Correlation alerts in a Managed Environment

November 2015
In a managed environment, it is possible to control what correlation alerts run on what units.
Correlation alerts are the alerts associated with the Alert Builder and Anomaly Detection
functions.
Old behavior
- Alerts are either active or inactive.
- When active, they run everywhere by default.
- Alerts could be disabled locally on each unit.
- No enterprise-wide view of the alerts running.
New behavior on standalone units
Alerts can be disabled locally as before. The difference is that instead of going to the UI of each
and every unit you wish to disable locally, now you do this from one Guardium system, the
Central Manager. In the Central Manager you have a managed unit section in the Alert builder
that allows you to control which units will run the alert and which units will not.
Anomaly Detection Page shows enterprise-wide view of alerts.
See example:
Addition to Alert Builder
Alert Builder page has a new section for assigning alerts to units.
You specify either single units or groups of managed units to either include or exclude from an
alert. You also specify if the Central Manager itself is included or excluded.
This section appears only on the Central Manager.
Management Groups
The Alert Builder opens dialogs to select, create, or edit groups.
Groups are the same groups from the Central Manager page. They are not the same as general
groups in use elsewhere.
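The two sections above describe how an alert's managed-unit assignment is resolved: single units or management groups are included in or excluded from the alert, and the Central Manager itself is included or excluded separately. The following is added example code written for this page, not Guardium's implementation; the unit and group names, the UnitAssignment model, and the rule that an "include" list restricts the alert to the listed targets while an "exclude" list removes them from the all-units default are assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed sample topology (hypothetical names): one Central Manager and
# four managed units.
CENTRAL_MANAGER = "cm01"
MANAGED_UNITS = frozenset({"col01", "col02", "col03", "col04"})

# Constructed management groups. These model the Central Manager's own unit
# groups, not the general-purpose groups used elsewhere in Guardium.
MANAGEMENT_GROUPS = {
    "prod-collectors": frozenset({"col01", "col02"}),
    "dev-collectors": frozenset({"col03"}),
}


@dataclass
class UnitAssignment:
    """Hypothetical model of the managed-unit section of the Alert Builder.

    mode:            "include" runs the alert only on the listed targets;
                     "exclude" runs it everywhere except the listed targets.
    units / groups:  single managed units and/or management groups.
    central_manager: whether the Central Manager itself runs the alert.
    """
    mode: str = "exclude"
    units: frozenset = frozenset()
    groups: frozenset = frozenset()
    central_manager: bool = True


def expand_targets(assignment, groups):
    """Flatten the selected units and groups into one set of unit names."""
    targets = set(assignment.units)
    for name in assignment.groups:
        if name not in groups:
            # Reject typos instead of ignoring them: an alert that silently
            # runs on the wrong units is a detection gap.
            raise KeyError(f"unknown management group: {name}")
        targets |= groups[name]
    return targets


def resolve_units(assignment, managed_units, groups, central_manager):
    """Return the frozenset of appliances on which the alert will run.

    With no assignment the old default applies: every managed unit and the
    Central Manager run the alert.
    """
    if assignment is None:
        return frozenset(managed_units) | {central_manager}

    targets = expand_targets(assignment, groups)
    unknown = targets - set(managed_units)
    if unknown:
        raise ValueError(f"not managed by this Central Manager: {sorted(unknown)}")

    if assignment.mode == "include":
        running = targets
    elif assignment.mode == "exclude":
        running = set(managed_units) - targets
    else:
        raise ValueError(f"mode must be 'include' or 'exclude', got {assignment.mode!r}")

    if assignment.central_manager:
        running.add(central_manager)
    return frozenset(running)


if __name__ == "__main__":
    # Exclude the dev collectors and the Central Manager from this alert.
    only_prod = UnitAssignment(mode="exclude", groups={"dev-collectors"},
                               central_manager=False)
    print(sorted(resolve_units(only_prod, MANAGED_UNITS, MANAGEMENT_GROUPS,
                               CENTRAL_MANAGER)))
```

The unknown-group check matters operationally: the enterprise-wide view on the Anomaly Detection page is only trustworthy if an assignment cannot quietly refer to a group or unit that does not exist.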
Additional dialogs
Additional dialogs create or edit the groups.
All active alerts
Anomaly Detection Page shows enterprise-wide view of alerts. The two unit assignment
columns appear only in managed environment.
You can also edit groups by clicking on them.
Anomaly detection
The Anomaly Detection process runs every polling interval to create and save, but not send,
correlation alert notifications based on each alert's query.
Saved notifications are sent according to the schedule defined for each alert. See Alerter
Configuration for more information about sending notifications.
The Anomaly Detection process uses the results of a correlation alert's query, which looks back
over a specified period of time, and the correlation alert's threshold, to determine if a condition
has been satisfied (an excessive number of failed logins, for example). See Correlation Alerts for
more information.
Under Central Management, all correlation alerts are defined on the Central Manager, regardless
of the appliance on which they were created or updated. These correlation alerts are the same for
all appliances and, when activated, are activated on all appliances by default. When you want to
specify which units run an alert and which do not, use the managed units section of the Alert
Builder on the Central Manager.
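The evaluation loop described above (query over a lookback window, compare against the alert's threshold, save a notification on each polling interval, leave sending to the Alerter), as added example code written for this page; it is not Guardium's implementation. The sample login events, the alert parameters, the polling loop, and the assumption that the condition is satisfied when the count meets or exceeds the threshold are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class LoginEvent:
    timestamp: datetime
    unit: str
    db_user: str
    outcome: str  # "FAILED" or "SUCCESS"


# Constructed sample: login events as a correlation alert's query might
# return them from one managed unit. Times and names are hypothetical.
BASE = datetime(2015, 11, 3, 9, 0, 0)
SAMPLE_EVENTS = [
    LoginEvent(BASE + timedelta(minutes=m), "col01", user, outcome)
    for m, user, outcome in [
        (1, "appsvc", "SUCCESS"),
        (3, "sa", "FAILED"),
        (4, "sa", "FAILED"),
        (5, "sa", "FAILED"),
        (6, "sa", "FAILED"),
        (7, "sa", "FAILED"),
        (12, "appsvc", "SUCCESS"),
    ]
]


@dataclass(frozen=True)
class CorrelationAlert:
    name: str
    lookback: timedelta  # how far back the alert's query looks
    threshold: int       # count that satisfies the condition (assumed: >=)


@dataclass
class Notification:
    alert_name: str
    unit: str
    evaluated_at: datetime
    count: int
    sent: bool = False   # Anomaly Detection saves; only the Alerter sends


def failed_logins(events, window_start, window_end):
    """The alert's 'query': failed logins with window_start < t <= window_end."""
    return sum(
        1 for e in events
        if e.outcome == "FAILED" and window_start < e.timestamp <= window_end
    )


def evaluate(alert, events, now):
    """One evaluation: count over the lookback window, compare to threshold."""
    count = failed_logins(events, now - alert.lookback, now)
    return count, count >= alert.threshold


def run_anomaly_detection(alert, events, unit, start, end, polling_interval):
    """Model of the Anomaly Detection loop: at every polling interval, run the
    alert's query over its lookback window and SAVE a notification when the
    threshold is met. Nothing is sent here."""
    saved = []
    now = start
    while now <= end:
        count, fired = evaluate(alert, events, now)
        if fired:
            saved.append(Notification(alert.name, unit, now, count))
        now += polling_interval
    return saved


def dispatch(saved, send):
    """Model of the Alerter: deliver saved-but-unsent notifications through
    send() (syslog, email, SNMP trap) and mark them sent. Returns the number
    delivered, so a second run over the same list delivers nothing."""
    delivered = 0
    for n in saved:
        if not n.sent:
            send(n)
            n.sent = True
            delivered += 1
    return delivered


# Demo parameters (hypothetical): 5 failed logins within 10 minutes, polled
# every 5 minutes over a 20-minute run.
DEMO_ALERT = CorrelationAlert("Excessive failed logins", timedelta(minutes=10), 5)
POLLING_INTERVAL = timedelta(minutes=5)
DEMO_START = BASE
DEMO_END = BASE + timedelta(minutes=20)

if __name__ == "__main__":
    saved = run_anomaly_detection(DEMO_ALERT, SAMPLE_EVENTS, "col01",
                                  DEMO_START, DEMO_END, POLLING_INTERVAL)
    for n in saved:
        print(f"{n.evaluated_at:%H:%M} {n.alert_name}: {n.count} failed logins on {n.unit}")
    print("delivered:", dispatch(saved, lambda n: print("  -> syslog:", n)))
```

Two things the loop makes visible that the prose only states: the polling interval and the lookback window are independent settings (the 5-minute poll at 09:05 sees only three of the failures, the poll at 09:10 sees all five), and a notification exists as a saved record before the Alerter delivers it, which is why an unconfigured or stopped Alerter leaves saved alerts unsent rather than undetected.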
Notes
- The Alerter component must be configured and started to send a saved alert message to
SYSLOG, email, or an SNMP trap.
- Anomaly Detection does not play a role in the production of real-time alerts, which are
produced by security policies.
Automatically activate Anomaly Detection on startup
1.
Click Setup > Anomaly Detection to open the Anomaly Detection panel.
2.
Mark the Active on Startup checkbox. Each time the appliance restarts, Anomaly
Detection will be activated automatically.
3.
Click Apply.
Set the frequency that Anomaly Detection checks for appliance issues
1.
Click Setup > Anomaly Detection to open the Anomaly Detection panel.
2.
Enter the Polling Interval, in minutes.
3.
Click Apply.
Enable or Disable Active Alerts
To disable an alert globally in a Central Manager environment, the simplest way is to clear the
Active checkbox in the Modify Alert panel (see Correlation Alerts).
To enable or disable an alert on specific systems in a Central Manager environment, use the
managed units section of the Alert Builder on the Central Manager.
Stop or Restart Anomaly Detection
1.
Click Administration Console > Anomaly Detection to open the Anomaly Detection
panel.
2.
Click Stop to stop Anomaly Detection, or click Restart to restart it.