Configuration of Advanced Alerts
As an administrator, you can change the configuration settings of Advanced Alerts.
Triggers describe what action should be taken when a correlation Blok is triggered. If several triggers are associated with the same correlation Blok, all of them are triggered. When a trigger is activated, an alert is sent out in the form of an email or syslog notification.
Advanced Alerts are configured in LogLogic LMI. The alert configuration includes the following settings:- A list of categories for acknowledgement and triggers: such as Attack on Third Party or Security Alert
- A list of severities
- The working hours, in 24-hour time format: for each day, you can specify up to two time ranges. For example, if you specify 08:30-12:30 and 13:30-18:00, it indicates a break of one hour between 12:00 PM and 6:00 PM.
- The SLA for each severity, in minutes: for example:"medium": "240" indicates that the SLA for a medium severity alert is 240 minutes.
Example: Suppose the working hours are set as per the following sample configuration file, the SLA for a medium alert is 240 minutes, that is, 4 hours, and the alert arrives on Monday at 11:30 AM. The SLA time is calculated by considering breaks in the working hours, if any. Therefore, in this case, the alert expires at 16:30 hrs or 04:00 PM, considering there is a one-hour break in the working hours of Monday.
- The alert purge interval in hours, when the alert purge task must be triggered. The default value is 24.
- The alert retention policy, in days.
Sample Configuration File
The following is a sample file that includes all settings for advanced alerts. In a browser, type the URL: <appliance_IP>/monitoring and then navigate to /unity/system/config/alerting/tenant1. The path mentioned in nodePath must be /unity/system/config/alerting/tenant1. The values shown in the following sample file are the default values stored in LogLogic LMI.
{ "configurations": [ { "nodePath": "/unity/system/config/alerting/tenant1", "data": { "Categories": [ "Attack on third party2", "Authorized Activity", "Authorized security testing", "Emergency changes", "False positive", "Known error", "LogLogic Event", "Network Noise", "Security Alert", "Suspicious Activity", "Unauthorized Activity", "Unknown" ], "Severities": [ "Info", "Low", "Medium", "High" ], "workHours": { "monday": { "morning": "08:00-12:30", "afternoon": "13:30-17:30" }, "tuesday": { "morning": "08:00-12:30", "afternoon": "13:30-17:30" }, "wednesday": { "morning": "08:00-12:30", "afternoon": "13:30-17:30" }, "thursday": { "morning": "08:00-12:30", "afternoon": "13:30-17:30" }, "friday": { "morning": "08:00-12:30", "afternoon": "13:30-17:30" } }, "slaForSeverity": { "Info": "1440", "Low": "720", "Medium": "240", "High": "60", "None": "10" }, "alertPurgeSchedulerInterval" : 24, "alertsDaysOfRetention" : 90 } } ] }