Create or Modify Alert Panel

The Create or Modify alert panel is a panel in the Alert List view. This panel allows you to create or modify an alert as per the requirement.

Workflow

netwitness_alert_view_workflow_latest.png

What do you want to do?

Role I want to... Documentation

Administrator/ Analyst

Configure Reporting Engine

Configure Reporting Engine

Administrator/ Analyst

Configure an alert*

Configure an Alert

Administrator/ Analyst

Schedule an alert Schedule an Alert

Administrator/ Analyst

View an alert

View an Alert

Administrator/ Analyst Investigate an alert Investigate an Alert
Administrator/ Analyst Manage an alert and alert template Manage an Alert and Alert Template

*You can complete these tasks here.

Related Topics

Alerting Overview

Quick View

The following figure is an example with the important features labeled.

125_Reporting_Decoders1_0524.png

125_Reporting_Decoders_0524.png

1 Click Alerts to open the Alert view.
2

Click netwitness_add.png to navigate to the Create or Modify Alert panel.

3 Enable the alert, navigate the rule, and select a data source to alert.
4 Enter a brief description of an alert.
5 Define the alert notification methods(RECORD, SMTP, SNMP, Syslog) to alert, when an alert condition is matched.

Note: The 'Push to decoders' option has been removed from NetWitness 12.5. The existing App Rules will remain unchanged. To enable the new App Rules, you can add them manually from Decoder > Config > App Rules (+) through Services in the legacy view. Also, you can deploy App Rules from the CCM page to these decoders if CCM is enabled.

The Create or Modify Alert panel has the following sections:

  • Alert Definition
  • Alert Description
  • Alert Notification

Alert Definition

The following table describes the fields in the Alert Definition:

Field Description
Enable
  • Enable activates the alert. The alert executes and sends output actions every minute (by default) when the alert conditions are met.
  • Disable deactivates the alert. The alert does not execute and does not send any output actions.
Rule Basis

Click Browse to display the Rules Library panel from which you select the rule that is the basis of this alert.

You must select a rule that has a unique 'where' clause for an alert.

Data Sources

Specifies the data source for the alert.

Push to decoders

Pushes the ‘where’ clause of the alert rule to Decoders connected to the selected NWDB data source.

This is the recommended option used to create RE alerts, as the alert conditions are checked on the Decoder itself and the alert queries will be comparatively faster in NWDB.

If you deselect this option, the alert rule ‘where’ clause will be queried against the selected NWDB data source. Based on the complexity and metas in the ‘where’ clause of the rule, the alert queries might take more time to process in NWDB.

Note: NetWitness does not send rules to the Decoder automatically.

Alert Description

The following table describes the fields in the Alert Description:

Field Description
Description

Describes the alert.

Create Creates the alert. (This option is displayed when you create an alert.)
Save Saves the changes made to the alert. (This option is displayed when you modify an alert.)

Alert Notification

The Alert Notification allows you to define the notification action NetWitness takes when an alert is generated, for example, recording or sending the alert using one of the defined output actions. The output actions are Simple Mail Transfer Protocol (SMTP), Simple Network Management Protocol (SNMP), or Syslog message.

The Notification contains the default Record tab, which you use to create an alert. The icon beside the Record tab allows you to select the notification type from the drop-down list for the output to specify for the alert: SMTP, SNMP, or Syslog.

Depending on the selected notification type, the Notification section is populated with predefined text that contains variables that add Meta that is appropriate for the alert. In the Reporting Engine, these variables are replaced with actual values. The following table lists the variables and their descriptions.

Variable Description
${meta.<metakey>}

The meta key value.

Note: If the <metakey> did not fetch any value, an empty string("") is printed.
By default, Reporting Engine displays all the repeated values for a meta key. If you do not want the meta values to repeat in the Alert output, enable the "removeRepeatedMetaValue" option by navigating to Configuration > Alert Configuration available for the Reporting Engine in the Services - Configuration > Explore view.
For example, in an HTTP Session the value for the action is displayed as get, get, put, put, post, get. When this option is enabled, the value is displayed as get, put, post.

