Introduction to issued alerts
The Issued Alerts page is used for viewing information on the alerts sent by the Security Analytics Engine. If multiple, identical alerts for the same risk policy occur within a 5-minute period, the Security Analytics Engine only displays (and sends) a single alert.
|
|
IMPORTANT: In order to receive email alerts, SMTP must be set up for the Security Analytics Engine site via IIS. If nothing has been configured, the Security Analytics Engine attempts to connect to any local SMTP server on the standard SMTP port. If the Security Analytics Engine fails to connect, alerts will not be sent. |
|
|
NOTE: Issued alerts follow the same retention settings as audit events. |
Issued Alerts page
The Issued Alerts page is displayed when Issued Alerts is clicked on the Reports page or in the left pane (the page link is available after using the expand properties button to the left of Reports). The Issued Alerts page displays a list of the alerts sent by the Security Analytics Engine. These results are filtered using the options located at the top of the page.
Filtering options on the Issued Alerts page
The following are the filtering options at the top of the page:
|
|
NOTE: Refreshing the screen returns the Issued Alerts page to its default settings. |
|
|
NOTE: Issued alerts follow the same retention settings as audit events. |
From
This field specifies the date to start searching for alerts. By default, this is the current date. Click anywhere in the field to display a calendar from which to select a date to start searching for alerts. You can also manually edit the date in the field (mm/dd/yyyy).
To
This field specifies a date to stop searching for alerts. By default, this is the current date. Click anywhere in the field to display a calendar from which to select a date to stop searching for alerts. You can also manually edit the date in the field (mm/dd/yyyy).
Application(s)
This drop-down list displays the currently configured applications. Select to display issued alert information for all applications or a specific application. By default, issued alerts for all applications are displayed.
Max Records
This field is used for setting the maximum number of records (1 to 10000) to return for the search. By default, this is 1000 records.
Search
The Search button updates the Issued Alerts table located beneath the filtering options.
For more information on using these filtering options, see To filter issued alerts. For information on filtering individual columns, see To filter data.
Issued Alerts table
The following information is displayed for each alert in the Issued Alerts table. By default, the issued alerts for the current date are displayed.
Date/Time
This column displays the date and time the alert was issued.
Application
This column displays the name of the application.
Resource
This column displays the name of the requested resource. It appears blank when an attribute specifying the resource is not returned by the application.
Message
This column displays the message associated with the issued alerts. It includes the email address to which the alert was sent and the score which caused the alert to be sent.
|
|
NOTE: The scores shown for issued alerts are based on the configuration of the policy sending the alert. This means that the scores will not always be the same as the risk score from the evaluation of the access attempt. |
Policy
This column displays the risk policy that was evaluated.
User Name
This column displays the name of the user who accessed, or attempted to access, an application protected by the Security Analytics Engine.
Recipient
This column displays the email address to which the alert was sent.
Status
This column displays the status of the alert.