Limited support: BMC provides limited support for this version of the product. As a result, BMC no longer accepts comments in this space. If you encounter problems with the product version or the space, contact BMC Support. BMC recommends upgrading to the latest version of the product. To see documentation for that version, see BMC AMI Command Center for Security 6.2.

Setting user alerts


You can use user alerts to track messages per user. To identify and track users, they must be defined on the Messages > Catalogs > Users tab.

The user alerts function can reduce the number of threads on the system by specifically targeting all users (or a group of matching users) with a single configuration alert and threshold that is applied across all matched users. Subsequently, if a message is received that matches the alert pattern, a separate instance of the alert is created to track that particular user. For example, you can set up a threshold of three invalid logins that is applied to each user independently, as opposed to all users or all messages.

This behavior is similar to the behavior of the alert devices function, except that alerts are applied to users instead of devices. Otherwise, the two screens operate almost identically.

To create a new user alert or edit an existing alert

  1. Navigate to Alerts > Users.
  2. Click AddNew or Edit to create or modify the alert parameters described below.

Parameter / Description

Pin This Alert To Top
  Pins the alert to the top of the list. Use it to keep track of particular user alerts of interest. Each operator can pin items without affecting other operators.

Match User Name
  Match pattern, wildcard, or macro that restricts the alert to a particular group of users (instead of all users). For an alert instance to be created, the user name (as it appears on the Messages > Catalogs > Users screen) must match this pattern. By default, an asterisk (*) matches all managed users.

Match IP Addr / Group
  IP address wildcard or address group to which the user alert applies. A message received from the specified address group (and that matches the Match Expression) causes a user alert instance to be created or updated.

Match Expression
  Keyword (possibly complex) that matches the message that creates or updates the user alert. Any message received that matches the Match IP Address and Match User Name values and also this value causes a user alert instance to be created or updated.

Compare Function
  Compare function to be used in the threshold test. You can only specify (GE) Greater Than Or Equal.

Threshold
  Threshold for the comparison, an integer value. (SPE2201) The threshold must be in the range 1 to 200 counts per interval (before SPE2201, 1 to 50), where the interval is the Test Interval value.

Test Interval
  Interval for the test, in seconds. When the counter exceeds the threshold counts per time interval, an alert is generated.

  Example: When the compare function is GE, the threshold is 10, and the test interval is 60, then a user alert is generated when more than 10 messages occur per minute.

Alert Message / Ticket Text
  Message that is sent back to the BMC Defender Server message stream, and that also serves as the text of the ticket (if assigned to an operator or ticket group). The field includes a Suggest option that suggests an appropriate message based on the system counter name, severity, compare function, and test interval.

Insert Variable
  Variable to insert into the alert message. You can incorporate various types of information in the alert message, such as the source IP address, related message content, and device description.

Alert Facility
  Syslog facility to be used when sending a message back to the message stream. The default value is Alert, but you can specify another facility appropriate for the alert.

Alert Severity
  Syslog severity to be used when sending a message back to the message stream; it also identifies the severity of any ticket assigned to a user. The value should indicate the severity of the alert condition, ranging from debug to emergency.

Assign Ticket To
  User or ticket group to which a ticket containing the alert message is assigned on the system. In addition to assigning a ticket to any BMC Defender Server user, you can assign tickets to ticket users defined in the Tickets > Config tab. When a ticket is opened, it can trigger specific actions, such as sending an email message.

User alert active instances

As with device alerts, each user alert can have multiple separate instances that are dynamically created when a message is received. These active instances persist until the alert is cleared, and then disappear. The Active Instances link lets you drill down and view the currently active user instances.

When a message is first received that matches the alert pattern, a copy of the alert is automatically created and identified by the managed user name. Subsequently, as more messages are received for the user, the count-per-time interval is maintained.

If the count exceeds the threshold, the alert is set, which causes a ticket to be opened on the system. No further tickets are created while that particular alert instance is set. When the alert is cleared, the instance is removed from the system, permitting the process to start over again.
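The per-user instance model described above (one configured alert, one dynamically created instance per matched user, GE threshold per test interval, no further tickets while an instance is set, instance removed on clear) can be simulated in a few dozen lines. The following is an added example written for this page, not BMC Defender Server code. It assumes shell-style wildcards for the user-name and IP patterns, a CIDR block as the address-group format, a case-insensitive keyword for the match expression, and a fixed (not sliding) test-interval window; the product's exact matching and windowing rules are not stated on the page.

```python
# Added example: simulation of per-user alert instances (not BMC Defender Server code).
# Matching, address-group format, and the fixed window are assumptions.
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
import ipaddress


@dataclass
class AlertInstance:
    """One dynamically created instance, identified by the managed user name."""
    user: str
    window_start: float        # start of the current test interval (assumed fixed window)
    count: int = 0             # messages counted in the current interval
    is_set: bool = False       # True once the threshold test fired and a ticket was opened


@dataclass
class UserAlert:
    """The single configured alert that is applied independently to every matched user."""
    match_user_name: str = "*"      # wildcard over the catalog user name ("*" = all managed users)
    match_ip: str = "*"             # wildcard over a dotted IP, or a CIDR block (assumed address-group format)
    match_expression: str = ""      # keyword searched case-insensitively in the message text (assumption)
    threshold: int = 3              # compare function is always GE
    test_interval: int = 60         # seconds
    instances: dict = field(default_factory=dict)

    def __post_init__(self):
        # The page gives 1..200 counts per interval as the valid range (SPE2201 and later).
        if not 1 <= self.threshold <= 200:
            raise ValueError("threshold must be between 1 and 200 counts per interval")


def ip_matches(pattern: str, addr: str) -> bool:
    """CIDR membership if the pattern contains '/', otherwise a wildcard match."""
    if "/" in pattern:
        return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
    return fnmatchcase(addr, pattern)


def process_message(alert: UserAlert, ts: float, user: str, ip: str, text: str) -> str:
    """Feed one received message; returns 'ignored', 'counted', 'ticket', or 'suppressed'."""
    if not (fnmatchcase(user, alert.match_user_name)
            and ip_matches(alert.match_ip, ip)
            and alert.match_expression.lower() in text.lower()):
        return "ignored"
    inst = alert.instances.get(user)
    if inst is None:
        # First matching message for this user creates a copy of the alert for that user.
        inst = alert.instances[user] = AlertInstance(user=user, window_start=ts)
    if inst.is_set:
        return "suppressed"          # no further tickets while this instance is set
    if ts - inst.window_start >= alert.test_interval:
        inst.window_start, inst.count = ts, 0   # new interval, fresh counter (assumption)
    inst.count += 1
    if inst.count >= alert.threshold:           # GE compare function
        inst.is_set = True
        return "ticket"
    return "counted"


def clear_instance(alert: UserAlert, user: str) -> None:
    """Clearing the alert removes the instance so the process can start over."""
    alert.instances.pop(user, None)


# Constructed sample stream: (timestamp in seconds, user, source IP, message text)
SAMPLE_MESSAGES = [
    (0,   "alice", "10.1.2.3",    "Failed login for user alice"),
    (10,  "alice", "10.1.2.3",    "Failed login for user alice"),
    (15,  "alice", "10.1.2.3",    "Successful login for user alice"),  # keyword does not match
    (20,  "bob",   "10.1.2.4",    "Failed login for user bob"),
    (30,  "alice", "10.1.2.3",    "Failed login for user alice"),      # 3rd in 60 s -> ticket
    (40,  "alice", "10.1.2.3",    "Failed login for user alice"),      # instance set -> suppressed
    (50,  "carol", "192.168.7.7", "Failed login for user carol"),      # outside the address group
    (100, "bob",   "10.1.2.4",    "Failed login for user bob"),        # bob's interval expired
]


def run_sample() -> list:
    """Three invalid logins per minute, per user, as in the example on the page."""
    alert = UserAlert(match_ip="10.1.0.0/16", match_expression="failed login",
                      threshold=3, test_interval=60)
    results = [process_message(alert, *msg) for msg in SAMPLE_MESSAGES]
    clear_instance(alert, "alice")   # operator clears alice's alert; instance disappears
    results.append(process_message(alert, 120, "alice", "10.1.2.3", "Failed login for user alice"))
    return results


if __name__ == "__main__":
    for outcome in run_sample():
        print(outcome)
```

The outcomes show the three behaviours the page describes: alice's third failed login within the interval opens a ticket, her fourth is suppressed rather than opening a second ticket, and after the alert is cleared her next failed login starts a brand-new instance at count 1; bob's counter is independent of alice's, and carol never gets an instance because her source address is outside the configured group.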
