Managing the number of alerts
The NetProfiler features two tools for helping you manage the number of alerts:
Threshold Advisor – a quick way to deal with non-critical alerts that are appearing more often than is useful
Event Tuning Analyzer – a tool for getting a better understanding of how threshold settings are impacting the number of alerts being generated
Event Tuning Analyzer
To tune the number of alerts triggered by events:
- Go to the Definitions > Policies page Security tab.
- Select the Show alert counts for the last check box and specify the time period for which alerting is to be analyzed.
- Examine the number of events that caused Low, Medium, or High alerts during the selected time period.
- In the Configured Policies section, select the policy you want to tune.
- In the Alerting Thresholds section, select the alerting threshold specification you want to adjust.
- Click Analyze. This displays the Event Tuning Analysis page.
- On the Event Tuning Analysis page, select a time period, such as the last day, for which event alerting is to be analyzed. For best results, use a time period during which the selected alerting thresholds were not adjusted.
- Click Recalculate. (It is not necessary to recalculate if you keep the default time period of the last day.)
- Click Help for a description of the red, orange, yellow and gray color coding on the graph.
- Check the Alert Counts values to see whether too many or too few alerts are being triggered by this type of event.
- If there are too many Low, Medium or High alerts being triggered, raise the alerting threshold for that alert level in the Thresholds box.
- If there are too few Low, Medium or High alerts being triggered, lower the alerting threshold for that alert level in the Thresholds box. (When lowering the Low alert threshold, note that the graph does not show events that had severities lower than the Low threshold at the time they occurred.)
- Click Recalculate to see how many alerts would have been triggered during the selected time period if the alerting thresholds had been as you just set them in the previous step.
- If you are satisfied with the results, click OK to reset the thresholds for the policy. If not, repeat the steps above until the numbers of Low, Medium, and High alerts are what you would want for the selected time period.
If this approach results in Low, Medium and High alerting thresholds that are too close to one another, you may be able to give yourself a larger range of severities to work with by modifying the severity that the event detection analytic assigns to the event.
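The following is an added example, not NetProfiler code, that models what the Recalculate step does: it re-buckets a constructed set of past events under candidate Low/Medium/High thresholds, reproduces the caveat that events below the Low threshold in force at the time were never recorded (so lowering Low cannot reveal them), and flags threshold sets that sit too close together. The 0-100 severity scale, the sample events and the 10-point gap are assumptions.

```python
# Added example (not NetProfiler code): a model of the Event Tuning Analyzer's
# Recalculate step. Severity scale 0-100 and the event records are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    severity: int      # severity the detection analytic assigned (assumed 0-100)
    low_at_time: int   # Low threshold that was in effect when the event occurred

# Constructed sample: the Low threshold was 40 for the whole analysis window.
EVENTS = [Event(s, 40) for s in (15, 25, 38, 42, 45, 55, 61, 70, 78, 85, 92, 97)]

def recorded(events):
    """Events the analyzer can see: only those that reached the Low threshold
    in force at the time were kept in the alert history."""
    return [e for e in events if e.severity >= e.low_at_time]

def alert_level(severity, thresholds):
    """Highest alert level whose threshold the severity meets, or None."""
    low, medium, high = thresholds
    if severity >= high:
        return "High"
    if severity >= medium:
        return "Medium"
    if severity >= low:
        return "Low"
    return None

def recalculate(events, thresholds):
    """Count the Low/Medium/High alerts that would have fired under `thresholds`."""
    low, medium, high = thresholds
    if not low < medium < high:
        raise ValueError("thresholds must satisfy Low < Medium < High")
    counts = {"Low": 0, "Medium": 0, "High": 0}
    for e in recorded(events):
        level = alert_level(e.severity, thresholds)
        if level:
            counts[level] += 1
    return counts

def thresholds_too_close(thresholds, min_gap=10):
    """Flag a threshold set that leaves little severity range between levels
    (the situation the last paragraph above describes); min_gap is assumed."""
    low, medium, high = thresholds
    return min(medium - low, high - medium) < min_gap

if __name__ == "__main__":
    print(recalculate(EVENTS, (40, 60, 80)))  # current settings
    print(recalculate(EVENTS, (40, 70, 90)))  # raising Medium/High shifts counts down a level
    print(recalculate(EVENTS, (20, 60, 80)))  # lowering Low below 40 reveals nothing new
```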