Alerting in CSA 5.0

Unanswered Question
Jun 4th, 2007

This isn't so much a technical question, but more a stylistic one...


Our Network group wants to set up paging in our CSA deployment, but obviously doesn't want pages for every little Alert that comes up.


Does anyone have any examples of alerts they set up in their CSA deployment? Just wanted to get an idea of what rules to focus on that would indicate a network attack or trouble...

tsteger1 Mon, 06/04/2007 - 09:05

We use an email account in a similar way with seven categories of alerts:

Application and COM invocation email alert rule
Critical events (agent or MC problems)
Malware related event email alert rule
Portscan event email alert rule
Significant Network Event email alert rule
WSUS failures (goes to Service Desk to fix)
Suspend Agent event email alert rule

The thresholds and events are defined in the event sets and we filter false positives using email rules. You could probably do the same for Global Event correlation and portscans and use a pager.


The challenge is making it only notify you if you need to be notified so you don't start to ignore it.


Tom
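As an added illustration of the triage Tom describes (categories, a false-positive filter, and a threshold before anyone gets paged), here is a small Python routing routine. It is not code from the thread or from Cisco CSA; the category names, event fields, routing policy and the sample events are all assumptions constructed for the example.

```python
"""Alert triage modelled on the thread's approach (hypothetical example).

Each event is assigned a category; known false positives are dropped; only
page-worthy categories reach the pager, and noisy ones (portscans) must cross
a per-host threshold inside a time window first. Everything else goes to the
email account. Field names and policy values are assumptions, not CSA's schema.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

PAGE, EMAIL, DROP = "page", "email", "drop"

# Assumed routing policy per category.
CATEGORY_ROUTE = {
    "critical": PAGE,            # agent or Management Center problems
    "malware": PAGE,
    "portscan": PAGE,            # only after the threshold below is met
    "global_correlation": PAGE,
    "network_event": EMAIL,
    "app_com_invocation": EMAIL,
    "wsus_failure": EMAIL,       # service desk mailbox
    "suspend_agent": EMAIL,
}

# Page-worthy categories that need N events from one host within WINDOW.
PAGE_THRESHOLDS = {"portscan": (5, timedelta(minutes=10))}

# Known false positives as (category, host or None, message substring or None).
FALSE_POSITIVES = [
    ("app_com_invocation", None, "backup-agent.exe"),  # nightly backup job
    ("portscan", "vuln-scanner-01", None),             # authorised scanner
]


class AlertRouter:
    def __init__(self):
        # (category, host) -> timestamps of recent events, oldest first
        self._recent = defaultdict(deque)

    def is_false_positive(self, event):
        for cat, host, needle in FALSE_POSITIVES:
            if cat != event["category"]:
                continue
            if host is not None and host != event["host"]:
                continue
            if needle is not None and needle not in event["message"]:
                continue
            return True
        return False

    def route(self, event):
        """Return 'page', 'email' or 'drop' for a single event dict."""
        if self.is_false_positive(event):
            return DROP
        dest = CATEGORY_ROUTE.get(event["category"], EMAIL)
        if dest != PAGE:
            return dest
        threshold = PAGE_THRESHOLDS.get(event["category"])
        if threshold is None:
            return PAGE
        count, window = threshold
        q = self._recent[(event["category"], event["host"])]
        q.append(event["time"])
        while q and event["time"] - q[0] > window:
            q.popleft()          # forget events outside the window
        # Below the threshold it is still recorded, but by email only.
        return PAGE if len(q) >= count else EMAIL


def route_all(events):
    """Route a list of events in order; returns one decision per event."""
    router = AlertRouter()
    return [router.route(e) for e in events]


# Constructed sample events (not real CSA output).
T0 = datetime(2007, 6, 4, 9, 0)
SAMPLE_EVENTS = [
    {"time": T0, "category": "critical", "host": "mc-01",
     "message": "Management Center service stopped"},
    {"time": T0, "category": "app_com_invocation", "host": "ws-17",
     "message": "backup-agent.exe invoked COM object"},
    {"time": T0, "category": "wsus_failure", "host": "ws-22",
     "message": "WSUS update failed"},
    {"time": T0 + timedelta(minutes=1), "category": "portscan",
     "host": "vuln-scanner-01", "message": "portscan detected"},
] + [
    {"time": T0 + timedelta(minutes=2 + i), "category": "portscan",
     "host": "ws-09", "message": "portscan detected"} for i in range(5)
] + [
    {"time": T0 + timedelta(minutes=20), "category": "portscan",
     "host": "ws-09", "message": "portscan detected"},
]

if __name__ == "__main__":
    for event, decision in zip(SAMPLE_EVENTS, route_all(SAMPLE_EVENTS)):
        print(f"{event['host']:16} {event['category']:20} -> {decision}")
```

The sample run shows the behaviour the thread is after: the critical event pages immediately, the backup job's COM invocation and the authorised scanner are dropped, the WSUS failure goes to email, and the repeated portscans from one workstation are emailed until the fifth one inside ten minutes, which pages; the lone scan twenty minutes later falls outside the window and is emailed again.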



