8.3 Creating and Managing Alert Rules

The following provides an overview of creating and monitoring alerts:

  1. Configure alert rules to create alerts when a matching event occurs.

    An alert contains almost the same information as the related event and also includes additional information specific to the alert, such as owner, state, and priority.

    As Change Guardian detects subsequent instances of the same alert, the product associates the trigger events to the existing alert to avoid duplication of alerts.

  2. View and monitor alerts in the Administration Console.

    As you monitor alerts, you can assign alerts to different users and roles, track the alert from origination to resolution, and annotate the alert rule by adding information to the knowledge base.

  3. Configure alert retention policies to specify when to automatically close and delete the alerts from Change Guardian.

8.3.1 Creating Alert Rules

Change Guardian automatically associates the relevant events and identities with the alert to help you determine the root cause of a potential threat. For example, you can create an alert rule to alert you when the same user violates the same policy a specified number of times on the same asset within a specified time frame.

Configure alert rules to create alerts when a matching event occurs. An alert contains almost the same information as the related event and also includes additional information specific to the alert, such as owner, state, and priority.

NOTE: If you are using Change Guardian in a mixed environment with Sentinel, the alert rules you create in Change Guardian are available as correlation rules in the Sentinel web console. For best results in a mixed environment, use Sentinel to manage these rules.

Policy Editor allows you to create, delete, edit, redeploy, and view alerts.

To create an alert rule:

  1. Log in to Policy Editor.

  2. To open the Alert Rules window, click Settings > Alert Rules.

  3. Select an alert view:

    • All alert rules

    • Alert rules grouped according to the associated event destination

  4. Specify the following details:

    • The alert rule name of your choice.

      The alert rule name supports only alphanumeric characters and underscores. Special characters, such as -!`~#$%^&()+=[],;. and space, are not supported.

    • The policy or policies that you want to be alerted on.

      If you do not specify one or more policies, the alert rule is applicable for all policies.

    • The option to create an alert with a filter for a specific pattern.

      For example, if you specify the pattern DNS, the alert rule creates alerts for all policies whose name contains DNS, such as DNS Configuration.

    • Whether you want to be alerted on severity and severity range.

    • The event name or event names that you want to be alerted on.

      You can optionally add granularity by including the event name as a filter criterion when you create an alert rule.

      Following are a few categories for event names:

      • Active Directory

      • Configuration

      • File Systems

      • Group

      • Group Policy

      • Processes

      • User Accounts

      • Windows Specifics

    • The event field or event fields that you want to be alerted on.

    • Whether you want to be alerted on managed or unmanaged users.

    • Whether you want to be alerted on event outcome.

    • Whether you want to be alerted on IP address and its subnet.

    • Alert criteria that further define the specific circumstances under which the alert rule creates an alert for the specified policies:

      • Generate an alert when an event occurs a specified number of times in a specified time frame.

      • Group alerts according to the specified event attributes.

    • The event destinations to which you want to deploy the alert rule. By default, all available event destinations are selected.
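To make the alert criteria above concrete, the following is an added example (not Change Guardian code) that re-implements the semantics this section describes: a rule that fires when a matching event occurs a specified number of times within a time frame, grouped by event attributes (here user, policy and asset, as in the example at the start of 8.3.1), with the policy-name pattern and event-outcome filters applied first. Once an alert is open for a group key, later triggers attach their events to that alert instead of raising a duplicate, mirroring the behaviour described in 8.3. The class, field and function names, and the sample events, are constructed for this illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class Event:
    ts: int        # event time in seconds (the constructed sample uses small ints)
    user: str
    policy: str    # policy name, e.g. "DNS Configuration"
    asset: str
    outcome: str   # "Success" or "Failure"


@dataclass
class Alert:
    key: tuple                  # the group-by values this alert covers
    state: str = "New"          # alert-specific fields beyond the event data
    owner: str = ""
    priority: int = 3
    trigger_events: list = field(default_factory=list)


class ThresholdAlertRule:
    """Raise one alert per group key when `count` matching events fall within `window_s` seconds.

    Hypothetical re-implementation of the rule semantics described in the text;
    not the product's own correlation engine.
    """

    def __init__(self, name, count, window_s, group_by=("user", "policy", "asset"),
                 policy_pattern=None, outcome=None):
        self.name = name
        self.count = count
        self.window_s = window_s
        self.group_by = group_by
        self.policy_pattern = policy_pattern   # substring match on the policy name, e.g. "DNS"
        self.outcome = outcome                 # e.g. "Failure"; None means any outcome
        self._pending = defaultdict(deque)     # key -> recent matching events not yet used
        self.alerts = {}                       # key -> currently open Alert

    def matches(self, ev):
        """Apply the pattern and outcome filters before any counting happens."""
        if self.policy_pattern and self.policy_pattern not in ev.policy:
            return False
        if self.outcome and ev.outcome != self.outcome:
            return False
        return True

    def process(self, ev):
        """Feed one event; return the Alert it created or updated, else None."""
        if not self.matches(ev):
            return None
        key = tuple(getattr(ev, f) for f in self.group_by)
        q = self._pending[key]
        q.append(ev)
        # discard events that fell out of the window relative to the newest event
        while q and ev.ts - q[0].ts > self.window_s:
            q.popleft()
        if len(q) < self.count:
            return None
        # threshold met: attach the trigger events to the open alert for this key,
        # or open a new one; a duplicate alert is never created for the same key
        alert = self.alerts.get(key)
        if alert is None:
            alert = Alert(key=key)
            self.alerts[key] = alert
        alert.trigger_events.extend(q)
        q.clear()   # each event contributes to one trigger only
        return alert

    def close(self, key):
        """Triage or a retention policy closes the alert; the next trigger opens a fresh one."""
        alert = self.alerts.pop(key, None)
        if alert is not None:
            alert.state = "Closed"
        return alert


def run_sample():
    """Run a constructed event stream through a 3-in-60-seconds rule and return the rule."""
    rule = ThresholdAlertRule("dns_policy_repeat", count=3, window_s=60,
                              policy_pattern="DNS", outcome="Failure")
    sample = [  # constructed events, not product output
        Event(100, "alice", "DNS Configuration", "srv01", "Failure"),
        Event(110, "alice", "DNS Configuration", "srv01", "Failure"),
        Event(130, "alice", "DNS Configuration", "srv01", "Failure"),  # third within 60 s: alert opens
        Event(140, "alice", "DNS Configuration", "srv01", "Failure"),
        Event(150, "alice", "DNS Configuration", "srv01", "Failure"),
        Event(155, "alice", "DNS Configuration", "srv01", "Failure"),  # attaches to the same alert
        Event(160, "bob", "DNS Configuration", "srv01", "Failure"),
        Event(165, "carol", "File Integrity", "srv02", "Failure"),     # policy filter: ignored
        Event(400, "bob", "DNS Configuration", "srv01", "Failure"),    # outside bob's window: no alert
    ]
    for ev in sample:
        rule.process(ev)
    return rule
```

Running `run_sample()` yields a single open alert keyed `("alice", "DNS Configuration", "srv01")` carrying six trigger events; bob's two events never fall within one window and carol's event fails the policy filter. Clearing the pending queue after a trigger is the design choice that keeps one noisy user from producing a new alert on every additional event while an alert is already open.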

NOTE: When you create an alert rule, Change Guardian uses the user account logged into Policy Editor. You can also associate a different user account with an additional event destination. Both of these user accounts must have Manage all alerts and Manage Correlation Engines/Rules permissions.

8.3.2 Redeploying Alert Rules

When you create an alert rule and save it, Change Guardian automatically deploys the alert rule to the event destination you specify.

If you make changes to the alert rule, such as modifying its alert criteria or adding information to the knowledge base, and save, the alert rule is also redeployed automatically to the given event destination. You can also redeploy the alert rule manually. Redeploying an alert rule ensures that the event destination has the most recent version of the alert rule. For more information about the alert knowledge base, see “Viewing and Triaging Alerts in Alert Views” in the Change Guardian User Guide.

8.3.3 Configuring Event Destinations to Generate Alerts

To ensure alert rules on the alternate event destinations generate alerts when the default event destination is FIPS-enabled, you must replicate the certificates from the alternate event destination to the default event destination.

To ensure all event destinations receive alerts:

  1. Download the certificates from the following location, and place them in a temporary location, such as /tmp:

    file: /etc/opt/novell/sentinel/config/sentinel.cer

  2. Set the ownership and permissions of the certificate as follows:

    • # chown novell:novell /path to certificate

    • # chmod 644 /path to certificate

  3. At the command prompt, go to /opt/novell/sentinel/bin.

  4. Run the following command for all alternate event destinations:

    ./convert_to_fips.sh -i /path to certificate

  5. Restart the default event destination server.
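The following is an added example (not part of this guide or of Change Guardian) that performs steps 1 and 2 of the procedure above for one certificate and verifies the result before the convert_to_fips.sh step is run: it copies the certificate to a temporary location, attempts the chown to novell:novell, applies mode 644, and reports whether the file actually looks like a certificate (PEM header or a DER SEQUENCE) and whether the ownership change succeeded. The source path and script directory are the ones the procedure names; the function names, the returned fields and the sample PEM-like file are constructed for this illustration, and the chown only succeeds when run as root on a host that has the novell account.

```python
import grp
import os
import pwd
import shutil
import stat

# paths as given in the procedure above
CERT_SRC = "/etc/opt/novell/sentinel/config/sentinel.cer"
FIPS_SCRIPT_DIR = "/opt/novell/sentinel/bin"


def looks_like_certificate(path):
    """Cheap sanity check: PEM certificate header, or DER (first byte is a SEQUENCE tag)."""
    with open(path, "rb") as f:
        head = f.read(32)
    return head.startswith(b"-----BEGIN CERTIFICATE-----") or head[:1] == b"\x30"


def stage_certificate(src, dest_dir, owner="novell", group="novell", mode=0o644):
    """Copy src into dest_dir, apply owner/group and mode, and report what was verified.

    Returns a dict with the staged path and three booleans: is_cert, mode_ok, owner_ok.
    The chown is reported rather than hidden when it fails (not root, or account absent).
    """
    dest = os.path.join(dest_dir, os.path.basename(src))
    shutil.copy2(src, dest)

    owner_ok = False
    try:
        uid = pwd.getpwnam(owner).pw_uid
        gid = grp.getgrnam(group).gr_gid
        os.chown(dest, uid, gid)   # requires root privileges
        owner_ok = True
    except (KeyError, PermissionError):
        owner_ok = False           # account missing on this host, or not running as root

    os.chmod(dest, mode)           # step 2: chmod 644
    actual_mode = stat.S_IMODE(os.stat(dest).st_mode)

    return {
        "path": dest,
        "is_cert": looks_like_certificate(dest),
        "mode_ok": actual_mode == mode,
        "owner_ok": owner_ok,
    }


def convert_command(cert_path):
    """Argument vector for step 4; run it with cwd=FIPS_SCRIPT_DIR on each alternate destination."""
    return ["./convert_to_fips.sh", "-i", cert_path]


def write_sample_cert(path):
    """Write a constructed PEM-shaped placeholder (not a real certificate) for offline use."""
    with open(path, "w") as f:
        f.write("-----BEGIN CERTIFICATE-----\nPLACEHOLDER_NOT_A_REAL_CERT\n-----END CERTIFICATE-----\n")
    return path
```

In a real run you would call `stage_certificate(CERT_SRC, "/tmp")` as root and only proceed to `convert_command` when all three checks are true; a false `owner_ok` means the chown in step 2 did not take effect and the script should not yet be run.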