15.2 Managing Alert Rules

The Alert Rules window in the Policy Editor allows you to:

  • Create alert rules

  • Edit alert rules

  • Delete alert rules

  • Redeploy alert rules

  • View the status of alerts

On the Alert Rules window, you can choose one of the following views:

  • All alert rules

  • Alert rules grouped according to the associated event destination

To access the Alert Rules window, on the Settings menu, click Alert Rules.

Change Guardian automatically associates the relevant events and identities with the alert to help you determine the root cause of a potential threat. For example, you can create an alert rule that alerts you when the same user violates the same policy a specified number of times on the same asset within a specified time frame.

NOTE: If you are using Change Guardian in a mixed environment with NetIQ Sentinel, the alert rules you create in Change Guardian are available as correlation rules in the Sentinel web console. For best results in a mixed environment, use Sentinel to manage these rules.

15.2.1 Creating an Alert Rule

When you create an alert rule, specify the following:

  • The policy or policies you want to monitor for events. If you do not specify one or more policies, the alert rule creates an alert for all events for all policies.

  • An optional pattern the events must match before the alert rule creates an alert. For example, if you monitor the policy name for DNS, the alert rule creates alerts for all policies that contain DNS in the policy name, such as DNS Configuration and Process and DNS.

  • Whether you want to monitor managed or unmanaged users.

  • Alert criteria that further define the specific circumstances under which the alert rule creates an alert for the specified policies:

    • Generate an alert when an event occurs a specified number of times in a specified time frame.

    • Group alerts according to the specified event attribute.

  • The event destinations to which you want to deploy the alert rule. By default, all available event destinations are selected.
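The alert criteria above (a threshold of events within a time frame, grouped by an event attribute, with an optional policy-name pattern) can be illustrated with a small correlation function. This is an added example written for this page, not Change Guardian's own correlation engine; the event tuples are constructed, and the choice to reset a group's window after an alert fires is an assumption made here.

```python
from collections import defaultdict, deque

# Constructed sample events (not product output): (timestamp_seconds, user, policy, asset).
SAMPLE_EVENTS = [
    (0,    "alice", "DNS Configuration", "srv01"),
    (30,   "alice", "DNS Configuration", "srv01"),
    (45,   "bob",   "DNS Configuration", "srv01"),
    (70,   "alice", "DNS Configuration", "srv01"),  # alice's 3rd hit within 300 s
    (100,  "alice", "Process",           "srv01"),  # does not match pattern "DNS"
    (500,  "alice", "DNS Configuration", "srv02"),  # different asset, separate group
    (1000, "alice", "DNS Configuration", "srv01"),
    (1200, "alice", "DNS Configuration", "srv01"),
    (1400, "alice", "DNS Configuration", "srv01"),  # the t=1000 hit has left the window
]

FIELD_INDEX = {"user": 1, "policy": 2, "asset": 3}


def correlate(events, pattern=None, group_by=("user", "policy", "asset"),
              threshold=3, window_seconds=300):
    """Return alerts as (fire_time, group_key, count).

    An alert fires when a group accumulates `threshold` matching events
    within a trailing window of `window_seconds`. The group's window is
    then cleared (assumption) so one burst yields a single alert.
    """
    windows = defaultdict(deque)
    alerts = []
    for event in sorted(events):
        ts, policy = event[0], event[2]
        # Optional pattern: case-insensitive substring match on the policy name.
        if pattern is not None and pattern.lower() not in policy.lower():
            continue
        key = tuple(event[FIELD_INDEX[f]] for f in group_by)
        window = windows[key]
        window.append(ts)
        # Drop timestamps that fell out of the trailing time frame.
        while window and ts - window[0] > window_seconds:
            window.popleft()
        if len(window) >= threshold:
            alerts.append((ts, key, len(window)))
            window.clear()
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS, pattern="DNS"):
        print(alert)
```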

By default, when you create an alert rule, Change Guardian uses the user account associated with the event destination, which is typically the eventdispatcher user. This user account has the Manage correlation rule permission. If a user creates an event destination and associates a different user account, that account must have the Manage correlation rule permission.

NOTE: The alert rule name supports only alphanumeric characters and underscores. Special characters, such as -!`~#$%^&()+=[],;. and space, are not supported.

For more information about event destinations, see Understanding Event Destinations.

15.2.2 Redeploying Alert Rules

When you create an alert rule, Change Guardian automatically deploys the alert rule to the event destination you specify.

If you make changes to the alert rule, such as modifying its alert criteria or adding information to the knowledge base, you can redeploy it to the event destination. Redeploying an alert rule ensures the event destination has the most recent version of the alert rule. For more information about the alert knowledge base, see Viewing Alerts.

15.2.3 Ensuring Alternate Event Destinations Receive Alerts

To ensure alert rules on the alternate event destinations generate alerts when the default event destination is FIPS-enabled, you must replicate the certificates from the alternate event destination to the default event destination.

  1. Download the certificates from the following location, and place them in a temporary location, such as /tmp:

    file: /etc/opt/novell/sentinel/config/sentinel.cer

  2. Change the ownership and permissions of the certificate file as follows:

    • # chown novell:novell /path to certificate

    • # chmod 644 /path to certificate

  3. Open a command prompt and go to /opt/novell/sentinel/bin.

  4. Run the following command for all alternate event destinations:

    ./convert_to_fips.sh -i /path to certificate

  5. Restart the default event destination server.