Here are two examples where you may need to modify your out-of-the-box policies when getting false alarms:
1. Health and Wellness monitors the Broker and sends an alarm if the session rate is > 30 minutes.
However, the Broker in this environment may aggregate from a device in bursts of about every 30 minutes. That interval is too close to the alarm threshold, so normal behavior can trigger a false alarm.
2. Health and Wellness sends an alert if the SD Cards are Unknown.
In this environment the alarm is sent because the SD Cards are reported as neither OK nor not readable (SD Cards are not enabled), but as unknown.
To change a policy, work on a copy rather than on the original:
1. Click the Copy button to copy the out-of-the-box policy.
2. Disable the out-of-the-box policy by deselecting its Enable checkbox, then click the Save button in the top right corner.
3. For the copied policy, select the Enable checkbox and click the Save button.
You can now modify the copied policy while keeping the original out-of-the-box policy intact in case you need to revert to it.
In the first example, we could adjust the alarm threshold from 30 minutes to 60 minutes (or to whatever range of time is likely between aggregations on the Broker).
In the second example, we would disable the host SD Card failure policy because the device is upgraded to 10.6.2, where SD cards are reported as unknown. You can use the ipmitool (https://community.rsa.com/docs/DOC-39435) to confirm the status of your SD Cards until you are able to back up SA and other appliances, build stick to 10.6, upgrade to the version that was backed up, and restore.