The following provides an overview of creating and monitoring alerts:
Configure alert rules to create alerts when a matching event occurs.
An alert contains almost the same information as the related event and also includes additional information specific to the alert, such as owner, state, and priority.
As Change Guardian detects subsequent instances of the same alert, the product associates the trigger events to the existing alert to avoid duplication of alerts.
View and monitor alerts in the Alert Dashboard.
As you monitor alerts, you can assign alerts to different users and roles, track the alert from origination to resolution, and annotate the alert rule by adding information to the knowledge base.
NOTE: When you create Office 365 and Exchange alerts based on event names, include the following policy definitions: "includes events only when event name matches Exchange server/..." and "includes events only when generated by policies policies". This ensures that you receive separate events for Office 365 and Exchange. If you do not add these conditions to the policy definition, Change Guardian might raise two alerts for the same event, because many user operations are common to both Office 365 and Exchange.
Change Guardian automatically associates the relevant events and identities with the alert to help you determine the root cause of a potential threat. For example, you can create an alert rule that alerts you when the same user violates the same policy a specified number of times on the same asset within a specified time frame.
NOTE: If you are using Change Guardian in a mixed environment with Sentinel, the alert rules you create in Change Guardian are available as correlation rules in the Sentinel web console. For best results in a mixed environment, use Sentinel to manage these rules.
Policy Editor allows you to create, delete, edit, redeploy, and view alert rules.
To create an alert rule:
Log in to Policy Editor.
To open the Alert Rules window, click Settings > Alert Rules.
Select an alert view:
All alert rules
Alert rules grouped according to the associated event destination
Specify the following details:
The alert rule name of your choice.
The alert rule name supports only alphanumeric characters and underscores. Special characters, such as -!`~#$%^&()+=[],;. and the space character, are not supported.
The policy or policies that you want to be alerted on.
If you do not specify one or more policies, the alert rule is applicable for all policies.
The option to create an alert with a filter for a specific pattern.
For example, if you specify the pattern DNS, the alert rule creates alerts for all policies whose name contains DNS, such as DNS Configuration.
Whether you want to be alerted on severity and severity range.
The event name or event names that you want to be alerted on.
You can optionally add granularity to any alert rule by using the event name as a filter criterion.
Event names fall into categories such as the following:
Active Directory
Configuration
File Systems
Group
Group Policy
Processes
User Accounts
Windows Specifics
The event field or event fields that you want to be alerted on.
Whether you want to be alerted on managed or unmanaged users.
Whether you want to be alerted on event outcome.
Whether you want to be alerted on an IP address and its subnet.
Alert criteria that further define the specific circumstances under which the alert rule creates an alert for the specified policies:
Generate an alert when an event occurs a specified number of times in a specified time frame.
Group alerts according to the specified event attributes.
The event destinations to which you want to deploy the alert rule. By default, all available event destinations are selected.
NOTE: When you create an alert rule, Change Guardian uses the user account that is logged in to Policy Editor. You can also associate a different user account with an additional event destination. Both of these user accounts must have the Manage all alerts and Manage Correlation Engines/Rules permissions.
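The alert criteria described above (a policy pattern, a threshold count within a time frame, grouping by event attributes, and attaching subsequent trigger events to an existing alert rather than raising a duplicate) as an added illustration in Python. This is not Change Guardian code: the event fields, the rule dictionary and the sample events are all constructed for the example.

```python
import fnmatch
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real Change Guardian output): alice violates
# the same policy four times on dc01 within two minutes, then once much later.
EVENTS = [
    {"ts": "2024-05-01T10:00:00", "policy": "DNS Configuration", "user": "alice", "asset": "dc01"},
    {"ts": "2024-05-01T10:00:30", "policy": "DNS Configuration", "user": "alice", "asset": "dc01"},
    {"ts": "2024-05-01T10:00:45", "policy": "DNS Zone Transfer", "user": "bob", "asset": "dc01"},
    {"ts": "2024-05-01T10:01:10", "policy": "DNS Configuration", "user": "alice", "asset": "dc01"},
    {"ts": "2024-05-01T10:01:40", "policy": "DNS Configuration", "user": "alice", "asset": "dc01"},
    {"ts": "2024-05-01T11:30:00", "policy": "DNS Configuration", "user": "alice", "asset": "dc01"},
]

# Hypothetical rule: any policy with DNS in its name, 3 events in 5 minutes,
# grouped by user, policy and asset (the "same user, same policy, same asset" case).
RULE = {"name": "dns_repeat_violation", "policy_pattern": "*DNS*",
        "threshold": 3, "window_seconds": 300, "group_by": ("user", "policy", "asset")}

def evaluate(rule, events):
    """Run the rule over the events (oldest first) and return the alerts raised."""
    recent = defaultdict(list)  # group key -> matching events still inside the window
    open_alerts = {}            # group key -> the alert already raised for that group
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if not fnmatch.fnmatch(ev["policy"], rule["policy_pattern"]):
            continue                     # policy filter / pattern did not match
        key = tuple(ev[f] for f in rule["group_by"])
        cutoff = datetime.fromisoformat(ev["ts"]) - timedelta(seconds=rule["window_seconds"])
        recent[key] = [e for e in recent[key]
                       if datetime.fromisoformat(e["ts"]) > cutoff] + [ev]
        if len(recent[key]) < rule["threshold"]:
            continue                     # count within the time frame not yet reached
        if key in open_alerts:
            # Same alert detected again: associate the trigger event with the
            # existing alert instead of creating a duplicate alert.
            open_alerts[key]["trigger_events"].append(ev)
            continue
        alert = {"rule": rule["name"], "state": "new", "owner": None,
                 "priority": "medium",   # alert-specific fields beyond the event
                 "group": dict(zip(rule["group_by"], key)),
                 "trigger_events": list(recent[key])}
        open_alerts[key] = alert
        alerts.append(alert)
    return alerts

if __name__ == "__main__":
    for a in evaluate(RULE, EVENTS):
        print(a["group"], len(a["trigger_events"]), "trigger events")
```

The last event at 11:30 matches the policy but falls outside the window, so it neither raises a new alert nor attaches to the existing one.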
When you create an alert rule and save, Change Guardian automatically deploys the alert rule to the event destination you specify.
If you change the alert rule, for example by modifying its alert criteria or adding information to the knowledge base, and then save it, the alert rule is also redeployed automatically to the given event destination. You can also redeploy the alert rule manually. Redeploying an alert rule ensures that the event destination has the most recent version of the alert rule. For more information about the alert knowledge base, see “Viewing and Triaging Alerts in Alert Views” in the Change Guardian User Guide.
To ensure alert rules generate alerts on the alternate event destinations when both the default and the alternate event destinations are FIPS-enabled, you must replicate the certificates from the alternate event destination to the default event destination.
To ensure all event destinations receive alerts:
Download the certificate file /etc/opt/novell/sentinel/config/sentinel.cer from the alternate event destination and place it in a temporary location, such as /tmp.
Change the file ownership and permissions of the copied certificate as follows:
# chown novell:novell /path/to/certificate
# chmod 644 /path/to/certificate
At the command prompt, go to /opt/novell/sentinel/bin.
Run the following command for all alternate event destinations:
./convert_to_fips.sh -i /path/to/certificate
Restart the default event destination server.