Alert definition example: excessive number of servers used by user. top software service identified

In this example, we want to raise the alert if we detect malicious software trying to spread over the network.

For detecting users affected by malicious software trying to spread over the network, the best choice is the Excessive number of servers used by user. Top software service identified alert, which was designed specifically for this purpose.

Open the Alert management screen.

On the Alerts tab, click Predefined.

The predefined alerts are listed. In this example, we configure a predefined alert to suit our purposes. Details concerning the selected alert are shown under the list.

In the Filter box above the list, type excessive to filter the list on that word.

You want to find the Excessive number of servers used by user. Top software service identified alert.

Click the Excessive number of servers used by user. Top software service identified alert to select it.

That line will be highlighted in the list and the details concerning that alert will be displayed under the list.

In the alert details and devices section (under the list), in the Actions column, select Actions  ► Edit alert for the device to which you want to apply this alert.

When more than one CAS is listed, be sure to select the row for the CAS to which you intend to apply the alert.

When you select Edit alert, the alert wizard will open for the selected alert and device.

Specify basic settings

On the Specify Basic Settings page of the wizard, click Next to skip to the next screen.

In this example, there is no need to change the information on this tab. It is possible to edit the description and name, but this is generally not recommended, because you change the threshold values and other parameters, not the underlying predefined alert mechanism.

Define triggering and propagation conditions

On the Detection Settings tab, set the values that will trigger the alert.

  • Set the Multiplier of the normal number of servers parameter to 5, indicating that the alert will be raised if the user attempts to connect to five times more servers.

The baseline (normal) value, multiplied by the specified ratio, constitutes the upper limit of acceptable number of servers that are fully monitored, that is, servers for which all statistical information can be obtained from the monitored traffic.

  • Set the Lower limit of the unacceptable number of servers parameter to 20, indicating that anything below 20 servers will not be considered a problem. This threshold also applies to servers for which all statistical information can be obtained from the monitored traffic (fully monitored servers).

For the alert to be raised, both this threshold and the baseline threshold need to exceeded at the same time.

  • Set the Alternative lower limit of the unacceptable number of servers parameter to 100, indicating that an alert will be raised if a user attempts to connect to more than 100 servers. This threshold applies to the total number of servers, both fully monitored and those for which only some basic statistics can be obtained from the traffic. It is used only if the thresholds defined by the two other detector parameters are not exceeded.

Click the Propagation settings tab to specify how the alert will be propagated.

Click Next.

The Configure Alert Notifications screen of the alert definition wizard is displayed.

Configure alert notifications

On the Configure Alert Notifications page of the wizard, click Next to skip to the next tab.

In this example, there is no specific example changes on this tab. Normally, however, you would use the three tabs (Users, Trap Recipients, and Compuware Open Servers) to specify where and how to send out alerts. If you specify nothing here, the alerts will be written only to the alert log.

Click Next.

The Review Summary screen of the alert definition wizard is displayed.

Review summary

On the Review Summary page of the wizard, verify your alert settings before you apply them to the report servers.

If you need to change anything, click Previous to go back to the appropriate page of the wizard.

Click Apply.

On the pop-up window you can select the option to save your changes as a draft, if you intend to make more changes now, or to immediately publish the changes if you want to make your changes live now.