McAfee EPOCDE-AA-BA Product Guide - Page 213
18  Responding to events in your network
Automatic Responses and how it works

This design allows you to configure independent rules at different levels of the System Tree. These rules can have different:

• Thresholds for sending a notification message. For example, an administrator of a particular group wants to be notified if viruses are detected on 100 systems within 10 minutes in that group, while a global administrator does not want to be notified unless viruses are detected on 1,000 systems across the entire environment in the same amount of time.
• Recipients for the notification message. For example, an administrator for a particular group wants to be notified only if a specified number of virus detection events occur within the group, or a global administrator wants each group administrator to be notified if a specified number of virus detection events occur anywhere in the System Tree.

Server events are not filtered by System Tree location.

Throttling, aggregation, and grouping

You can configure when notification messages are sent by setting thresholds based on aggregation, throttling, or grouping.

Aggregation
Use aggregation to set the event thresholds at which the rule sends a notification message. For example, configure the same rule to send a notification message when the server receives 1,000 virus detection events from different systems within an hour, or whenever it receives 100 virus detection events from any single system.

Throttling
Once you have configured the rule to notify you of a possible outbreak, use throttling to ensure that you do not receive too many notification messages. If you are administering a large network, you might receive tens of thousands of events in an hour, which such a rule would turn into thousands of notification messages. Automatic Responses lets you throttle the number of notification messages a single rule sends. For example, you can specify in this same rule that you do not want to receive more than one notification message per hour. Throttling limits how often the rule sends a message; it does not change which events the rule matches.

Grouping
Use grouping to combine multiple aggregated events. For example, events with the same severity can be combined into a single group. Grouping allows an administrator to take action on all events of the same and higher severity at once. It also allows you to prioritize the events generated at managed systems or at servers.

Default rules

ePolicy Orchestrator provides four default rules that you can enable for immediate use while you learn more about the feature. Before enabling any of the default rules:

• Specify the email server (click Menu | Configuration | Server Settings) from which the notification messages are sent.
• Ensure that the recipient email address is the one you want to receive the messages. This address is configured on the Actions page of the wizard.

McAfee® ePolicy Orchestrator® 4.6.0 Software Product Guide 213
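To make the three controls concrete, the following Python model is an added example (not ePolicy Orchestrator code and not taken from the product guide) of a single response rule processing a constructed stream of detection events. The thresholds are scaled down from the guide's figures (5 distinct systems within 10 minutes instead of 100, 3 events from one system instead of 100, and at most one message per hour); the Event fields, the ResponseRule class, the severity scale and the assumption that events consumed by a notification start a fresh count are all assumptions of this example.

```python
"""Constructed model of how an ePO-style Automatic Response rule applies
aggregation, throttling and grouping to a stream of detection events.
Added example: not ePolicy Orchestrator code. The thresholds, field names
and event data are assumptions scaled down so the behaviour is visible."""
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Optional


@dataclass(frozen=True)
class Event:
    ts: int         # seconds since an arbitrary start (constructed)
    system: str     # managed system that reported the detection
    severity: int   # assumed scale: higher number = more severe


@dataclass
class ResponseRule:
    window: int             # aggregation window, seconds
    distinct_systems: int   # notify when this many different systems report...
    per_system: int         # ...or when any one system reports this many times
    throttle: int           # send at most one notification per this many seconds
    _buffer: Deque[Event] = field(default_factory=deque)
    _last_sent: Optional[int] = None

    def feed(self, ev: Event) -> Optional[List[Event]]:
        """Offer one event to the rule. Returns the aggregated events behind a
        notification, or None when thresholds are not met or throttling applies."""
        self._buffer.append(ev)
        # Aggregation: only events inside the trailing window count.
        while ev.ts - self._buffer[0].ts >= self.window:
            self._buffer.popleft()
        counts: Dict[str, int] = {}
        for e in self._buffer:
            counts[e.system] = counts.get(e.system, 0) + 1
        threshold_met = (len(counts) >= self.distinct_systems
                         or max(counts.values()) >= self.per_system)
        if not threshold_met:
            return None
        # Throttling: the threshold may be met again and again during an
        # outbreak, but only one message per throttle period goes out.
        if self._last_sent is not None and ev.ts - self._last_sent < self.throttle:
            return None
        self._last_sent = ev.ts
        sent = list(self._buffer)
        self._buffer.clear()   # assumption: events consumed by a notification start a fresh count
        return sent


def group_by_severity(events: List[Event]) -> Dict[int, List[Event]]:
    """Grouping: combine aggregated events that share a severity."""
    groups: Dict[int, List[Event]] = {}
    for e in events:
        groups.setdefault(e.severity, []).append(e)
    return groups


def at_or_above(groups: Dict[int, List[Event]], severity: int) -> List[Event]:
    """Select every group with the given severity or higher, so one action
    can be taken on all of them at once."""
    return [e for sev, evs in groups.items() if sev >= severity for e in evs]


# Constructed event stream: five distinct systems within ten minutes, then a
# burst from one system that is suppressed by throttling, then a later burst
# once the throttle period has elapsed.
SAMPLE_EVENTS = [
    Event(0, "ws-01", 2), Event(60, "ws-02", 2), Event(120, "ws-03", 3),
    Event(180, "ws-04", 2), Event(240, "ws-05", 4),
    Event(300, "ws-06", 3), Event(310, "ws-06", 3), Event(320, "ws-06", 3),
    Event(3900, "ws-07", 1), Event(3910, "ws-07", 1), Event(3920, "ws-07", 1),
]


def run_scenario() -> List[List[Event]]:
    """Scaled-down analogue of '100 systems in 10 minutes, one message per hour'."""
    rule = ResponseRule(window=600, distinct_systems=5, per_system=3, throttle=3600)
    notifications: List[List[Event]] = []
    for ev in SAMPLE_EVENTS:
        batch = rule.feed(ev)
        if batch is not None:
            notifications.append(batch)
    return notifications


if __name__ == "__main__":
    for n, batch in enumerate(run_scenario(), 1):
        groups = group_by_severity(batch)
        print(f"notification {n}: {len(batch)} events, severities {sorted(groups)}, "
              f"{len(at_or_above(groups, 3))} at severity >= 3")
```

Running it produces two notifications: the first when the fifth distinct system reports at 240 seconds, the second when ws-07 reports three times after the one-hour throttle has elapsed. The three ws-06 events at 300 to 320 seconds meet the per-system threshold but fall inside the throttle period, so no message is sent for them; this is the trade-off the guide describes, fewer messages at the cost of not hearing about every threshold crossing.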