Alert usage example in an enterprise environment

In this example, the CAS is monitoring an enterprise wide area network with thousands of users grouped in hundreds of remote locations, each connected over a private network to a single data center where the applications are hosted on dozens of servers.

Gathering requirements from observations

The following requirements for alerts were defined:

  1. Detect low-performance network locations.

  2. Detect malicious software trying to spread over the network.

  3. Detect new active IP addresses that accept connections in the data center.

These requirements were derived from the following observations:

  1. Some locations are connected with private leased lines and some use VPN connections over the Internet. In both cases it is essential to detect situations in which network performance starts affecting user experience.

  2. When a workstation or desktop is infected with certain malicious software, it may start contacting many other machines in an attempt to spread over the network. We need to detect client IP addresses whose number of network connections or connection attempts suddenly increases compared with their usual behavior, and to identify the application (protocol) and port they are trying to use. Failed attempts matter as much as completed connections here: a scanning host mostly hits addresses that do not answer.

  3. No new machines should be installed in or connected to the data center without prior authorization. If we detect an IP address in the data center that is not on the authorized list and that accepts connections (a completed handshake or a reply, not merely a probe sent to it), we should raise an alert.
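To make the three rules concrete, the following Python script applies them to a handful of flow records. It is an added example written for this page, not code or configuration from the CAS product, and everything in it is an assumption: the addressing plan (one /24 per remote location, a 10.100.0.0/16 data center), the record fields (a collector would export something NetFlow/IPFIX-like plus a round-trip time measurement), the thresholds, and the flow records themselves, which are constructed so that each rule fires exactly once.

```python
import ipaddress
import statistics
from collections import Counter, defaultdict
from typing import Dict, List, NamedTuple, Optional, Set, Tuple


class Flow(NamedTuple):
    """One connection or attempt, in the shape a collector might export (assumed fields)."""
    ts: int                  # epoch seconds
    src: str                 # client IP
    dst: str                 # server IP
    proto: str               # "tcp" or "udp"
    dport: int               # destination port
    completed: bool          # handshake completed / reply seen
    rtt_ms: Optional[float]  # measured round-trip time, None if not available


# Assumed addressing plan: one /24 per remote location, one /16 data center.
LOCATIONS = {
    ipaddress.ip_network("10.1.0.0/24"): "branch-A (leased line)",
    ipaddress.ip_network("10.2.0.0/24"): "branch-B (VPN)",
    ipaddress.ip_network("10.3.0.0/24"): "branch-C (VPN)",
}
DC_NET = ipaddress.ip_network("10.100.0.0/16")
AUTHORIZED_SERVERS = {"10.100.0.10", "10.100.0.11"}  # assumed inventory of approved hosts


def location_of(ip: str) -> Optional[str]:
    addr = ipaddress.ip_address(ip)
    return next((name for net, name in LOCATIONS.items() if addr in net), None)


# Rule 1: a location is slow when its mean RTT exceeds the threshold and enough
# samples exist to trust the mean. Thresholds are assumptions, tune per site.
def slow_locations(flows: List[Flow], rtt_threshold_ms: float = 150.0,
                   min_samples: int = 3) -> Dict[str, float]:
    samples: Dict[str, List[float]] = defaultdict(list)
    for f in flows:
        loc = location_of(f.src)
        if loc and f.rtt_ms is not None:
            samples[loc].append(f.rtt_ms)
    return {loc: round(statistics.mean(v), 1) for loc, v in samples.items()
            if len(v) >= min_samples and statistics.mean(v) > rtt_threshold_ms}


# Rule 2: a client that suddenly contacts many distinct hosts. Attempts count even
# when nothing answered. The busiest window is compared with the median of the same
# client's other windows, so every client is its own baseline.
def spreading_hosts(flows: List[Flow], window_s: int = 60, min_peers: int = 20,
                    factor: float = 5.0) -> Dict[str, Tuple[int, Tuple[str, int]]]:
    peers: Dict[str, Dict[int, Set[str]]] = defaultdict(lambda: defaultdict(set))
    ports: Dict[str, Dict[int, Counter]] = defaultdict(lambda: defaultdict(Counter))
    for f in flows:
        w = f.ts // window_s
        peers[f.src][w].add(f.dst)
        ports[f.src][w][(f.proto, f.dport)] += 1
    alerts: Dict[str, Tuple[int, Tuple[str, int]]] = {}
    for src, windows in peers.items():
        counts = {w: len(d) for w, d in windows.items()}
        peak = max(counts, key=counts.get)
        others = [c for w, c in counts.items() if w != peak]
        baseline = statistics.median(others) if others else 1
        if counts[peak] >= min_peers and counts[peak] >= factor * baseline:
            proto_port = ports[src][peak].most_common(1)[0][0]  # dominant (proto, port)
            alerts[src] = (counts[peak], proto_port)
    return alerts


# Rule 3: a data-center address outside the authorized list that completed a
# connection. Unanswered or refused probes are not "accepting connections".
def new_listeners(flows: List[Flow], authorized: Set[str]) -> Dict[str, Set[Tuple[str, int]]]:
    found: Dict[str, Set[Tuple[str, int]]] = defaultdict(set)
    for f in flows:
        if f.completed and f.dst not in authorized and ipaddress.ip_address(f.dst) in DC_NET:
            found[f.dst].add((f.proto, f.dport))
    return dict(found)


def sample_flows() -> List[Flow]:
    """Constructed records: normal traffic, a slow VPN site, a scanner, an unauthorized server."""
    flows: List[Flow] = []
    for i in range(5):  # baseline traffic from three branches to two DC servers
        flows.append(Flow(1000 + i, f"10.1.0.{10 + i}", "10.100.0.10", "tcp", 443, True, 20.0 + i))
        flows.append(Flow(1000 + i, f"10.2.0.{10 + i}", "10.100.0.10", "tcp", 443, True, 210.0 + i))
        flows.append(Flow(1000 + i, f"10.3.0.{10 + i}", "10.100.0.11", "tcp", 445, True, 60.0 + i))
    for i in range(3):  # 10.3.0.50 behaves normally for three one-minute windows ...
        flows.append(Flow(1000 + 60 * i, "10.3.0.50", "10.100.0.11", "tcp", 445, True, 60.0))
    for i in range(40):  # ... then probes 40 hosts on 445/tcp inside a single window
        flows.append(Flow(1260 + i, "10.3.0.50", f"10.100.1.{i}", "tcp", 445, False, None))
    flows.append(Flow(1400, "10.1.0.10", "10.100.0.99", "tcp", 22, True, 21.0))   # new SSH listener
    flows.append(Flow(1401, "10.1.0.10", "10.100.0.200", "tcp", 22, False, 21.0))  # unanswered probe
    return flows


if __name__ == "__main__":
    flows = sample_flows()
    print("slow locations:", slow_locations(flows))
    print("spreading hosts:", spreading_hosts(flows))
    print("new listeners:", new_listeners(flows, AUTHORIZED_SERVERS))
```

Two design points carry over to a real deployment. For rule 2 the comparison is against the client's own history rather than a fixed count, because a backup server or a monitoring station legitimately talks to hundreds of hosts every minute, while a desktop that jumps from two peers to forty is the interesting case. For rule 3 only completed connections are counted, otherwise the scanner from rule 2 would also register every address it probed as a "new machine" in the data center.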