Alerts Operations

The Alerts tab enables you to automatically send an e-mail message whenever one or more Active Protection thresholds are reached. Alerts act as an early warning system: they tell you when something out of the ordinary is happening so that you can act before a possible problem spreads. The information in an alert message is enough to give you a good idea of what is happening, but you should always return to the console and use the Threat Events View to get complete details.

Requirements

Implementing Alerts

To use the Active Protection alert feature you simply:


Enable alerts


Select this check box to turn on the Active Protection alert feature. Selecting it also enables the related options on this tab.

Infected machine count

Defines how many different agent machines must report Active Protection threats to the console before an alert is triggered. If this number is met or exceeded within the infection time window, an alert is sent to the selected recipients. Many machines reporting threats within a short period can indicate an organization-wide attack on your network.

Only Active Protection threats are counted. Informational messages such as the starting or stopping of Active Protection are ignored.

To view the Active Protection threats that have been reported to the console, use the Threat Events View.

Distinct threat count

Defines how many different threats detected by Active Protection must be reported to the console before an alert is triggered. If this number is met or exceeded within the infection time window, an alert is sent to the selected recipients.

Only Active Protection threats that are quarantined or deleted are counted against the threshold value. Informational messages such as the starting or stopping of Active Protection are ignored.

To view the Active Protection threats that have been reported to the console, use the Threat Events View.

Infection time window

This represents a sliding window of time. To trigger an alert, the infected machine count or the distinct threat count must meet or exceed its threshold within this period. When the threats are received is therefore just as important as how many are received. The reasoning is as follows: if X threats are detected over a long period of time, that probably represents normal network activity, but if X threats are detected within a very short time, your network may be under attack.

When an alert is issued, both counts are reset to zero and a new time window starts, so the same events do not trigger a second alert.
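The thresholds described above (infected machine count, distinct threat count, sliding infection time window, reset after an alert, informational events ignored) amount to a small rate-based detector. The following is an added example that reproduces that logic in Python; it is not code from the product or its console. The event fields, the action names "quarantined", "deleted" and "ap_started", and the sample events are all constructed for the example.

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed sample of Active Protection events as a console might receive them:
# (timestamp, agent machine, threat name, action). Field names and action values
# are assumptions for this example, not the product's actual schema.
SAMPLE_EVENTS = [
    ("2024-05-01 09:00:00", "ws-01", "Trojan.A", "quarantined"),
    ("2024-05-01 09:00:05", "ws-01", "",         "ap_started"),   # informational: ignored
    ("2024-05-01 09:01:10", "ws-02", "Trojan.A", "quarantined"),
    ("2024-05-01 09:02:30", "ws-03", "Worm.B",   "deleted"),
    ("2024-05-01 09:03:00", "ws-04", "Trojan.A", "quarantined"),  # 4th machine in window
    ("2024-05-01 09:04:00", "ws-05", "Adware.C", "quarantined"),  # counted fresh after alert
    ("2024-05-01 12:00:00", "ws-06", "Worm.B",   "deleted"),      # earlier events have expired
]

# Only threats that were acted on count toward the thresholds (assumption,
# following the page's note that quarantined or deleted threats are counted).
COUNTED_ACTIONS = {"quarantined", "deleted"}
TS_FORMAT = "%Y-%m-%d %H:%M:%S"


class AlertMonitor:
    """Sliding-window alerting over Active Protection threat events."""

    def __init__(self, machine_threshold, threat_threshold, window):
        self.machine_threshold = machine_threshold
        self.threat_threshold = threat_threshold
        self.window = window
        self.events = deque()  # (timestamp, machine, threat) still inside the window

    def _expire(self, now):
        # Drop events older than the window; the window slides with each new event.
        while self.events and now - self.events[0][0] > self.window:
            self.events.popleft()

    def observe(self, ts, machine, threat, action):
        """Feed one event. Returns an alert dict if a threshold is met, else None."""
        if action not in COUNTED_ACTIONS:
            return None  # informational messages such as start/stop are ignored
        now = datetime.strptime(ts, TS_FORMAT)
        self._expire(now)
        self.events.append((now, machine, threat))

        machines = {m for _, m, _ in self.events}
        threats = {t for _, _, t in self.events}
        reasons = []
        if len(machines) >= self.machine_threshold:
            reasons.append(f"{len(machines)} distinct machines >= {self.machine_threshold}")
        if len(threats) >= self.threat_threshold:
            reasons.append(f"{len(threats)} distinct threats >= {self.threat_threshold}")
        if not reasons:
            return None

        alert = {"at": ts, "machines": len(machines), "threats": len(threats), "reasons": reasons}
        # After an alert both counts reset and a new window starts.
        self.events.clear()
        return alert


def run(events, machine_threshold=4, threat_threshold=3, window_minutes=10):
    """Replay events through the monitor and return the alerts that would be e-mailed."""
    monitor = AlertMonitor(machine_threshold, threat_threshold, timedelta(minutes=window_minutes))
    alerts = []
    for ts, machine, threat, action in events:
        alert = monitor.observe(ts, machine, threat, action)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS):
        print(alert["at"], "; ".join(alert["reasons"]))
```

With the defaults (four machines or three distinct threats within ten minutes) the sample produces one alert at 09:03:00 on the machine count; the event at 12:00:00 finds the window empty because everything earlier has expired. Lowering the threat threshold to two produces a second alert, since the count starts again from zero after the first one.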

Daily summary

Specifies whether you want to receive a daily summary that shows the alerts that have been issued in the previous 24 hours. You can also specify the time of day you want to receive the summary.

Select alert recipients

Lists the contacts who will receive the alerts. The contacts shown are those in the address book. You can add new contacts or edit contact information by clicking the New Contact and Edit buttons, respectively.