Alerting in CSA 5.0

joseph.hamilton
Level 1

This isn't so much a technical question, but more a stylistic one...

Our Network group wants to set up paging in our CSA deployment, but obviously doesn't want pages for every little Alert that comes up.

Does anyone have any examples of alerts they set up in their CSA deployment? Just wanted to get an idea what rules to focus on that would indicate a network attack or trouble...

1 Reply

tsteger1
Level 8

We use an email account in a similar way with seven categories of alerts:

Application and COM invocation email alert rule
Critical events (agent or MC problems)
Malware related event email alert rule
Portscan event email alert rule
Significant Network Event email alert rule
WSUS failures (goes to Service Desk to fix)
Suspend Agent event email alert rule

The thresholds and events are defined in the event sets and we filter false positives using email rules. You could probably do the same for Global Event correlation and portscans and use a pager.

The challenge is making it only notify you if you need to be notified so you don't start to ignore it.

Tom
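As an added example that is not part of the thread and not CSA's own code, the following Python script models the alerting design the reply describes: events are sorted into the seven categories, each category has a threshold and a delivery channel (pager, e-mail, or Service Desk), false positives are dropped by mailbox-style filter rules, and a per-host cooldown stops the same condition from paging repeatedly. The event text, category patterns, thresholds, window sizes and cooldowns are all constructed assumptions for illustration; CSA's real event sets and Management Center formats are not modelled.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Event:
    ts: int        # seconds since epoch (constructed timestamps)
    host: str
    message: str   # free-text event description (constructed format)


@dataclass(frozen=True)
class Notification:
    channel: str   # "pager", "email" or "servicedesk"
    host: str
    category: str
    count: int     # events in the window that tripped the threshold
    ts: int


# Category classifier: first matching pattern wins. These patterns are
# assumptions for the example, not CSA's real event names.
CATEGORY_RULES = [
    ("critical",      re.compile(r"agent (stopped|crashed)|MC (unreachable|error)", re.I)),
    ("malware",       re.compile(r"malware|trojan|worm", re.I)),
    ("portscan",      re.compile(r"port ?scan", re.I)),
    ("suspend_agent", re.compile(r"agent suspended", re.I)),
    ("wsus",          re.compile(r"wsus", re.I)),
    ("network",       re.compile(r"network event", re.I)),
    ("app_com",       re.compile(r"COM invocation|application invocation", re.I)),
]

# Per-category policy (assumed values): where it goes, how many events per
# window are needed before notifying, and how long to stay quiet afterwards
# for the same host and category so nobody learns to ignore the pager.
POLICY = {
    "critical":      dict(channel="pager",       threshold=1, window=0,   cooldown=3600),
    "malware":       dict(channel="pager",       threshold=1, window=0,   cooldown=3600),
    "suspend_agent": dict(channel="pager",       threshold=1, window=0,   cooldown=3600),
    "portscan":      dict(channel="pager",       threshold=3, window=300, cooldown=900),
    "network":       dict(channel="email",       threshold=1, window=0,   cooldown=600),
    "app_com":       dict(channel="email",       threshold=1, window=0,   cooldown=600),
    "wsus":          dict(channel="servicedesk", threshold=1, window=0,   cooldown=86400),
}

# False-positive filters, the equivalent of mailbox rules: (category, pattern).
# Constructed example: a known backup tool that legitimately launches processes.
SUPPRESS = [("app_com", re.compile(r"by backup-agent\.exe", re.I))]


def classify(message: str) -> Optional[str]:
    """Return the category name for a message, or None if it matches nothing."""
    for name, pattern in CATEGORY_RULES:
        if pattern.search(message):
            return name
    return None


class Triage:
    """Stateful router: thresholds per (host, category), then cooldown."""

    def __init__(self, policy=POLICY, suppress=SUPPRESS):
        self.policy = policy
        self.suppress = suppress
        self.windows = defaultdict(deque)   # (host, category) -> event timestamps
        self.last_sent = {}                 # (host, category) -> ts of last notification
        self.dropped = 0                    # suppressed or cooled-down events

    def handle(self, ev: Event) -> Optional[Notification]:
        cat = classify(ev.message)
        if cat is None or cat not in self.policy:
            return None
        if any(scat == cat and rx.search(ev.message) for scat, rx in self.suppress):
            self.dropped += 1
            return None
        p = self.policy[cat]
        key = (ev.host, cat)
        window = self.windows[key]
        window.append(ev.ts)
        while window and ev.ts - window[0] > p["window"]:   # drop stale events
            window.popleft()
        if len(window) < p["threshold"]:
            return None
        last = self.last_sent.get(key)
        if last is not None and ev.ts - last < p["cooldown"]:
            self.dropped += 1
            return None
        count = len(window)
        window.clear()                      # start counting afresh after notifying
        self.last_sent[key] = ev.ts
        return Notification(p["channel"], ev.host, cat, count, ev.ts)


def run(events: List[Event]) -> Tuple[List[Notification], int]:
    """Process events in time order; return (notifications sent, events dropped)."""
    triage = Triage()
    sent = [n for n in (triage.handle(e) for e in sorted(events, key=lambda e: e.ts)) if n]
    return sent, triage.dropped


# Constructed sample feed (not real CSA output).
SAMPLE_EVENTS = [
    Event(1000, "ws01",  "Application invocation: cmd.exe launched by backup-agent.exe"),
    Event(1005, "ws01",  "Application invocation: powershell.exe launched by winword.exe"),
    Event(1010, "srv02", "Portscan detected from 10.0.0.5: 22 ports"),
    Event(1020, "srv02", "Portscan detected from 10.0.0.5: 445 ports"),
    Event(1030, "srv02", "Portscan detected from 10.0.0.5: 80 ports"),
    Event(1040, "srv02", "Portscan detected from 10.0.0.5: 443 ports"),
    Event(1100, "srv03", "Malware related event: trojan quarantined"),
    Event(1200, "srv03", "Malware related event: trojan quarantined again"),
    Event(1300, "srv04", "WSUS update installation failed"),
    Event(1400, "ws05",  "Agent stopped unexpectedly"),
    Event(1500, "ws05",  "Agent suspended by user"),
]

if __name__ == "__main__":
    notifications, dropped = run(SAMPLE_EVENTS)
    for n in notifications:
        print(f"{n.ts} {n.channel:<11} {n.host:<6} {n.category} (x{n.count})")
    print(f"dropped: {dropped}")
```

Running it on the sample feed sends six notifications (four pages, one e-mail, one Service Desk ticket) and drops two events: the backup tool's process launch filtered as a false positive, and the repeated malware event on srv03 held back by the cooldown. The portscan line pages only once the third event for the same host lands inside the five-minute window, which is the kind of threshold the reply says lives in the event sets.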