Re: Stealthwatch email alert dashboard alarm

J_Vansen_S · ‎07-12-2019

Stealthwatch 7.0

Hi All, how do i set email alert on alarm/trigger that is shown on the stealthwatch dashbboard.

Reason being that administrator does not login to stealthwatch 24/7 or monitor the dashboard realtime

Appreciate any advise

J_Vansen_S · ‎07-24-2019

no one else uses this feature on Stealthwatch?

reheindel · ‎08-06-2019

It was somewhat involved - but there was a couple of things a consulting engineer helped us with:

1. Classify the severity each of the Alarm Types for: Informational, Trivial, Minor, Major, or Critical

Java client: Configuration > Alarm Configuration

Example: High Traffic is severity MINOR, Worm Propagation is severity CRITICAL, etc...

(See Attachment: alarm-configuration)

2. Create Response Management Action Rules

Java Client: Configuration > Response Management

We defined three different action rules - one for CRITICAL alarms, one for MAJOR alarms, and one for all other severity

(In our case PRIORITY A EMAIL means CRITICAL, PRIORITY B EMAIL means MAJOR, PRIORITY C EMAIL C means everything else)

We created three separate action rules so we can turn off the action (email) depending on the severity - or send to a different recipient

(See Attachment: email-action-rules & email-action-priority-a-email)

3. Create Host Alarm Response Management Rule

Java Client: Configuration > Response Management

This is where you determine the severity of the alarm - and take action based upon the severity

We defined three different host alarm response rules - one for CRITICAL alarms, one for MAJOR alarms, and one for all other severity

(In our case PRIORITY ALARM: A means CRITICAL, PRIORITY ALARM: B means MAJOR, PRIORITY ALARM: C is everything else)

Again:

PRIORITY ALARM: A rules point to the PRIORITY A EMAIL action rule

PRIORITY ALARM: B rules point to the PRIORITY B EMAIL action rule

PRIORITY ALARM: C rules point to the PRIORITY C EMAIL action rule

In our case we only send emails for CRITICAL severity
(See Attachment: response-management)

The logic is a bit strange on host alarm rules - I have attached screenshots for each

See Attachments: priority-alarm-a, priority-alarm-b, priority-alarm-c)

Hope this helps!

Bob

J_Vansen_S · ‎08-12-2019

Thanks so much Reheindel, that was of great help!

Will try the email notification out

1st time deploying the stealthwatch and i have assumed most can be done on the GUI, why have the JAVA as a redundant feature to complement the GUI? just puzzled

reheindel · ‎08-13-2019

Glad to help!

We are fairly new to Stealthwatch as well - from what I understand the product was Java based from its inception with Lancope - but since the acquisition by Cisco an emphasis has been to make most - if not all the Java features available via the web gui.

Obviously the re-write is a massive effort - thus you will find things still only available in the Java client - but I understand that over time as new releases come out you will see the web gui receiving the same features as the java client.

I suspect that eventually the Java client will be removed from the product as dual development is not really sustainable.

Bob

dlucas · ‎08-26-2019

Where are the SMTP relay settings configured at?

dlucas · ‎08-26-2019

Where are the SMTP relay settings configured at?

brford · ‎08-05-2019

You want to take a a look at the Stealthwatch 'Response Management capability from the Java client. Response Management allows the admin user to configure how to parse data and share it from the Stealthwatch Management Console.

Brian Ford | brford@cisco.com | brford@yahoo.com | 51 75 61 6c 69 74 79 20 6d 65 61 6e 73 20 64 6f 69 6e 67 20 69 74 20 72 69 67 68 74 20 77 68 65 6e 20 6e 6f 20 6f 6e 65 20 69 73 20 6c 6f 6f 6b 69 6e 67 2e | Email me when you figure this out.