${meta.time} / ${meta.time:<time_format>}

${meta.time} - The session time is printed in "yyyy-MMM-dd HH:mm:ss" format.

${meta.time:<time_format>} - The session time is printed in the user-defined custom time format. For example, ${meta.time:dd-MM-yyyy HH:mm:ss}.

For more information on the supported time formats, see http://docs.oracle.com/javase/7/docs/api/java/text/SimpleDateFormat.html

Note: If the time format provided by the user is invalid, the default time format will be used. The default time format is "yyyy-MMM-dd HH:mm:ss".

${name} The alert name defined in Reporting Engine.
${count} The number of times an alert is detected in a given time frame. (By default, it is one minute)
${nw.host} The NetWitness host name as configured in Reporting Engine.
${device.id} The NetWitness device ID of the data source.

The Alert Notification view has four tabs:

Record Tab

Use the Record tab to define the frequency for recording an alert and the message to generate when an alert is generated.

netwitness_alert_record_pane.png

The following table lists the fields in the Record tab and their description.

Field Description
Execute

The frequency for recording an alert.

  • Once - Record the alert only once based on the alert interval no matter how often the alert is generated. NetWitness records the number of times the alert has actually generated during that interval in the log file so that analysts know how many times the alert registered a match over a given day.
  • Each Event - Record the alert each time as it generates. If an alert generates unlimited number of times during a day, that alert is often treated as noise and can be ignored, except in case of alerts that require continuous monitoring such as network configuration changes and DDOS attacks.

Note: Select Each Event setting from the Execute drop-down list for SNMP and Syslog output actions.

Body The body of the message.
Body Template (Optional) If templates have been defined, select a template for the alert message.

SMTP Tab

The SMTP tab allows you to define the SMTP (email) output for this alert.

netwitness_alert_smtp_pane.png

The following table lists the fields in the SMTP tab and their description.

Field Description
Execute

The frequency to send an email message for the alert.

  • Once - Sends only one email for an interval, if an alert generates in that interval, irrespective of how many alerts generated.
  • Each Event - Send an email with the alert for every event in which the rule criteria are met.
To The email addresses to which to send this alert.
Subject The subject of the email message.
Body The body of the message.
Body Template

(Optional) If templates have been defined, select a template for the SMTP message that you can use as is or modify.

SNMP Tab

The SNMP tab allows you to define the SNMP output for the alert.

netwitness_alert_snmp_pane.png
The following table lists the various fields in the SNMP tab and their description.

Field Description
Execute

The frequency to send an SNMP output for an alert.

  • Once - Sends an SNMP message along with an email for an interval, if an alert generates in that interval, irrespective of how many alerts generated.
  • Each Event - Sends an SNMP message with the alert for every event in which the rule criteria are met.
Body The body of the message.
Body Template (Optional) If templates have been defined, select a template for the SNMP message to use as is or modify.

Syslog Tab

The Syslog tab allows you to define the Syslog message output for this alert.

netwitness_alert_syslog_pane.png

Click netwitness_add.png to add Syslog configuration to an alert. The New Syslog Configuration dialog box is displayed:

netwitness_new_syslog_config.png
The following table describes the fields in the New Syslog Configuration dialog:

Field Description
Syslog Configs

The Syslog configuration of the Device Config view located at the Syslog Configuration panel.

Execute

The number of times that you want to send a Syslog output for the alert.

  • Once - Sends a Syslog output along with an email for an interval, an alert generates in that interval, irrespective of how many alerts generated.
  • Each Event - Sends a Syslog output with the alert for every event in which the rule criteria are met.
Facility

The type of program logging the message. Examples for the type of programs are Syslog, Daemon, Mail, and Kernel.

Severity

The severity level of the alert that generated.

  • Emergency
  • Alert
  • Critical
  • Error
  • Warning
  • Notice
  • Informational
  • Debug
Body The body of the message.
Body Template (Optional) If templates have been defined, select a template for the Syslog message to use as is or modify.