07-12-2019 12:16 AM - last edited on 08-20-2019 10:23 AM by dhuckaby
Stealthwatch 7.0
Hi all, how do I set an email alert on an alarm/trigger that is shown on the Stealthwatch dashboard?
The reason being that the administrator does not log in to Stealthwatch 24/7 or monitor the dashboard in real time.
Appreciate any advice.
07-24-2019 11:12 PM
No one else uses this feature on Stealthwatch?
08-06-2019 12:31 PM - edited 08-06-2019 12:32 PM
It was somewhat involved, but there were a couple of things a consulting engineer helped us with:
1. Classify the severity of each of the Alarm Types as Informational, Trivial, Minor, Major, or Critical
Java client: Configuration > Alarm Configuration
Example: High Traffic is severity MINOR, Worm Propagation is severity CRITICAL, etc.
(See Attachment: alarm-configuration)
2. Create Response Management Action Rules
Java Client: Configuration > Response Management
We defined three different action rules: one for CRITICAL alarms, one for MAJOR alarms, and one for all other severities
(In our case PRIORITY A EMAIL means CRITICAL, PRIORITY B EMAIL means MAJOR, PRIORITY C EMAIL means everything else)
We created three separate action rules so we can turn off the action (email) depending on the severity, or send to a different recipient
(See Attachment: email-action-rules & email-action-priority-a-email)
3. Create Host Alarm Response Management Rule
Java Client: Configuration > Response Management
This is where you determine the severity of the alarm and take action based upon the severity
We defined three different host alarm response rules: one for CRITICAL alarms, one for MAJOR alarms, and one for all other severities
(In our case PRIORITY ALARM: A means CRITICAL, PRIORITY ALARM: B means MAJOR, PRIORITY ALARM: C is everything else)
Again:
PRIORITY ALARM: A rules point to the PRIORITY A EMAIL action rule
PRIORITY ALARM: B rules point to the PRIORITY B EMAIL action rule
PRIORITY ALARM: C rules point to the PRIORITY C EMAIL action rule
In our case we only send emails for CRITICAL severity
(See Attachment: response-management)
The logic is a bit strange on host alarm rules; I have attached screenshots for each
(See Attachments: priority-alarm-a, priority-alarm-b, priority-alarm-c)
Hope this helps!
Bob
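The three-layer chain Bob lays out (alarm type to severity, host alarm rule to action rule, action rule to email) is easy to get wrong in the GUI because the toggle lives on the action rule rather than on the host alarm rule. The following is an added example, not code from the thread or from Cisco, that models that chain so the routing can be reasoned about and tested offline. Alarm-type classifications other than the two named in the post, the recipient addresses, and the SMTP relay host and port are assumptions; the thread does not say where the relay is configured.

```python
# Added example (not from the thread or from Cisco): model of the Stealthwatch
# Response Management chain described above. Names and addresses are assumptions.
from dataclasses import dataclass
from email.message import EmailMessage
import smtplib

SEVERITIES = ("INFORMATIONAL", "TRIVIAL", "MINOR", "MAJOR", "CRITICAL")

# Step 1: severity per alarm type (Configuration > Alarm Configuration).
# Constructed sample: the first two come from the post, the rest are assumed.
ALARM_SEVERITY = {
    "Worm Propagation": "CRITICAL",
    "High Traffic": "MINOR",
    "Suspect Data Hoarding": "MAJOR",     # assumed classification
    "New Host Active": "INFORMATIONAL",   # assumed classification
}


@dataclass
class EmailAction:
    """Step 2: an action rule. It can be disabled on its own, which is why
    the post uses one action rule per priority."""
    name: str
    recipients: tuple
    enabled: bool = True


@dataclass
class HostAlarmRule:
    """Step 3: a host alarm rule that matches a set of severities and points
    at exactly one action rule."""
    name: str
    severities: frozenset
    action: EmailAction


def classify(alarm_type):
    """Return the configured severity; unknown types fall back to INFORMATIONAL."""
    return ALARM_SEVERITY.get(alarm_type, "INFORMATIONAL")


def build_rules(only_critical=True):
    """Three action rules and three host alarm rules, as in the post. With
    only_critical=True only PRIORITY A EMAIL is enabled, matching 'we only
    send emails for CRITICAL severity'."""
    a = EmailAction("PRIORITY A EMAIL", ("soc-oncall@example.test",))
    b = EmailAction("PRIORITY B EMAIL", ("soc@example.test",), enabled=not only_critical)
    c = EmailAction("PRIORITY C EMAIL", ("netops@example.test",), enabled=not only_critical)
    everything_else = frozenset(SEVERITIES) - {"CRITICAL", "MAJOR"}
    return [
        HostAlarmRule("PRIORITY ALARM: A", frozenset({"CRITICAL"}), a),
        HostAlarmRule("PRIORITY ALARM: B", frozenset({"MAJOR"}), b),
        HostAlarmRule("PRIORITY ALARM: C", everything_else, c),
    ]


def route(alarm_type, host, rules, send):
    """Classify the alarm, pick the first matching host alarm rule and fire its
    action through `send(recipients, subject)`. Returns the action name that
    fired, or None when no rule matched or the matched action is disabled."""
    severity = classify(alarm_type)
    for rule in rules:
        if severity in rule.severities:
            if not rule.action.enabled:
                return None
            subject = f"[Stealthwatch {severity}] {alarm_type} on {host}"
            send(rule.action.recipients, subject)
            return rule.action.name
    return None


def smtp_send(recipients, subject, relay_host="smtp-relay.example.test", relay_port=25):
    """Deliver through an SMTP relay. Relay host/port are assumptions; plug this
    in as the `send` argument of route() in a real deployment."""
    msg = EmailMessage()
    msg["From"] = "stealthwatch@example.test"
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(subject)
    with smtplib.SMTP(relay_host, relay_port, timeout=10) as smtp:
        smtp.send_message(msg)


if __name__ == "__main__":
    sent = []
    rules = build_rules(only_critical=True)
    for alarm, host in [("Worm Propagation", "10.0.0.5"), ("High Traffic", "10.0.0.9")]:
        print(alarm, "->", route(alarm, host, rules, lambda r, s: sent.append((r, s))))
    print(sent)
```

Running it with the default rules shows the asymmetry worth checking in the real console: Worm Propagation fires PRIORITY A EMAIL, while High Traffic matches PRIORITY ALARM: C but produces no mail because the PRIORITY C EMAIL action is switched off, not because the host alarm rule is missing.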
08-12-2019 11:52 PM - edited 08-12-2019 11:53 PM
Thanks so much Reheindel, that was of great help!
Will try the email notification out
It is my first time deploying Stealthwatch and I had assumed most of it could be done on the GUI. Why have the Java client as a redundant feature to complement the GUI? Just puzzled.
08-13-2019 07:03 AM
Glad to help!
We are fairly new to Stealthwatch as well. From what I understand the product was Java based from its inception with Lancope, but since the acquisition by Cisco the emphasis has been on making most, if not all, of the Java features available via the web GUI.
Obviously the rewrite is a massive effort, thus you will find things still only available in the Java client, but I understand that over time, as new releases come out, you will see the web GUI receiving the same features as the Java client.
I suspect that eventually the Java client will be removed from the product, as dual development is not really sustainable.
Bob
08-26-2019 08:48 AM
08-26-2019 08:50 AM
Where are the SMTP relay settings configured at?
08-05-2019 12:06 PM
You want to take a look at the Stealthwatch 'Response Management' capability in the Java client. Response Management allows the admin user to configure how to parse data and share it from the Stealthwatch Management Console.