Configure alerts

Enable or disable alert deduplication

Product Guardian
Syntax conf.user configure alerts deduplication enable [true|false]
Description

Enable or disable the alert deduplication capabilities. The feature is enabled by default.

Where CLI
To apply

It is applied automatically

Check the communication ports for alert deduplication

Product Guardian
Syntax conf.user configure alerts deduplication check_ports [true|false]
Description This option lets you choose whether or not the ports must be taken into account when deduplicating alerts. Setting the value to true (default), two alerts must have the same source and destination ports for them to be considered duplicate and be deduplicated into a single alert (more selective deduplication effect). Setting the value to false, the user obtains a potentially broader deduplication effect.
Where CLI
To apply It is applied automatically

Size of the buffer for alert deduplication

Product Guardian
Syntax conf.user configure alerts deduplication buffer_size <num>
Description

By default, 2000 different alerts with their corresponding counter are stored in memory and written to the DB at a regular interval. This number can be tweaked depending on the appliance memory limits and on the number of different alerts that need to be deduplicated in the environment. The default should be generous enough for all production environments.

Parameters num: Size of the deduplication buffer
Where CLI
To apply It is applied automatically

Update interval for alert deduplication

Product Guardian
Syntax conf.user configure alerts deduplication update_interval <num>
Description By default, the counter for every deduplicated alert is written to the database every 5 minutes (300 seconds). The deduplication counter of a single alert is also updated on the database when the maximum size of the duplication buffer is reached; the corresponding alert goes out of scope and is removed from the buffer, but the counter is updated to persist the information. Afterwards, if a similar new alert is raised, the counter for the previous alert will not be updated but the creation of a new alert will be triggered.
Parameters num: Update interval for the alert deduplication in seconds
Where CLI
To apply It is applied automatically

Disable alert deduplication for specific alert types

Product Guardian
Syntax conf.user configure alerts deduplication disabled_types <arr>
Description By default, alert deduplication is on for all alert types. However, the feature can be disabled for some alert types. For example: configure alerts deduplication disabled_types ["SIGN:MULTIPLE-UNSUCCESSFUL-LOGINS", "SIGN:MULTIPLE-ACCESS-DENIED"]
Parameters arr: Array of disabled alert types for the alert deduplication feature
Where CLI
To apply It is applied automatically

Configure maximum number of victims

Product Guardian
Syntax conf.user configure alerts max_victims <num>
Description Define the maximum number of victims that each alert can contain. Victims exceeding the given value are not stored. Default value is 10.
Parameters num: Maximum number of victims stored for each alert
Where CLI
To apply It is applied automatically

Configure maximum number of attackers

Product Guardian
Syntax conf.user configure alerts max_attackers <num>
Description Define the maximum number of attackers that each alert can contain. Attackers exceeding the given value are not stored. Default value is 10.
Parameters num: Maximum number of attackers stored for each alert
Where CLI
To apply It is applied automatically

Show/hide credentials

Product Guardian
Syntax conf.user configure alerts hide_username_on_alerts [true|false]
Syntax conf.user configure alerts hide_password_on_alerts [true|false]
Description This flags determine whether usernames or passwords should be presented in the alert. By default, the credentials are visible. Affected alert types: SIGN:MULTIPLE-ACCESS-DENIED, SIGN:MULTIPLE-UNSUCCESSFUL-LOGINS, SIGN:PASSWORD:WEAK.
Where CLI
To apply It is applied automatically

Configure maximum length of description

Product Guardian
Syntax conf.user configure alerts max_description_length <nchars>
Description

Define the maximum number of characters that can contain the description of each incident. When an incident is appendding an alert description, the append is performed only if the incident description length is smaller then the limit.

Parameters nchars: Maximum number of characters allowed in the description of each incident
Where CLI
To apply It is applied automatically

Configure MITRE ATT&CK mapping rules

Product Guardian
Syntax for MITRE ATT&CK for ICS mappings conf.user configure alerts mitre_attack ics_mapping <path>
Syntax for MITRE ATT&CK Enterprise mappings conf.user configure alerts mitre_attack enterprise_mapping <path>
Description Customize the rules used to assign MITRE ATT&CK techniques to alerts by means of an external file. The file has the following format. Each line defines a rule; the rule specifies an alert type ID followed by a semicolon and a comma-separated list of MITRE ATT&CK technique IDs. For instance, the line SIGN:PROGRAM:TRANSFER;T0843,T0853 instructs Guardian that alerts of type SIGN:PROGRAM:TRANSFER must be assigned both the T0843 and T0853 MITRE ATT&CK techniques.
Parameters path: The path to the file containing the rules
Where CLI
To apply It is applied automatically

Enable storing of alerts not visible under the current security profiles

Product Guardian
Syntax conf.user configure alerts save_invisible_alerts [true|false]
Description Alerts are not stored into the database, if they are not visible under the current security profile and they are not part of an incident. This command can change this behavior and allow the above alerts to be stored.
Where CLI
To apply

In a shell console execute: service n2osalert stop

Configure red assertions behavior

Product Guardian
Syntax conf.user configure assertion_element_monitoring [enabled|disabled]
Description By default, an assertion is boolean; it is either red or green, and upon turning red the assertion may send alerts. This configuration allows the assertions to actively monitor lists of elements (such as nodes, labels, etc.), and send new alerts for any additional elements that break the assertion, and when an alert is closed and the triggering asserted element is still present.

Disabled by default.

Where CLI
To apply It is applied automatically

Configure packet rules alerts limit

Product Guardian
Syntax conf.user configure packet_rules alerts_per_session [limit]
Description

Alerts risen by packet rules have a limit per alert class and per session This limit, which is 1 by default, can be relaxed or removed entirely. A value of -1 means unlimited. A value of 0 will completely disable these alerts.

Where CLI
To apply It is applied automatically

Configure how Threat Intelligence contents are handled

Product Guardian
Syntax conf.user configure alerts contents <json_value>
Description

This command configures how Threat Intelligence contents are to be loaded. The JSON object can have the following attributes:

  • load_contents - this can be true/false to enable/disable the loading of contents;
  • stix_backend_provider - selects the engine to be used for STIX indicators: 'memory' (indicators are stored in memory - default) or 'db' (indicators are stored in the system database). With 'db', the application memory requirements become lower, but STIXv1 (XML) indicators are not supported;
  • loaded_content_types - this is a JSON array of contents to be loaded.

Contents available are:

  • stix_indicators

As an example, the following command will disable completely contents loading:

conf.user configure alerts contents { "load_contents": false }

As a further example, the following command will allow only stix indicators rules to be loaded:

conf.user configure alerts contents { "loaded_content_types": [ "stix_indicators" ] }

As another example, the following command will configure the usage of the system database for storing STIX indicators related information, reducing the application memory footprint:

conf.user configure alerts contents { "stix_backend_provider": "db" }

Parameters json_value: A JSON object to configure how Threat Intelligence contents are loaded
Where CLI
To apply

In a shell console execute: service n2osalert stop