A sensor can be used as an alternative to a correlation rule (see this section) when the number of occurrences is high.
Sensors detect when a large number of events repeat within a time interval and alert the admin when a specific threshold is exceeded. On the other hand, a sensor is less flexible than a correlation rule.
- A mail server must be configured. See this section to learn how to configure a mail server.
- The pattern must belong to a specific class.
In the SGBox web interface, go to SGBOX > LCE > Sensors.
Click on New Sensor.
On the left, in the Events tab, find the events of interest and drag them into the correct section on the right.
The next step is to configure the Action. Find it in the Actions tab and drag it into the correct section. Here we choose Send Email.
It is also important to define a Timeout. The Timeout is the maximum time (in seconds) between the first and the last occurrence of the event. In the sensor you also need to specify the number of Occurrences.
You can assign the DISTINCT flag to a parameter in order to count the occurrences separately for each value of that parameter.
In our case, the sensor sends an alert when 10 logon failures occur from the same TargetUserName within 300 seconds.
For the event it is possible to specify these operators:
- CNT: total count of events for the specified parameter, regardless of its value.
- DISTINCT: total count of events for each distinct value of the specified parameter.
Click on Save to finish the wizard.
Give it a name and a description, and click the Active flag to enable it.
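To make the Occurrences/Timeout semantics concrete, here is an added Python emulation of the sensor's counting logic (example code, not SGBox's own implementation). It covers both operators described above: DISTINCT keys the count by TargetUserName, CNT counts every matching event together. The event sample, the run_sensor function and its parameters are constructed for this illustration.

```python
from collections import defaultdict, deque

# Constructed sample of logon-failure events as (timestamp_seconds, TargetUserName).
# "alice": 10 failures 30 s apart (fits in a 300 s window)
# "bob":   10 failures 60 s apart (spread over 540 s, never 10 inside 300 s)
# "carol": 3 failures only
SAMPLE_EVENTS = (
    [(30 * i, "alice") for i in range(10)]
    + [(60 * i, "bob") for i in range(10)]
    + [(100, "carol"), (200, "carol"), (5000, "carol")]
)


def run_sensor(events, occurrences=10, timeout=300, distinct=True):
    """Emulate a sensor with threshold `occurrences` and Timeout `timeout` seconds.

    distinct=True  -> DISTINCT: one sliding window per parameter value.
    distinct=False -> CNT: a single window over all matching events.
    The Timeout is the maximum gap between the first and last event of a window.
    Returns a list of (key, first_ts, last_ts) tuples, one per fired alert.
    """
    windows = defaultdict(deque)
    alerts = []
    for ts, value in sorted(events):
        key = value if distinct else "*"
        window = windows[key]
        window.append(ts)
        # Drop events older than the Timeout relative to the newest one.
        while window and ts - window[0] > timeout:
            window.popleft()
        if len(window) >= occurrences:
            alerts.append((key, window[0], ts))
            window.clear()  # reset so the same burst does not fire twice
    return alerts


if __name__ == "__main__":
    for key, first, last in run_sensor(SAMPLE_EVENTS):
        print(f"ALERT: {key} reached threshold between t={first}s and t={last}s")
```

With the sample above, DISTINCT fires only for "alice", while CNT fires as soon as any 10 failures from any users fall within 300 seconds.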