
Create and manage anti-flooding policies

About anti-flooding policies

Anti-flooding policies limit the number of alerts to distribute in the event that the alert is triggered frequently over a short period of time. This is done to avoid inundating recipients with repeated notifications when an alert condition persists.

To put an anti-flooding policy into effect, you associate it with a sending policy. The default anti-flooding policy, called default AF, allows a single alert to be distributed to any recipient up to five times over the course of one hour. You can use this default policy as it is, edit it, or create additional policies as needed.

Anti-flooding policies are managed in the Administration → Alert configuration area, in the Alert Policies top tab, inside the Anti-flooding Policy left tab.

Devo internal mechanisms

Triggered alert discarding → Apart from explicit anti-flooding policies, Devo has an intrinsic anti-flooding system that offers an additional layer of protection against alert flooding. Alerts are discarded once 100 have been received in a five-minute period. This system is always active, but it is especially useful when no anti-flooding policy is selected: any policy you set creates a more restrictive environment, which makes it impossible to reach the conditions that activate this system.

Alert definition deactivation → Devo also has an internal mechanism called AlertRateChecker, which shields you from extreme cases of alert flooding. It deactivates alert definitions upon exceeding a given TREND or SPIKE. Even though they can be configured, the default TREND is 100 alerts per minute several times in every five-minute period, and the default SPIKE is 5000 alerts in a single minute.

What permissions do I need?

To access the Administration → Alert Configuration area you need to have a role with the Manage version of the Alert configuration permission, which also enables the Alert Policies tab. If you only have the View version of this permission, you will not be able to perform any task here.

Create an anti-flooding policy

Click the New button at the top right and the Anti-flooding Policy window appears. Enter the required settings and click Create. Once created, the anti-flooding policy is available to use when configuring sending policies (see Create and manage sending policies to learn more).

Policy name

Unique name that identifies the policy. Enter one that allows you to easily identify the rule it contains.

Send a maximum of (...) Alerts

Maximum number of alerts that will be sent over the period. If more alerts are triggered, they are not sent; however, the Alerts Dashboard always keeps a record of every time the alert is triggered.

You can also query the complete history of triggered alerts in the siem.logtrust.alert.info table, and the complete history of alerts that were not sent, whether because of an anti-flooding policy or for any other reason, in the siem.logtrust.alert.error table. See the documentation on these tables to learn more.

Over a period of

Set the period over which the alert counter is tracked in order to limit alert distribution.

Amount of time

Write the desired number or use the arrows to add or subtract one by one.

Time unit

Select one from the drop-down (minutes, hours, days). If you select minutes, the minimum amount of time you can set is 5 minutes. 

5 alerts per minute

To keep anti-flooding policies restrictive enough to serve their purpose, the highest threshold you can establish to start discarding alerts is 5 alerts per minute.
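The following is an added example, not Devo code, that models the policy settings described above: the maximum-alerts-per-period rule, the 5-minute minimum when the unit is minutes, and the 5-alerts-per-minute ceiling, together with a sliding-window counter that decides whether each trigger is sent or discarded while still recording every trigger (as the Alerts Dashboard does). The per-(alert, recipient) counter key, the alert name, the recipient address and the trigger timestamps are constructed assumptions for the simulation.

```python
"""Simulation of anti-flooding policies (added example; not Devo's own code)."""
from collections import deque
from dataclasses import dataclass

# Seconds per time unit offered in the "Time unit" drop-down.
UNIT_SECONDS = {"minutes": 60, "hours": 3600, "days": 86400}


@dataclass(frozen=True)
class AntiFloodingPolicy:
    """One policy: send at most `max_alerts` over `amount` `unit`."""
    name: str
    max_alerts: int
    amount: int
    unit: str

    def __post_init__(self):
        if self.unit not in UNIT_SECONDS:
            raise ValueError(f"unknown time unit {self.unit!r}")
        if self.max_alerts < 1 or self.amount < 1:
            raise ValueError("max_alerts and amount must be positive")
        # Form constraint: when the unit is minutes, the minimum period is 5.
        if self.unit == "minutes" and self.amount < 5:
            raise ValueError("minimum period in minutes is 5")
        # Form constraint: the highest threshold allowed is 5 alerts per minute.
        # Integer comparison avoids float rounding at exactly 5 per minute.
        if self.max_alerts * 60 > 5 * self.period_seconds:
            raise ValueError("threshold exceeds 5 alerts per minute")

    @property
    def period_seconds(self) -> int:
        return self.amount * UNIT_SECONDS[self.unit]


def is_accepted(max_alerts: int, amount: int, unit: str) -> bool:
    """True if the form constraints above would accept these settings."""
    try:
        AntiFloodingPolicy("candidate", max_alerts, amount, unit)
        return True
    except ValueError:
        return False


class AntiFloodingLimiter:
    """Applies a policy to alert triggers with a sliding window.

    Assumption (not stated explicitly on the page): the counter is kept per
    (alert definition, recipient) pair, matching the description of the
    default policy ("a single alert ... to any recipient up to five times").
    """

    def __init__(self, policy: AntiFloodingPolicy):
        self.policy = policy
        self._windows: dict[tuple[str, str], deque] = {}
        self.triggered = []   # every trigger, sent or not (Alerts Dashboard)
        self.sent = []        # notifications actually distributed
        self.discarded = []   # suppressed by the policy

    def on_trigger(self, alert: str, recipient: str, ts: float) -> bool:
        """Return True if the notification is sent, False if it is discarded."""
        self.triggered.append((alert, recipient, ts))
        window = self._windows.setdefault((alert, recipient), deque())
        # Forget send timestamps that have fallen out of the policy period.
        cutoff = ts - self.policy.period_seconds
        while window and window[0] <= cutoff:
            window.popleft()
        if len(window) < self.policy.max_alerts:
            window.append(ts)
            self.sent.append((alert, recipient, ts))
            return True
        self.discarded.append((alert, recipient, ts))
        return False


# The default policy described on the page: 5 alerts per recipient per hour.
DEFAULT_AF = AntiFloodingPolicy("default AF", max_alerts=5, amount=1, unit="hours")


def simulate_default_af() -> dict:
    """Constructed scenario: one alert fires every 10 s for 12 minutes,
    then once more just after the first hour has elapsed."""
    limiter = AntiFloodingLimiter(DEFAULT_AF)
    fired = [t * 10 for t in range(72)]          # 0 s .. 710 s
    fired.append(3601)                           # 1 s past the hour
    results = [limiter.on_trigger("failed_logins", "soc@example.test", ts)
               for ts in fired]
    return {
        "triggered": len(limiter.triggered),
        "sent": len(limiter.sent),
        "discarded": len(limiter.discarded),
        "sent_after_hour": results[-1],
    }


if __name__ == "__main__":
    print(simulate_default_af())
```

In the simulated burst only the first five triggers are distributed; the remaining 67 are discarded but still counted, and the trigger at 3601 s is sent again because the oldest send has left the one-hour window. The validation mirrors the form: 25 alerts over 5 minutes is accepted (exactly 5 per minute), 26 is rejected, and a 4-minute period is rejected.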

Edit an anti-flooding policy

Find the desired anti-flooding policy and click the ellipsis icon that appears at the end of the row. Select Edit, make the necessary changes in the Anti-flooding policy window, and click Update.

Delete an anti-flooding policy

Find the desired anti-flooding policy and click the ellipsis icon that appears at the end of the row. Select Delete and confirm the warning message that appears.
