Security policy alerting thresholds
An alerting threshold is specified in terms of an event severity. When the severity of an event equals or exceeds an alerting threshold, it causes NetProfiler to send an alert.
There is a default alerting threshold rule for each policy that has adjustable severity levels. The default rule specifies the severity levels that must be reached or exceeded to trigger Low, Medium and High alerts. However, you can restrict particular alerting thresholds to specified source hosts or host groups, destination hosts or host groups, or both, depending on the type of event.
Alerting threshold rules
For each policy that has an alerting threshold, you can set Low, Medium, and High alerting thresholds for:
- individual hosts
- CIDR blocks of hosts
- host groups
Additionally, you can set alerting thresholds that are limited to hosts that use or provide services using specific protocols or ports. Protocol- and port-based alerting thresholds are available for the following event types:
- Denial of Service/Bandwidth Surge
- Worm
- Host Scan
- Port Scan
- Suspicious Connection
For each event type that supports alerting thresholds, you can set different alerting thresholds for different hosts or host groups. For example, assume that you set the default alerting threshold for an event type to trigger a low level alert when the severity of an event of that type reaches or exceeds 60. Then you add a rule specifying that, if any traffic involved in an event of that type is in the range of 10.0.0.0/16, NetProfiler should send a Low level alert when the event severity reaches 40.
The result is that an event with a severity of, for example, 50 triggers a Low level alert only if traffic in the range 10.0.0.0/16 is involved. If all traffic involved in the event is outside this range, NetProfiler does not send an alert until the event severity reaches 60.
Requirements for matching an alerting rule
In order for an event to match an alerting rule, all of the following must hold:
- If the alerting rule specifies source hosts, then all source hosts in the event must be within the source host specification of the alerting rule.
- If the alerting rule specifies destination hosts, then all destination hosts in the event must be within the destination host specification of the alerting rule.
- If the alerting rule specifies protocols or ports, then all protocols or ports in the event must be within the protocol or port specification of the alerting rule.
If sources, destinations, protocols, or ports are not applicable to the type of event for which the alerting rule is specified, that criterion is treated as "Any."
Disabling or enabling alerting threshold checking
You can disable alerting for the High, Medium, or Low alerting threshold of any particular alerting rule. Note that this is separate from disabling event detection. If you use the Enable/Disable control on the Security tab of the Definitions > Policies page to disable a policy, then events normally detected by that policy are not recognized and no alerts can be generated for that policy.
If a policy is enabled, then you can enable or disable threshold checking for one or more alert levels in alerting rules for that event type.
To disable or enable alert threshold checking:
- Go to the Definitions > Policies page Security tab.
- Select the policy for which you want to disable or enable an alerting threshold rule.
- Select the alerting threshold rule.
- Click Edit. This displays a threshold settings page.
- On the Threshold Settings page, click Disable or Enable, as applicable, beside the threshold level.
- Click OK.
Precedence of alerting threshold rules
When you create multiple alerting threshold rules for a policy, each rule appears in the Alerting Thresholds list. NetProfiler checks the severity of events of that policy against each rule in the list in the order in which the rules appear in the list. When it finds a rule that meets the criteria for an alert, it uses that rule and ignores all subsequent rules in the list.
You can change the location of a rule in the list by selecting it, then using the up arrow or down arrow to move the rule up or down in the list. Moving a rule up gives it precedence over the rules that follow it in the list. An exception to this is the default rule of Any, which always appears last in the list and has no arrows. If none of the other rules in the list apply, then NetProfiler uses the default alerting rule.
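As an added example (not NetProfiler's own code or API), the following Python models the matching and precedence rules described above: a rule matches only when every source, destination and port in the event falls within its specification (an empty specification means Any), rules are tried in list order with the Any rule last, and the matched rule's enabled thresholds decide the alert level. The AlertRule structure, the event dictionaries, the sample addresses and the Medium/High severity values are assumptions; the Low values (60 and 40 for 10.0.0.0/16) are the page's own example.

```python
import ipaddress
from dataclasses import dataclass, field
LEVELS = ("high", "medium", "low")  # checked highest first

@dataclass
class AlertRule:
    name: str
    thresholds: dict                                  # level -> severity that must be reached or exceeded
    sources: list = field(default_factory=list)       # CIDR strings; empty list means "Any"
    destinations: list = field(default_factory=list)  # CIDR strings; empty list means "Any"
    ports: set = field(default_factory=set)           # empty set means "Any"
    disabled: set = field(default_factory=set)        # levels whose threshold checking is disabled

def all_within(hosts, cidrs):
    """True when every host is inside at least one CIDR block (no CIDRs means Any)."""
    if not cidrs:
        return True
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    return all(any(ipaddress.ip_address(h) in n for n in nets) for h in hosts)

def rule_matches(rule, event):
    """All event sources, destinations and ports must fall inside the rule's specifications."""
    return (all_within(event["sources"], rule.sources)
            and all_within(event["destinations"], rule.destinations)
            and (not rule.ports or set(event["ports"]) <= rule.ports))

def alert_level(rule, severity):
    """Highest enabled level whose threshold the severity reaches or exceeds, else None."""
    for level in LEVELS:
        t = rule.thresholds.get(level)
        if t is not None and level not in rule.disabled and severity >= t:
            return level
    return None

def evaluate(rules, default_rule, event):
    """Rules are tried in list order; the first whose criteria match decides. The Any rule is last."""
    for rule in list(rules) + [default_rule]:
        if rule_matches(rule, event):
            return rule.name, alert_level(rule, event["severity"])
    return default_rule.name, None  # not reached: the default rule has no restrictions
# Constructed sample rules mirroring the page's example (Medium/High values are assumed).
DEFAULT = AlertRule("Any", {"low": 60, "medium": 80, "high": 90})
INTERNAL = AlertRule("10.0.0.0/16", {"low": 40, "medium": 80, "high": 90}, sources=["10.0.0.0/16"])

def demo():
    inside = {"severity": 50, "sources": ["10.0.3.4"], "destinations": [], "ports": [445]}
    outside = {"severity": 50, "sources": ["192.0.2.7"], "destinations": [], "ports": [445]}
    mixed = {"severity": 50, "sources": ["10.0.3.4", "192.0.2.7"], "destinations": [], "ports": [445]}
    return [evaluate([INTERNAL], DEFAULT, e) for e in (inside, outside, mixed)]
```

The `mixed` event shows the "all hosts" requirement: one source outside 10.0.0.0/16 is enough for the restricted rule not to match, so the event falls through to the Any rule and, at severity 50, produces no alert.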