
Manage anti-flooding policies

Anti-flooding policies limit the number of alerts to distribute in the event that the alert is triggered frequently over a short period of time. This is done to avoid inundating recipients with repeated notifications when an alert condition persists.

The default anti-flooding policy dictates that a single alert may be distributed to any recipient up to five times over the course of one hour and, if the condition persists, a reminder is sent after another hour passes. You can use this rule, called default AF, as is, edit it, or create additional policies as needed.

Devo internal mechanisms

Apart from explicit anti-flooding policies, Devo has an intrinsic anti-flooding system that offers an additional layer of protection against alert flooding. Alerts are discarded once 100 have been received in any five-minute period. This system is always active, but it matters most when no anti-flooding policy is selected: any explicit policy is more restrictive, so the conditions that activate this internal system are never reached.

Devo also has an internal mechanism called AlertRateChecker, which shields you from extreme cases of alert flooding. It deactivates an alert definition when it exceeds a TREND of 100 alerts per minute several times within a five-minute period, or a SPIKE of 5000 alerts in a single minute.

Anti-flooding policies are managed in the Administration → Alert configuration area, in the Alert Policies top tab, inside the Anti-flooding Policy left tab.

Create an anti-flooding policy

Click the New button at the top right and the Anti-flooding Policy window appears. Enter the required settings and click Save. Once created, the anti-flooding policy is available for use when configuring sending policies (see Manage sending policies for details).

Policy name

Unique name that identifies the policy. Enter one that allows you to easily identify the rule it contains.

Send a maximum of (...) Alerts

Maximum number of alerts that will be sent over the period. If more alerts are triggered, they are not sent; however, the Alerts Dashboard always keeps a record of every time the alert is triggered.

You can also query the complete history of alerts triggered in the siem.logtrust.alert.info table, and the complete history of alerts not sent because of an anti-flooding policy or any other reason in the siem.logtrust.alert.error table. Refer to the documentation on these tables for more details.

Over a period of

Establish the periodicity used to keep track of the alert counter in order to limit the alert distribution.

Amount of time

Write the desired number or use the arrows to add or subtract one by one.

Time unit

Select one from the drop-down (minutes, hours, or days). If you select minutes, the minimum period you can set is 5 minutes.

5 alerts per minute

To keep anti-flooding policies restrictive enough to serve their purpose, the highest threshold you can set before alerts start to be discarded is 5 alerts per minute.
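As an added illustration (not Devo's own code), the following Python model shows how the settings above constrain distribution: it validates a policy against the limits the page states (a minimum of 5 minutes when the unit is minutes, and at most 5 alerts per minute, taken here as the ratio of the maximum to the period) and then counts sends per alert and recipient in fixed windows, recording suppressed triggers the way the alert.error table does. The fixed-window reset, the ratio reading of the 5-per-minute limit, and the alert and recipient names are assumptions made for the example.

```python
from dataclasses import dataclass, field

MIN_MINUTES = 5             # page: minimum period when the unit is minutes
MAX_RATE_PER_MINUTE = 5.0   # page: highest threshold is 5 alerts per minute
UNIT_MINUTES = {"minutes": 1, "hours": 60, "days": 1440}


@dataclass
class AntiFloodingPolicy:
    name: str
    max_alerts: int   # "Send a maximum of (...) Alerts"
    amount: int       # "Amount of time"
    unit: str         # "Time unit": minutes, hours or days

    @property
    def period_minutes(self) -> int:
        return self.amount * UNIT_MINUTES[self.unit]

    def validate(self) -> None:  # UI limits from the page; ratio check is an assumption
        if self.unit not in UNIT_MINUTES:
            raise ValueError(f"unknown unit {self.unit!r}")
        if self.unit == "minutes" and self.amount < MIN_MINUTES:
            raise ValueError(f"minimum period is {MIN_MINUTES} minutes")
        if self.max_alerts / self.period_minutes > MAX_RATE_PER_MINUTE:
            raise ValueError("threshold exceeds 5 alerts per minute")


@dataclass
class Distributor:
    """Applies a policy per (alert, recipient) pair using fixed counting windows."""
    policy: AntiFloodingPolicy
    sent: list[tuple[str, str, int]] = field(default_factory=list)        # cf. alert.info
    suppressed: list[tuple[str, str, int]] = field(default_factory=list)  # cf. alert.error
    windows: dict[tuple[str, str], tuple[int, int]] = field(default_factory=dict)

    def trigger(self, alert: str, recipient: str, minute: int) -> bool:
        key = (alert, recipient)
        start, count = self.windows.get(key, (minute, 0))
        if minute - start >= self.policy.period_minutes:  # window elapsed: start a new one
            start, count = minute, 0
        allowed = count < self.policy.max_alerts
        self.windows[key] = (start, count + 1 if allowed else count)
        (self.sent if allowed else self.suppressed).append((alert, recipient, minute))
        return allowed


def simulate_default_af(trigger_minutes: list[int]) -> tuple[int, int]:
    """Run the default AF policy (5 alerts per hour) over a constructed trigger timeline."""
    policy = AntiFloodingPolicy("default AF", max_alerts=5, amount=1, unit="hours")
    policy.validate()
    d = Distributor(policy)
    for m in trigger_minutes:           # hypothetical alert and recipient names
        d.trigger("cpu_high", "soc@example.com", m)
    return len(d.sent), len(d.suppressed)
```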

Edit an anti-flooding policy

Find the desired anti-flooding policy and click the ellipsis icon that appears at the end of the row. Select Edit, make the necessary changes in the Anti-flooding policy window, and click Update.

Delete an anti-flooding policy

Find the desired anti-flooding policy and click the ellipsis icon that appears at the end of the row. Select Delete and confirm the warning message that appears.
