...

To make use of an anti-flooding policy, you associate it with a sending policy. The default anti-flooding policy, called default AF, dictates that a single alert may be distributed to any recipient up to five times over the course of one hour and, if the alert persists, a reminder is sent after another hour passes. You can use this rule as is, edit it, or create additional policies as needed.

...

Info

Devo internal mechanisms

Triggered alert discarding → Apart from explicit anti-flooding policies, Devo possesses an intrinsic anti-flooding system that offers an additional layer of protection against alert flooding. Once 100 alerts have been received in a five-minute period, further alerts in that period are discarded. This system is always active, but it is especially useful when no anti-flooding policy is selected: selecting a policy creates a more restrictive environment in which the conditions that activate this system can no longer be reached.

Alert definition deactivation → Devo also has an internal mechanism called AlertRateChecker, which shields you from extreme cases of alert flooding. It deactivates alert definitions upon exceeding a given TREND or SPIKE. Even though they can be configured, the default TREND is 100 alerts per minute several times in every five-minute period, and the default SPIKE is 5000 alerts in a single minute.

...

What permissions do I need?

...

Click the New button at the top right and the Anti-flooding Policy window appears. Enter the required settings and click Create. Once created, the anti-flooding policy is available to use when configuring sending policies (see Create and manage sending policies to learn more).

...

Policy name

Unique name that identifies the policy. Enter one that allows you to easily identify the rule it contains.

Send a maximum of (...) Alerts

Maximum number of alerts that will be sent. If more alerts are triggered, they will not be sent; however, the Alerts Dashboard will always keep a record of every time the alert is triggered.

You can also query the complete history of alerts triggered in the siem.logtrust.alert.info table, and the complete history of alerts not triggered because of an anti-flooding policy or any other reason in the siem.logtrust.alert.error table. See the documentation for these tables to learn more.

Over a period of

Set the period over which the alert counter is tracked in order to limit alert distribution.

Amount of time

Write the desired number or use the arrows to add or subtract one by one.

Time unit

Select one from the drop-down (minutes, hours, days). If you select minutes, the minimum amount of time you can set is 5 minutes. 
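The following is an added example, not Devo's own code: it models the two suppression layers described on this page, an explicit anti-flooding policy ("send a maximum of N alerts over a period of P", instantiated with the default AF values of 5 per hour) followed by the always-on internal discard of alerts beyond 100 per five-minute period, and runs a constructed burst through both to show how a policy keeps the internal limit from ever being reached. The fixed-window counting, the per-alert key (the product counts per recipient) and the omission of the one-hour reminder are simplifying assumptions.

```python
from collections import defaultdict

INTERNAL_LIMIT = 100        # internal discard threshold stated on the page
INTERNAL_WINDOW_S = 5 * 60  # its five-minute period


class FixedWindowCounter:
    """Allow up to `limit` events per key in each fixed window of `window_s` seconds.
    A window opens at the first event seen after the previous window has expired."""

    def __init__(self, limit, window_s):
        self.limit, self.window_s = limit, window_s
        self.state = defaultdict(lambda: [None, 0])  # key -> [window_start, count]

    def allow(self, key, ts):
        start, count = self.state[key]
        if start is None or ts >= start + self.window_s:
            self.state[key] = [ts, 1]  # first event opens a new window
            return True
        if count < self.limit:
            self.state[key][1] = count + 1
            return True
        return False  # over the limit for this window


def default_af_policy():
    """The page's default AF rule: five sends of one alert per hour (reminder not modelled)."""
    return FixedWindowCounter(limit=5, window_s=3600)


def deliver(triggers, policy=None):
    """Pass (alert_id, ts) triggers through the optional policy, then the internal discard.
    Assumption: alert_id alone is the key; in the product the policy counter is per recipient."""
    internal = FixedWindowCounter(INTERNAL_LIMIT, INTERNAL_WINDOW_S)
    stats = {"sent": 0, "policy": 0, "internal": 0}
    for alert_id, ts in triggers:
        if policy is not None and not policy.allow(alert_id, ts):
            stats["policy"] += 1  # not sent, but still recorded in the Alerts Dashboard
        elif not internal.allow(alert_id, ts):
            stats["internal"] += 1  # discarded by the internal mechanism
        else:
            stats["sent"] += 1
    return stats


# Constructed burst: one alert definition firing every 2 seconds for an hour (1800 triggers).
BURST = [("disk_full", t) for t in range(0, 3600, 2)]

if __name__ == "__main__":
    print("no policy: ", deliver(BURST))                       # internal layer trims each 5 min
    print("default AF:", deliver(BURST, default_af_policy()))  # internal layer never reached
```

Without a policy the internal layer discards 50 of every 150 triggers in each five-minute window; with the default AF policy only 5 alerts reach the internal layer, so it never activates.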

...