Security Analytics 10.6 has a new beta feature that will allow SA to monitor your event sources collection and alarm or notify you when an event source falls below or exceeds a rate that is normal for that event source. The goal is to take away the need to manually determine which event sources have similar rates, group those event sources, and create monitoring policies to match, significantly reducing the burden on system administrators. It is enabled by default to alarm but not send notifications.
It takes about 5 days to build the baseline and will then start generating alarms whenever a device deviates from that baseline. In the case in the screenshot below, this cisco router normally generates 333 events during 6:00 PM to 7:00 PM but we haven't received any events, which is 2.657 standard deviations below the normal. The alarm shows up on the Administration -> Event Sources -> Alarms page.
You can enable email, syslog, or SNMP notifications once you determine the alarms aren't giving you false positives. You can also tweak the Low and High standard deviations settings in order to tune it better to your environment. Raising the standard deviations will make it less likely for an alarm to be generated.
Let us know what you think and how it works for you!
More information can be found on RSA Security Analytics Documentation under Security Analytics 10.6 > Event Source Management > Procedures > Configure Automatic Alerting
