Create an alarm policy
Users with administrator access can create alarm policies to target and identify specific network activity.
- In Threat Monitor, navigate to Event Logs > Default.
- To group and view high-level facets of the current data set, click Analyze Results.
- In one of your facet groups, click the search icon to expose the search criteria icons.
- Identify the facet on which you would like to base your alert, and then click the Add to Search Criteria icon.
- Copy the value from the search query field to paste into your new alarm policy.
- In Threat Monitor, navigate to Alarms > Alarm Policies, and then click New.
- Enter a name for your new alarm policy.
- From the drop-down list, select a category. Select an appropriate category so Threat Monitor can group the event accordingly in views, dashboards, and facet groupings.
- From the drop-down list, select a company to assign the alarm, and then click Save.
- To build your policy, click Add level 1 rule.
- Enter a name for your alarm policy rule.
- In the filters field, paste the search value you copied from the event logs.
- From the drop-down list, select an action (Do nothing, log alarm only, log alarm and generate email).
- Set your occurrence and time frame. The occurrence is the number of matching events that must happen within the designated time frame before the alarm action triggers.
- Click Save.
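The filter, occurrence and time frame settings above amount to a threshold rule over the event log. The following is an added example that reproduces that evaluation logic in Python; it is not Threat Monitor's own code, and the event field names, the sample events and the dictionary form of the filter are assumptions made for illustration.

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed sample event log entries (not real Threat Monitor data).
# Field names such as "src_ip" and "event_type" are assumed for this example.
SAMPLE_EVENTS = [
    {"ts": "2024-01-01T10:00:00", "src_ip": "203.0.113.5", "event_type": "auth_failure"},
    {"ts": "2024-01-01T10:00:30", "src_ip": "203.0.113.5", "event_type": "auth_failure"},
    {"ts": "2024-01-01T10:00:45", "src_ip": "198.51.100.7", "event_type": "auth_failure"},
    {"ts": "2024-01-01T10:01:00", "src_ip": "203.0.113.5", "event_type": "auth_failure"},
    {"ts": "2024-01-01T10:02:00", "src_ip": "203.0.113.5", "event_type": "auth_success"},
    {"ts": "2024-01-01T10:05:00", "src_ip": "203.0.113.5", "event_type": "auth_failure"},
    {"ts": "2024-01-01T10:05:10", "src_ip": "203.0.113.5", "event_type": "auth_failure"},
]

# The three actions offered by the alarm policy rule drop-down.
ACTIONS = ("Do nothing", "Log alarm only", "Log alarm and generate email")


def matches(event, filters):
    """Facet-style filter: every key/value pair in `filters` must equal the event's."""
    return all(event.get(key) == value for key, value in filters.items())


def evaluate_rule(events, filters, occurrences, time_frame, action):
    """Return a list of (timestamp, action) pairs, one per time the rule fired.

    The rule fires when `occurrences` events matching `filters` fall within a
    sliding window of length `time_frame` (a timedelta). After firing, the
    window is cleared so that one burst of events raises a single alarm.
    """
    if action not in ACTIONS:
        raise ValueError(f"unknown action: {action!r}")
    window = deque()  # timestamps of matching events inside the current window
    fired = []
    for event in sorted(events, key=lambda e: e["ts"]):
        if not matches(event, filters):
            continue
        ts = datetime.fromisoformat(event["ts"])
        window.append(ts)
        # Drop events that are older than the time frame relative to this one.
        while window and ts - window[0] > time_frame:
            window.popleft()
        if len(window) >= occurrences:
            fired.append((ts.isoformat(), action))
            window.clear()
    return fired


if __name__ == "__main__":
    rule_filter = {"src_ip": "203.0.113.5", "event_type": "auth_failure"}
    for when, what in evaluate_rule(SAMPLE_EVENTS, rule_filter, 3, timedelta(minutes=2), ACTIONS[2]):
        print(f"{when}: {what}")
```

With the sample data, three failures from the same source within two minutes trigger once at 10:01:00, while the two failures at 10:05 do not reach the threshold.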
Learn about creating multi-level rules here.