Adding alerting thresholds to security policies

To specify Low, Medium, and High alerting thresholds for a security policy:

  1. Go to the Security tab of the Definitions > Policies page.

  2. In the Configured Policies list, select the policy for which you want to set alerting thresholds. This displays the alerting threshold settings for the selected policy.

  3. In the Alerting Thresholds section, click New.  This displays the threshold settings page for the policy you have selected.

  4. Enter the severity levels at which events are to trigger Low, Medium, and High alerts.

  5. Select the type of groups to list in the Groups box.

  6. Select Hosts or Groups, as applicable.

    • If you are setting thresholds for hosts, enter the hosts as CIDR blocks or individual IP addresses or host names.  Use either a comma-separated list or a separate line for each.  "Any" is a valid entry.

    • If you are setting thresholds for host groups, multi-select (Control-click) the groups to which the thresholds apply.

  7. If you are setting thresholds on protocols or ports:

    • Use the Browse link to identify protocols or ports and add them to the list.

    • Alternatively, enter the ports in protocol-port format or enter protocols by protocol name.

    • Use either a comma-separated list or a separate line for each.  "Any" is a valid entry, but ensure the box does not contain both Any and other entries.

  8. Click OK. The Threshold Settings page closes and the new thresholds are displayed.
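
The Hosts and protocol/port boxes in steps 6 and 7 take free-form lists, so a mistyped entry is easy to paste in. The following Python script is an added example, not part of the product or its documentation; it pre-checks a list before you enter it. The host-name syntax, the case-insensitive match on Any, and the rejection of CIDR blocks with host bits set are assumptions, and the product's own validation may differ.

```python
import ipaddress
import re

# Assumption: host names follow RFC 1123 label syntax; the page defines none.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME = re.compile(rf"{_LABEL}(?:\.{_LABEL})*")


def split_entries(text):
    """Split a box's contents on commas and line breaks, dropping blanks."""
    return [e.strip() for e in re.split(r"[,\n]", text) if e.strip()]


def classify_host(entry):
    """Return 'any', 'ip', 'cidr', 'hostname' or 'invalid' for one entry."""
    if entry.lower() == "any":  # assumption: Any is matched case-insensitively
        return "any"
    try:
        ipaddress.ip_address(entry)
        return "ip"
    except ValueError:
        pass
    if "/" in entry:
        try:
            # strict=True flags blocks with host bits set, e.g. 10.1.2.3/8
            ipaddress.ip_network(entry, strict=True)
            return "cidr"
        except ValueError:
            return "invalid"
    if re.fullmatch(r"[0-9.]+", entry):
        return "invalid"  # digits and dots only: a malformed IP, not a host name
    ok = len(entry) <= 253 and _HOSTNAME.fullmatch(entry)
    return "hostname" if ok else "invalid"


def invalid_hosts(text):
    """Entries in a Hosts box that are not Any, an IP, a CIDR block or a host name."""
    return [e for e in split_entries(text) if classify_host(e) == "invalid"]


def any_conflict(text):
    """True if a box contains both Any and other entries (the rule in step 7)."""
    entries = [e.lower() for e in split_entries(text)]
    return "any" in entries and any(e != "any" for e in entries)


# Constructed sample input, not taken from a real deployment.
HOSTS_BOX = "10.0.0.0/8, 192.168.1.15\ndb01.example.com, 10.1.2.3/8, 10.0.0.256"
PORTS_BOX = "Any, tcp"

if __name__ == "__main__":
    print(invalid_hosts(HOSTS_BOX), any_conflict(PORTS_BOX))
```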
