Endpoint Protection

Alerts threshold question + best alert to create?

    Posted 11-27-2020 02:15 PM
    When I look at the default Suspicious Threat Detected alert in ICDm, I'm someone who wants to get an alert every time a threat is detected, so I set it to the first of the three radio buttons for Threshold, as:
    "At least 1 events occur on a single Device, in 60 Seconds. "
    (the items underlined are the variables).

    Does this 60 seconds mean that if two detections occur on one machine inside 60 seconds, I'd get only one alert?  I set the rate limit of notifications to the maximum of 24 in the section below that, and I set the Seconds to 1; I just figured I want the most alerting I can get.  Is my thinking correct?

    The other thing is:  I feel like these default alerts might be missing something, though I don't know what.  My overall goal is to get an alert every time any kind of malware, intrusion/web attack, Download Insight, SONAR, etc. picks up anything considered "bad".  I just find that with these default alerts, most of them are about LU, licensing, etc., and very few are threat oriented.  I'm wondering if anyone has a single "killer alert" config to share?

    Side note:  as product feedback here:  the default threshold for malware/threat alerting seems to be set at 10 events.  As a result of that, I've had a few small business clients get a malware detection, but I never got alerts, because it wasn't as many as 10 times.

    My guess is this was designed by the product team to prevent alert fatigue out of the gate with enterprise clients, but I think the right call is not to limit by default, but let the admin make that choice.  Anyone unaware of this 10 event default will get burned initially.  I just assumed the alerts would let me know every time something is found, but right now I've missed about 3 malware alerts for clients and I'm just lucky the Default Daily Report showed me what happened the day before.
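The post above describes two knobs, an event threshold ("at least N events on a single device in W seconds") and a notification rate limit, and asks why a lone detection never produced an alert. The following is an added simulation of that style of rule, not ICDm's own code or a documented description of how ICDm evaluates its alert conditions; the sliding-window and rate-limit semantics are assumptions chosen to show why a per-device threshold of 10 silently drops single detections while a threshold of 1 surfaces every one. The detection events are constructed sample data.

```python
from collections import defaultdict, deque

# Constructed sample detections: (timestamp in seconds, device name).
# Two hits on ws-01 within 60 s, then isolated hits on two other devices.
SAMPLE_EVENTS = [
    (0, "ws-01"),
    (30, "ws-01"),
    (500, "ws-02"),
    (3600, "ws-03"),
]


def evaluate_alerts(events, min_events, window_secs,
                    max_notifications, rate_period_secs):
    """Replay detection events through an assumed threshold + rate-limit rule.

    min_events / window_secs : fire when a device accumulates at least
        min_events detections inside a sliding window of window_secs.
    max_notifications / rate_period_secs : send at most max_notifications
        alerts per rate_period_secs, regardless of device.
    Returns the list of (timestamp, device) alerts that would be sent.
    """
    per_device = defaultdict(deque)   # recent detection times per device
    sent = deque()                    # timestamps of notifications sent
    alerts = []

    for ts, device in sorted(events):
        window = per_device[device]
        window.append(ts)
        # Drop detections that have aged out of the per-device window.
        while window and ts - window[0] > window_secs:
            window.popleft()

        if len(window) < min_events:
            continue  # threshold not met: this is where a lone hit is lost

        # Threshold met: reset the window so the same events do not re-fire.
        window.clear()

        # Apply the global notification rate limit.
        while sent and ts - sent[0] > rate_period_secs:
            sent.popleft()
        if len(sent) >= max_notifications:
            continue  # suppressed by rate limit
        sent.append(ts)
        alerts.append((ts, device))

    return alerts


def compare_thresholds(events=SAMPLE_EVENTS):
    """Counts alerts under an assumed '10 events' default vs a '1 event' rule."""
    default_rule = evaluate_alerts(events, 10, 60, 24, 86400)
    every_hit = evaluate_alerts(events, 1, 60, 24, 86400)
    return len(default_rule), len(every_hit)


if __name__ == "__main__":
    suppressed, surfaced = compare_thresholds()
    print(f"threshold 10: {suppressed} alerts; threshold 1: {surfaced} alerts")
    for ts, dev in evaluate_alerts(SAMPLE_EVENTS, 1, 60, 24, 86400):
        print(f"  alert at t={ts}s on {dev}")
```

Running it shows the asymmetry the poster ran into: with a threshold of 10 none of the four sample detections ever alerts, whereas a threshold of 1 alerts on each. The rate-limit branch is what bounds the total when the threshold is set that low, so a small client with a handful of detections per day still gets all of them.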