The alerting engine for flow metrics coming from sensor capture acts on metrics filtered either by a child zone or by an application. The metric to alert on is then selected by "layer". Currently 25 application layers are supported for capture data alerting.
Layers supporting alerts
arp
bootp
citrix
citrix_channels
databases
dce_rpc
dns
email
ftp
http
icmp
ipsec
kerberos
ldap
non-ip
other-ip
rdp
smb
socks5
ssh
tcp
tls
udp
vnc
voip
These 8 layers do not currently support any alerting policies
cifs
flows
sql
transport
dce_rpc
dhcp
http2
ntlm
Care should be taken to create alerts only on metrics that are supported in the respective application layer. The user interface and the APIs do not currently restrict the selection to what the alerting engine supports; instead they expose every field in the PVQL database for each application. An upcoming patch release of Skylight analytics will filter the user interface so that unsupported policy conditions cannot be applied.
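Because the UI and APIs expose every PVQL field regardless of alerting support, a policy should be validated on the client side before it is submitted. The following validator is an added example and not Skylight code; it encodes the supported and unsupported layer lists and the unsupported-metric tables given on this page (only the common table and the BOOTP table are reproduced), and assumes a policy can be reduced to a (layer, metric) pair. Two choices go beyond the literal text and are assumptions: dce_rpc appears in both layer lists on this page and is treated as unsupported (the conservative reading), and because the page says ID and name fields are "generally" unsupported, any metric ending in ".id" or ".name" is rejected.

```python
"""Client-side validation of a capture alert policy against the layer and
metric support lists on this page. Added example, not Skylight code."""
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Layers listed on this page as supporting alerting policies.
SUPPORTED_LAYERS = {
    "arp", "bootp", "citrix", "citrix_channels", "databases", "dce_rpc",
    "dns", "email", "ftp", "http", "icmp", "ipsec", "kerberos", "ldap",
    "non-ip", "other-ip", "rdp", "smb", "socks5", "ssh", "tcp", "tls",
    "udp", "vnc", "voip",
}

# Layers listed on this page as having no alerting support.
# Assumption: dce_rpc is on both lists on the page; it is treated as
# unsupported here because that is the safe choice for a validator.
UNSUPPORTED_LAYERS = {
    "cifs", "flows", "sql", "transport", "dce_rpc", "dhcp", "http2", "ntlm",
}

# Metrics the page lists as unsupported for every layer.
COMMON_UNSUPPORTED = {"application.category.id", "application.category.name"}

# Per-layer unsupported metrics; only the BOOTP table from this page is included.
LAYER_UNSUPPORTED = {
    "bootp": {
        "client.ip", "dest.ip", "gateway.ip", "ignored_server.ip", "ip.family",
        "nameserver1.ip", "nameserver2.ip", "next_server.ip", "ntp.ip",
        "requested_ip", "router.ip", "server.ip", "source.ip", "subnet.ip",
        "uuid",
    },
}


@dataclass(frozen=True)
class PolicyCheck:
    ok: bool
    reason: str


def check_policy(layer: str, metric: str) -> PolicyCheck:
    """Return whether a (layer, metric) alert policy is supported, with a reason."""
    layer = layer.strip().lower()
    metric = metric.strip()
    # Unsupported layers are checked first so that dce_rpc resolves to "unsupported".
    if layer in UNSUPPORTED_LAYERS:
        return PolicyCheck(False, f"layer {layer!r} has no alerting support")
    if layer not in SUPPORTED_LAYERS:
        return PolicyCheck(False, f"unknown layer {layer!r}")
    if metric in COMMON_UNSUPPORTED:
        return PolicyCheck(False, f"{metric!r} is unsupported for all layers")
    # Assumption: the page says ID and name fields are "generally" unsupported;
    # reject every metric ending in ".id" or ".name" as the conservative reading.
    if metric.endswith((".id", ".name")):
        return PolicyCheck(False, f"{metric!r} is an ID/name field")
    if metric in LAYER_UNSUPPORTED.get(layer, set()):
        return PolicyCheck(False, f"{metric!r} is unsupported for layer {layer!r}")
    return PolicyCheck(True, "ok")


def rejected_policies(policies: Iterable[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Filter a batch of policies down to the ones that must not be submitted."""
    rejected = []
    for layer, metric in policies:
        result = check_policy(layer, metric)
        if not result.ok:
            rejected.append((layer, metric, result.reason))
    return rejected


if __name__ == "__main__":
    # Constructed sample policies; the dns/client.ip pair is assumed to be a
    # valid metric name for that layer, which this page does not confirm.
    sample = [
        ("bootp", "client.ip"),
        ("dhcp", "server.ip"),
        ("dns", "application.category.id"),
        ("dce_rpc", "source.ip"),
        ("dns", "client.ip"),
    ]
    for entry in rejected_policies(sample):
        print("reject:", entry)
```

Run the check against the policy body before calling the API, and treat any rejection as a hard failure; until the announced UI filtering ships, nothing on the server side will stop an unsupported condition from being saved.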
Metrics not supported for alert policies
Below is the list of unsupported metrics for alert policies within each application layer
Common unsupported alerting metrics for all layers

metric                     | comment
application.category.id    | ID fields are generally not supported for alerts
application.category.name  | Name fields are generally not supported for alerts
"BOOTP" layer unsupported metrics for alerts
metric | comment
client.ip
dest.ip
gateway.ip
ignored_server.ip
ip.family
nameserver1.ip
nameserver2.ip
next_server.ip
ntp.ip
requested_ip
router.ip
server.ip
source.ip
subnet.ip
uuid
"Citrix Channels" and "Citrix" layers unsupported metrics for alerts