Creating Alerts

Introduction

Alerts provide network managers with near-real-time messages about anomalous network activity. Such activity could consist of:

Irregular authentication activity

Irregular network device access activity

Users attempting privileged commands on network devices

Irregular activity on the Policy Manager servers

Reports and alerts include templates for easy configuration. These templates allow you to quickly configure and monitor network activity. In addition to email notifications, you can also send alerts to mobile devices via SMS (Short Message Service: short text messages of up to 140 characters sent and received through mobile phones), providing the capability to receive mission-critical information on the go.


Any Error-level System Event/Event Viewer entry on a Policy Manager server generates a System Alert Notification.

Creating New Alerts

To create a new alert:

1. Navigate to the Alerts page.

2. Click Configuration.

The Alerts Configuration page opens.

Figure 1  Alerts Configuration Page

Enable button: From the switch, you can enable or disable the selected alert.

Mute button: Allows you to mute alert output while you work to address the alert.

3. Click Create New Alert.

Figure 2  Creating a New Alert

4. Enter the information for each Create New Alert parameter as described in Table 1, then click Save.

Table 1: Create New Alert Parameters

Alert Name: Enter the name of the alert.

Description: Optionally, enter a summary description of the alert.

Category: Select the alert Category, then specify the desired alert type in the selected category:

Authentication category:

Failed Authentication

RADIUS (Remote Authentication Dial-In User Service) Failed Authentication

Total Authentication

WEBAUTH Authentication

System category:

TACACS+ (Terminal Access Controller Access Control System Plus) Commands

TACACS+ Failures

Notifications: Specify alert notifications:

Notify by Email. When you select this option, enter the list of email addresses to be notified. The alert notification is sent whenever the trigger threshold is met.

NOTE: Enabling Notify by Email is mandatory.

Notify by SMS. When you select this option, enter the phone numbers of each recipient. The alert notification is sent whenever the trigger threshold is met.

NOTE: If you have not configured the SMTP (Simple Mail Transfer Protocol) mail server for email notifications, you will be unable to configure Alert Notifications. For the procedure, see Messaging Setup.

Filter: To configure an Alert filter:

1. From the Filter drop-down, select the type of filter; for example, Access Point or ClearPass Server.

2. Specify the operator: Equals, Not_Equals, Starts_With, Contains, or Not_Contains.

3. Enter the value.

To create another filter, click the Add Another link.

To remove a filter, click the trashcan icon.

Trigger Severity: From the Trigger Severity drop-down, select Critical or Warning.

Trigger Threshold: Specify Threshold and Interval values as the criteria for determining whether an alert is necessary.

For example, if you specify the threshold as 25 and the interval as 15 minutes, an alert is triggered once the threshold of 25 is met within 15 minutes.

Trigger Interval: Specify the Interval, then select Minutes or Hours.

Alert Summary: When you have configured the alert settings, the Alert Summary displays the settings for your review.

Modifying the User Watchlist

A Watchlist is a list of VIPs, executives, and devices known to be problematic that are monitored for authentication failures. Policy Manager collects the authentication status of all users. When Policy Manager finds a user defined in the Watchlist who fails to authenticate and also matches the Watchlist triggers (severity, threshold, and interval), an alert notification is sent to the notification list via email or to mobile devices via SMS. This allows the authentication failure to be resolved proactively, before the problem is reported by the user. The Watchlist generates an alert only when an unsuccessful authentication for a specific device occurs.

Default Watchlist Trigger Settings

The default Watchlist trigger settings are as follows:

Severity = Critical

Threshold = 1

Interval = 30 seconds


You cannot edit the Watchlist trigger settings.
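The following Python is an added example, not ClearPass or Insight code: it models how the Filter operators, Trigger Threshold and Trigger Interval settings from Table 1 combine to raise an alert, and reuses the same evaluator with the fixed Watchlist trigger settings above (threshold 1, interval 30 seconds). The event records, server names and usernames are constructed, and the sliding-window counting is an assumption about the semantics, not Insight's published implementation.

```python
from collections import deque
from datetime import datetime, timedelta
# Filter operators offered in the Filter drop-down (Table 1).
OPERATORS = {
    "Equals": lambda field, value: field == value,
    "Not_Equals": lambda field, value: field != value,
    "Starts_With": lambda field, value: field.startswith(value),
    "Contains": lambda field, value: value in field,
    "Not_Contains": lambda field, value: value not in field,
}

class AlertRule:
    """One alert: a filter plus a Trigger Threshold/Interval pair (events in time order)."""
    def __init__(self, field, operator, value, threshold, interval):
        self.field, self.value = field, value
        self.match = OPERATORS[operator]
        self.threshold, self.interval = threshold, interval
        self.window = deque()  # timestamps of matching events inside the interval

    def observe(self, event):
        """Return True when this event makes the matching count reach the threshold."""
        if not self.match(str(event.get(self.field, "")), self.value):
            return False
        now = event["time"]
        self.window.append(now)
        while now - self.window[0] > self.interval:  # drop events older than the interval
            self.window.popleft()
        if len(self.window) >= self.threshold:
            self.window.clear()  # one burst raises one alert, then counting restarts
            return True
        return False

BASE = datetime(2024, 1, 1, 9, 0, 0)
# Constructed sample: 25 failed authentications on server cp-1, one every 30 s,
# alternating between two users, then one more failure an hour later on cp-2.
FAILED_AUTHS = [
    {"time": BASE + timedelta(seconds=30 * i), "server": "cp-1",
     "user": "alice" if i % 2 == 0 else "bob"} for i in range(25)
] + [{"time": BASE + timedelta(hours=1), "server": "cp-2", "user": "alice"}]

def fire_times(rule, events):  # seconds after BASE at which the rule raised an alert
    return [int((e["time"] - BASE).total_seconds()) for e in events if rule.observe(e)]

def demo_create_alert():  # Table 1 example: ClearPass Server Equals cp-1, 25 within 15 min
    rule = AlertRule("server", "Equals", "cp-1", 25, timedelta(minutes=15))
    return fire_times(rule, FAILED_AUTHS)  # [720]: the 25th failure, 12 minutes in

def demo_watchlist():  # Watchlist defaults: Username filter, threshold 1, interval 30 s
    rule = AlertRule("user", "Equals", "alice", 1, timedelta(seconds=30))
    return fire_times(rule, FAILED_AUTHS)  # 14 alerts, one per failure by alice
```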

To modify the User Watchlist:

1. From the Insight navigation panel, choose Alerts, then select Configuration.

The Alerts Configuration page opens and shows the default User Watchlist (see Figure 3).

Figure 3  User Watchlist

The users who are currently on the Watchlist are displayed. By default, the Watchlist includes the Authentication Trend report widget.

2. Click Watchlist, then click Modify Watchlist.

The Edit Alert page for the User Watchlist opens.

Figure 4  Modifying the User Watchlist

3. Enter the desired settings for each User Watchlist parameter as described in Table 2, then click Save.

Table 2: Modify User Watchlist Parameters

Alert Name: Optionally, you can modify the name of the User Watchlist.

Description: Optionally (and recommended), enter a summary description of the User Watchlist.

Category: The Category is set to Alert > User Watchlist. This is not an editable field.

Notifications: Specify Watchlist notifications:

Notify by Email. When you select this option, enter the list of email addresses to be notified. The alert notification is sent whenever the threshold is met.

Notify by SMS. When you select this option, enter the phone numbers of each recipient. An SMS message is sent with an alert notification whenever the threshold is met.

NOTE: A warning message appears if you have not configured the SMTP mail server for email notifications (for details, see Messaging Setup).

Filter: Username. The User Watchlist has only one filter: Username. From the Username drop-down, select one or more users to add to the Watchlist.

Alert Summary: When you have configured the Watchlist settings, the Alert Summary displays the settings for your review.

Adding or Removing Users from the Watchlist

You can use the Insight Search function to add users to or remove users from the Watchlist.

Adding a User to the Watchlist

To add a user to the Watchlist:

1. In the Insight Search window, enter the name of the user.

The Insight User Information page for the selected user is displayed.

Figure 5  Insight User Information Page

2. To add a user to the Watchlist, click the star icon next to the username as shown in Figure 5.

The User Information page now displays the following information:

Figure 6  User Successfully Added to Watchlist

The star icon color is now set to orange, indicating the user has been added to the Watchlist.

The following message is displayed:

<User> added to User Watchlist successfully. Please configure SMS and email notifications.

Removing a User from the Watchlist

To remove a user from the Watchlist:

1. In the Insight Search window, enter the name of the user.

The Insight User Information page for the selected user opens.

Figure 7  Removing a User from the Watchlist

2. Click the orange star icon next to the username.

The user is removed from the Watchlist. The star icon is now white. You receive the following message:

<User> removed from User Watchlist successfully.