17.2 Managing Alert Rules

The Alert Rules window in the Policy Editor allows you to:

  • Create alert rules

  • Edit alert rules

  • Delete alert rules

  • Redeploy alert rules

  • View the status of alerts

On the Alert Rules window, you can choose one of the following views:

  • All alert rules

  • Alert rules grouped according to the associated event destination

To access the Alert Rules window, on the Settings menu, click Alert Rules.

Change Guardian automatically associates the relevant events and identities with the alert to help you determine the root cause of a potential threat. For example, you can create an alert rule that alerts you when the same user violates the same policy a specified number of times on the same asset within a specified time frame.

NOTE: If you are using Change Guardian in a mixed environment with Sentinel, the alert rules you create in Change Guardian are available as correlation rules in the Sentinel web console. For best results in a mixed environment, use Sentinel to manage these rules.

17.2.1 Creating an Alert Rule

When you create an alert rule, specify the following:

  • The alert rule name of your choice. The alert rule name supports only alphanumeric characters and underscores. Special characters, such as -!`~#$%^&()+=[],;. and space, are not supported.

  • The policy or policies that you want to be alerted on. If you do not specify one or more policies, the alert rule is applicable for all policies.

  • The option to create an alert with a filter for a specific pattern. For example, if you filter on policy names that contain DNS, the alert rule creates alerts for all policies with DNS in the policy name, such as DNS Configuration.

  • Whether you want to be alerted on severity and severity range.

  • The event name or event names that you want to be alerted on. You can optionally add granularity by using the event name as a filter criterion when you create any alert rule.

    Following are the categories for event names:

    • Active Directory

    • Configuration

    • File Systems

    • Group

    • Group Policy

    • Processes

    • User Accounts

    • Windows Specifics

  • The event field or event fields that you want to be alerted on.

  • Whether you want to be alerted on managed or unmanaged users.

  • Whether you want to be alerted on event outcome.

  • Whether you want to be alerted on IP address and its subnet.

  • Alert criteria that further define the specific circumstances under which the alert rule creates an alert for the specified policies:

    • Generate an alert when an event occurs a specified number of times in a specified time frame.

    • Group alerts according to the specified event attributes.

  • The event destinations to which you want to deploy the alert rule. By default, all available event destinations are selected.

By default, when you create an alert rule, Change Guardian uses the user account that is logged in to Policy Editor. You can also associate a different user account with an additional event destination. Both of these user accounts must have the Manage all alerts and Manage Correlation Engines/Rules permissions.

For more information about event destinations, see Understanding Event Destinations.
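The threshold-in-a-time-frame criterion described above (the same user violating the same policy a specified number of times on the same asset within a time frame) and the policy-name pattern filter can be expressed as a small sliding-window correlation routine. This is an added illustration, not Change Guardian's or Sentinel's own correlation engine; the event field names and sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events shaped like policy-violation events
# (hypothetical field names, not the product's actual event schema).
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T10:00:00", "user": "bob",   "policy": "DNS Configuration", "asset": "srv01"},
    {"ts": "2024-05-01T10:00:05", "user": "alice", "policy": "DNS Configuration", "asset": "srv01"},
    {"ts": "2024-05-01T10:00:30", "user": "alice", "policy": "Group Membership",  "asset": "srv01"},
    {"ts": "2024-05-01T10:00:40", "user": "alice", "policy": "DNS Configuration", "asset": "srv01"},
    {"ts": "2024-05-01T10:00:50", "user": "alice", "policy": "DNS Configuration", "asset": "srv02"},
    {"ts": "2024-05-01T10:01:10", "user": "alice", "policy": "DNS Configuration", "asset": "srv01"},
    {"ts": "2024-05-01T10:05:00", "user": "alice", "policy": "DNS Configuration", "asset": "srv01"},
    {"ts": "2024-05-01T10:30:00", "user": "bob",   "policy": "DNS Configuration", "asset": "srv01"},
]


def correlate(events, threshold, window_seconds,
              group_by=("user", "policy", "asset"), policy_pattern=None):
    """Return one alert per group whose events reach `threshold` within a sliding window.

    policy_pattern: substring that the policy name must contain (None = all policies),
    mirroring the pattern filter described for alert rules.
    group_by: event attributes that define one alert group (here user, policy, asset).
    """
    windows = defaultdict(deque)   # group key -> timestamps inside the current window
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if policy_pattern is not None and policy_pattern not in ev["policy"]:
            continue
        ts = datetime.fromisoformat(ev["ts"])
        key = tuple(ev[field] for field in group_by)
        window = windows[key]
        window.append(ts)
        # Drop timestamps that fell out of the time frame.
        while window and ts - window[0] > timedelta(seconds=window_seconds):
            window.popleft()
        if len(window) >= threshold:
            alerts.append({"group": dict(zip(group_by, key)), "count": len(window),
                           "first": window[0].isoformat(), "last": ts.isoformat()})
            window.clear()   # one burst yields one alert, then counting restarts
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS, threshold=3, window_seconds=120, policy_pattern="DNS"):
        print(alert)
```

With the sample data, only alice on srv01 trips the rule (three DNS Configuration violations within 120 seconds); her violation on srv02 and the non-DNS policy are kept in separate groups and do not count.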

17.2.2 Redeploying Alert Rules

When you create and save an alert rule, Change Guardian automatically deploys the alert rule to the event destination you specify.

If you change the alert rule, for example by modifying its alert criteria or adding information to the knowledge base, and then save it, the alert rule is also redeployed automatically to the given event destination. You can also redeploy the alert rule manually. Redeploying an alert rule ensures that the event destination has the most recent version of the alert rule. For more information about the alert knowledge base, see Viewing Alerts.

17.2.3 Ensuring Alternate Event Destinations Receive Alerts

To ensure alert rules on the alternate event destinations generate alerts when the default event destination is FIPS-enabled, you must replicate the certificates from the alternate event destination to the default event destination.

  1. Download the certificates from the following location on the alternate event destination, and place them in a temporary location, such as /tmp:

    file: /etc/opt/novell/sentinel/config/sentinel.cer

  2. Change the ownership and permissions of the certificate file as follows:

    • # chown novell:novell /path to certificate

    • # chmod 644 /path to certificate

  3. Open a command prompt and go to /opt/novell/sentinel/bin.

  4. Run the following command for all alternate event destinations:

    ./convert_to_fips.sh -i /path to certificate

  5. Restart the default event destination server.