Activating an alert
SureLog only evaluates activated alerts and ignores all others, so an alert has no effect until the user activates it. Activation is done from the Alerts menu by selecting the desired alerts and activating them.
To enable alerts:
- Open the Alerts view
- In the left pane, select the desired alerts to enable
- In the Alerts grid, select the alert (or alerts) for activation
- Enable the alerts as follows:
  - To enable a single alert, click the Activate Selected button
  - To enable multiple alerts, select the alerts first and then click the Activate Selected button
The figure below shows how users activate multiple alerts:
- Select the alerts to be activated
- Select Activate Selected button
The figure below shows the alerts activated after the steps above:
Note that if a rule is updated, any alert associated with that rule must be re-activated.
To add an alert for a rule:
- Open the Alerts view
- In the left pane, select the Add New Alert button
- Enter a name and description for the alert as shown in the figure below
- Select the Add Rule tab shown in the figure above to add a rule
Here the user can select From Wizard to add a custom rule, or From Template to add a template rule, as shown in the figure below
- Select From Wizard to add the custom rule
- Mark the rule in the list and select Add
- Mark Send E-mail so that the alert is sent to the user via E-mail
- Mark Send to Group so that the alert is sent to a group via E-mail
- Enter a subject line for the E-mail
- Mark Add Date and Add Alert Name to include the date and the alert name in the E-mail
- Select Add Attributes to add attributes to the E-mail
- Select the relevant attributes
- Select the Add button to add the selected attributes
- Select the Submit tab to save the alert
- Check that the alert appears in the Alerts list as shown in the figure below:
- Mark the check box in front of the alert name and select the Activate Selected button to activate the alert.
Users can set a suspend time for a rule to limit the mail sending rate. The following sample scenario illustrates this:
Warn once if more than 100 packets from the same source IP are blocked by the UTM/firewall device within one minute, and do not warn again for an hour. (Millions of packets are blocked during a DDoS attack; if a mail were sent for every one of those warnings, you would effectively be launching a DDoS attack against yourself.)
The user can set the suspend time to 1 hour for the sample scenario above, as shown in the figure below:
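As an added illustration of the suspend-time scenario above (example code, not part of SureLog or this manual), the following Python sketch applies the same rule to constructed firewall events: warn once when a source IP exceeds 100 blocked packets within a 60-second window, then suppress further warnings for that source for an hour. The event format, field names and sample data are assumptions made for the example.

```python
from collections import defaultdict, deque

# Rule parameters from the sample scenario.
THRESHOLD = 100   # warn when MORE than 100 blocked packets ...
WINDOW = 60       # ... arrive from one source IP within one minute
SUSPEND = 3600    # ... and then stay quiet for that source for one hour


class BlockedPacketAlert:
    """Threshold rule with a per-source suspend time (assumed design)."""

    def __init__(self, threshold=THRESHOLD, window=WINDOW, suspend=SUSPEND):
        self.threshold, self.window, self.suspend = threshold, window, suspend
        self.hits = defaultdict(deque)   # src_ip -> timestamps of blocked packets
        self.suspended_until = {}        # src_ip -> time before which no mail is sent

    def process(self, ts, src_ip, action):
        """Return True if a warning mail should be sent for this event."""
        if action != "blocked":
            return False
        q = self.hits[src_ip]
        q.append(ts)
        # Drop packets that fell out of the sliding one-minute window.
        while q and ts - q[0] > self.window:
            q.popleft()
        if len(q) <= self.threshold:
            return False
        # Threshold exceeded: swallow the repeat if the source is still suspended.
        if ts < self.suspended_until.get(src_ip, 0):
            return False
        self.suspended_until[src_ip] = ts + self.suspend
        return True


def run(events, **kw):
    """Feed (timestamp_seconds, src_ip, action) events; return the warnings raised."""
    alert = BlockedPacketAlert(**kw)
    return [(ts, ip) for ts, ip, act in events if alert.process(ts, ip, act)]


# Constructed sample: one source floods 150 blocked packets in 30 s, again at
# 40 min (inside the suspend time) and again at 70 min (after it expires).
SAMPLE_EVENTS = ([(5, "192.0.2.9", "blocked")]
                 + [(i // 5, "10.0.0.5", "blocked") for i in range(150)]
                 + [(2400 + i // 5, "10.0.0.5", "blocked") for i in range(150)]
                 + [(4200 + i // 5, "10.0.0.5", "blocked") for i in range(150)])

if __name__ == "__main__":
    print(run(SAMPLE_EVENTS))   # two warnings for 10.0.0.5, none for 192.0.2.9
```

Without the suspend time the second flood would also generate mail, which is exactly the self-inflicted flood the scenario warns about.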
The user can combine multiple correlation rules in an alert as shown in the figure below:
The user can add a time period between consecutive rules, as shown in the figure below:
According to the figure above, the first rule runs first and the second rule runs within 5 minutes of it. The alert is triggered only once all of these rules have run.