Alerts for capture sensor data
  • 09 Apr 2024

Overview

The alerting engine for flow metrics coming from sensor capture acts on metrics filtered by either a child zone or an application. The metric to alert on is then selected by "layer".
Currently 25 application layers are supported in capture data alerting.

Layers supporting alerts:
  • arp
  • bootp
  • citrix
  • citrix_channels
  • databases
  • dce_rpc
  • dns
  • email
  • ftp
  • http
  • icmp
  • ipsec
  • kerberos
  • ldap
  • non-ip
  • other-ip
  • rdp
  • smb
  • socks5
  • ssh
  • tcp
  • tls
  • udp
  • vnc
  • voip
These 8 layers currently do not support any alerting policies:
  • cifs
  • flows
  • sql
  • transport
  • dce_rpc
  • dhcp
  • http2
  • ntlm

Care should be taken to create alerts only on metrics that are supported in the respective application layer. The user interface and APIs currently do not limit the selection to what the alerting engine supports; instead they expose every field in the PVQL database for each application, so a policy condition on an unsupported metric can be saved even though the engine cannot act on it.
An upcoming patch release of Skylight analytics will filter the user interface so that unsupported policy conditions cannot be applied.


Metrics not supported for alert policies

Below is the list of metrics that cannot be used in alert policies, per application layer. Layers that are not listed here (for example arp, icmp, kerberos, ssh, tcp and udp) have no layer-specific exclusions beyond the common ones.

Common unsupported alerting metrics for all layers

metric                       comment
application.category.id      ID fields are generally not supported for alerts
application.category.name    Name fields are generally not supported for alerts

"BOOTP" layer unsupported metrics for alerts

metric                       comment
client.ip
dest.ip
gateway.ip
ignored_server.ip
ip.family
nameserver1.ip
nameserver2.ip
next_server.ip
ntp.ip
requested_ip
router.ip
server.ip
source.ip
subnet.ip
uuid

"Citrix Channels" and "Citrix" layers unsupported metrics for alerts

metric                       comment
client.payload.pdus
client.payload.ratio
dest.payload.pdus
dest.payload.ratio
payload.pdus
payload.ratio
server.payload.pdus
server.payload.ratio
source.payload.pdus
source.payload.ratio

"Databases" layer unsupported metrics for alerts

metric                       comment
query_256
system

"DCE RPC" layer unsupported metrics for alerts

metric                       comment
dcom.arguments
dcom.arguments_lengths

"DNS" layer unsupported metrics for alerts

metric                       comment
resolved_ip

"Email" layer unsupported metrics for alerts

metric                       comment
attachments.sha256
recipients

"FTP" layer unsupported metrics for alerts

metric                       comment
ftp.file.sha256
ftp.reply_codes
ftp.reply_codes.counters

"HTTP" layer unsupported metrics for alerts

metric                       comment
content_description
content_disposition
domain.primary
domain.short
domain.toplevel
error.hits                   use page.errors instead
http.version.major
http.version.minor
referrer
request.payload.sha256
response.category
response.payload.sha256
response.status.category
url.base
url.path

"SMB" layer unsupported metrics for alerts

metric                       comment
smb.change_time
smb.create_options
smb.creation_time
smb.delete_on_close
smb.desired_access
smb.file_attributes
smb.file_info_class
smb.file_info_class.code
smb.info_type
smb.last_access_time
smb.last_write_time
smb.new_file_name
smb.sha256

"TLS" layer unsupported metrics for alerts

metric                       comment
domain.primary
domain.short
domain.toplevel
tls.version.major
tls.version.minor

"VNC" layer unsupported metrics for alerts

metric                       comment
vnc.client.version.major
vnc.client.version.minor
vnc.dest.version.major
vnc.dest.version.minor
vnc.server.version.major
vnc.server.version.minor
vnc.source.version.major
vnc.source.version.minor

"VoIP" layer unsupported metrics for alerts

metric                       comment
callee.hostname
caller.hostname
client.payload.pdus
dest.payload.pdus
mos
payload.pdus
server.payload.pdus
server.signalization.last_code
source.payload.pdus
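Because the user interface and APIs do not yet reject unsupported metrics, it is worth validating a policy before submitting it. The following is an added example and not Accedian or Skylight code: it transcribes the supported-layer lists and the per-layer unsupported-metric tables from this article into a small pre-flight checker. The policy dictionary shape, the check_policy() helper and the sample metric names in the usage section are assumptions made for illustration; the article itself defines no policy format. Note that the article lists dce_rpc as both supported and unsupported, so the checker reports that layer as a warning instead of choosing a side.

```python
"""Pre-flight check of a Skylight capture-data alert condition.

Added example, not Accedian code. Layer and metric lists are transcribed
from the article; the policy dictionary shape and check_policy() helper
are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Optional

SUPPORTED_LAYERS = set(
    "arp bootp citrix citrix_channels databases dce_rpc dns email ftp http icmp "
    "ipsec kerberos ldap non-ip other-ip rdp smb socks5 ssh tcp tls udp vnc voip".split()
)
# Layers with no alerting policies at all. The article lists dce_rpc in both
# groups; check_condition() turns that into a "warn" rather than a "reject".
UNSUPPORTED_LAYERS = set("cifs flows sql transport dce_rpc dhcp http2 ntlm".split())

# Unsupported in every layer ("ID and name fields are generally not supported").
COMMON_UNSUPPORTED = {"application.category.id", "application.category.name"}

_CITRIX = set(
    "client.payload.pdus client.payload.ratio dest.payload.pdus dest.payload.ratio "
    "payload.pdus payload.ratio server.payload.pdus server.payload.ratio "
    "source.payload.pdus source.payload.ratio".split()
)
# Per-layer unsupported metrics, transcribed from the tables in the article.
UNSUPPORTED_METRICS = {
    "bootp": set("client.ip dest.ip gateway.ip ignored_server.ip ip.family nameserver1.ip "
                 "nameserver2.ip next_server.ip ntp.ip requested_ip router.ip server.ip "
                 "source.ip subnet.ip uuid".split()),
    "citrix": _CITRIX,
    "citrix_channels": _CITRIX,
    "databases": {"query_256", "system"},
    "dce_rpc": {"dcom.arguments", "dcom.arguments_lengths"},
    "dns": {"resolved_ip"},
    "email": {"attachments.sha256", "recipients"},
    "ftp": {"ftp.file.sha256", "ftp.reply_codes", "ftp.reply_codes.counters"},
    "http": set("content_description content_disposition domain.primary domain.short "
                "domain.toplevel error.hits http.version.major http.version.minor referrer "
                "request.payload.sha256 response.category response.payload.sha256 "
                "response.status.category url.base url.path".split()),
    "smb": set("smb.change_time smb.create_options smb.creation_time smb.delete_on_close "
               "smb.desired_access smb.file_attributes smb.file_info_class "
               "smb.file_info_class.code smb.info_type smb.last_access_time "
               "smb.last_write_time smb.new_file_name smb.sha256".split()),
    "tls": set("domain.primary domain.short domain.toplevel tls.version.major "
               "tls.version.minor".split()),
    # vnc.{client,dest,server,source}.version.{major,minor}: the 8 rows of the VNC table
    "vnc": {f"vnc.{side}.version.{part}" for side in ("client", "dest", "server", "source")
            for part in ("major", "minor")},
    "voip": set("callee.hostname caller.hostname client.payload.pdus dest.payload.pdus mos "
                "payload.pdus server.payload.pdus server.signalization.last_code "
                "source.payload.pdus".split()),
}
# The one replacement the article names explicitly.
ALTERNATIVES = {("http", "error.hits"): "page.errors"}


@dataclass(frozen=True)
class Finding:
    status: str                  # "ok", "warn" or "reject"
    reason: str
    suggestion: Optional[str] = None


def check_condition(layer: str, metric: str) -> Finding:
    """Classify one (layer, metric) pair against the transcribed lists.

    "ok" only means the metric is not on the article's unsupported lists; the
    article publishes no positive list, so treat "ok" as "not known bad".
    """
    layer = layer.lower()
    if layer in UNSUPPORTED_LAYERS and layer not in SUPPORTED_LAYERS:
        return Finding("reject", f"layer '{layer}' has no alerting support")
    if layer not in SUPPORTED_LAYERS:
        return Finding("reject", f"unknown layer '{layer}'")
    if metric in COMMON_UNSUPPORTED:
        return Finding("reject", f"'{metric}' is unsupported in every layer (ID/name field)")
    if metric in UNSUPPORTED_METRICS.get(layer, set()):
        return Finding("reject", f"'{metric}' is unsupported in layer '{layer}'",
                       ALTERNATIVES.get((layer, metric)))
    if layer in UNSUPPORTED_LAYERS:  # listed on both sides of the article
        return Finding("warn", f"layer '{layer}' is listed as both supported and unsupported")
    return Finding("ok", "metric is not on the unsupported list")


def check_policy(policy: dict) -> list:
    """Check a policy of the assumed shape {"layer": str, "conditions": [{"metric": str}, ...]}."""
    return [check_condition(policy["layer"], c["metric"]) for c in policy["conditions"]]


if __name__ == "__main__":
    # Constructed sample policy: the first condition uses a metric the article marks
    # unsupported for HTTP and names a replacement for; the second uses that replacement.
    sample = {"layer": "http", "conditions": [{"metric": "error.hits"},
                                              {"metric": "page.errors"}]}
    for f in check_policy(sample):
        print(f.status, f.reason, f"-> use {f.suggestion}" if f.suggestion else "")
```

Run the check against a policy before calling the API; a "reject" means the engine will never evaluate that condition, and a "warn" on dce_rpc means the article is inconsistent and the behaviour should be confirmed on the deployed release. Once the announced patch release filters unsupported conditions in the user interface, the API path is the one that still benefits from this kind of check.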

© 2024 Accedian Networks Inc. All rights reserved. Accedian®, Accedian Networks®,  the Accedian logo™, Skylight™, Skylight Interceptor™ and per-packet intel™, are trademarks or registered trademarks of Accedian Networks Inc. To view a list of Accedian trademarks visit: http://accedian.com/legal/trademarks/. 
