
The following options in "Custom Forensics" and "Forensics" Filter tab can be overwritten here.
- "Aggregated Data",
- "Report Layout" and
- "Duplication"
Defines the alert checking start time point.
Schedule To
Defines the alert end time point.
Available if "Run Indefinitely" is un-ticked.
Run Indefinitely
The alert will be active indefinitely if it is ticked on.
Wait for Delayed
When the alert includes multiple devices/exporters (routers or switches), the Threshold Alert will be delayed to run until all active device data has reached the scheduled time points. This is to ensure that alerts maintain integrity when dependent on multiple inputs.
Priority
Defines the priority of the alert.
Alert Category
Defines a category for the alert.
The alert category can be added in "Alert Category" screen, which can be entered by clicking the left menu "Category" under the Alert Administration in the "My Analytics" panel.
on No Data
Send an alert when there is no data for the defined traffic by "Forensics" if it is ticked on.
Alerting Level
Send an alert only when the defined thresholds are breached.
- Critical - Only alerting over critical events.
- Warning - Alerting over warning and critical events.
- Information - Alerting over information,warning and critical events.
Alerts only when the threshold is breached N times within the defined M minutes period.
This option helps to reduce False Positives which can arise in threshold alerting.
CySight provides a Network Behavior Anomaly Detection module called Intelligent Baseline Anomaly Detection that learns the expected thresholds for a monitored data item and alerts only when the breach occurs for the learnt threshold for the time of day and day of week substantially reducing False Positives.
Delivery
The Threshold Alert can be sent to one or more email addresses. The SMTP server and its service port, sender address and subject must be configured properly to allow send schedule report.
The Threshold Alert can be sent to an SNMP trap server.
The SNMP trap server and its relative information must be correctly configured in the "Site Configuration" screen.
The SNMP Trap codes are defined in the "SNMP Trap Code" screen.
The Threshold Alert can be specified to save to a directory in the Report Repository with each scheduled time stamp as the report name affix or copied to a specified report name in the report repository for viewing or to enable other applications to refer to the automatically refreshed file.
Delivery to "Directory" and "File" have 3 shared attribute options.
- Private - only allows the report Owner and Administrator to browse the alert in the Report Repository.
- Shared - allows any user who is logged into CySight to browse the alert.
- Public - allows anyone to browse the given alert using a specified URL without being logged into CySight.
The criteria of Threshold Alert can be based on any one or more measurements, Bytes/bps/Packets/pps/Flows/Count/TcpFlags etc.
There are 3 threshold levels available Information (Green), Warning (Yellow) and Critical (Red). The alert events for the 3 level will be collected accordingly with their criteria.
Clicking on the left menu "Threshold Alert" under "Anomaly Detection" in "My Analytics" will list all generated Threshold Alerts in the "Alert" screen.
The "Threshold Alerts" screen allows maintenance operations on the existing Threshold Alerts. The bold button reflects the current command status.
- Search - Click the "Search" button to expand the fields panel. Choose operator and enter value, then press "Confirm" button to list the matched Threshold Alerts.
- Edit - Click the "Edit" button and highlight a Threshold Alert in the grid, then press "Confirm" to modify the Threshold Alert.
- Report - Click the "Report" button and highlight a Threshold Alert in the grid, then press "Confirm" to go to Forensics Report to check or adjust the "Forensics" options.
- Filter - Click the "Filter" button and highlight a Threshold Alert in the grid, then press "Confirm" to go to "Custom Forensics" to adjust the "Forensics" options and criteria.
- Delete - Click the "Delete" button and highlight a Threshold Alert in the grid, then press "Confirm" to delete the highlighted Threshold Alert.
- Suspend - Click the "Suspend" button and highlight a Threshold Alert in the grid, then press "Confirm" to suspend the highlighted Threshold Alert.
- Suspend All - Click the "Suspend All" button, then press "Confirm" to suspend all current listed Threshold Alerts.
- Resume - Click the "Resume" button and highlight a Threshold Alert in the grid, then press "Confirm" to resume highlighted Threshold Alert.
- Resume All - Click the "Resume All" button, then press "Confirm" to resume all current listed Threshold Alert.
Time fields like Year, Month, Day, Weekday, Hour, Minute are not allowed to be in the criteria when Forensics is saved as a Threshold Alert