Add Alarm Matching Policy
This function allows you to add an alarm matching policy. An alarm matching policy contains basic information, alarm variable matching rule, and action/alarm variable mapping.
The basic information contains the policy name, policy description, and alarms to be identified.
In the alarm variable matching rule, you can add regular expressions to further filter alarms.
You can add action/alarm variable mappings in the action/alarm variable mapping list.
You can configure the following Action variables:
- destIp: Attack destination IP address
- destMAC: Attack destination MAC address
- destPort: Attack destination port
- eventIp: Alarm event IP address, or the IP address of the device that sends an alarm
- srcIp: Attack source IP address
- srcMAC: Attack source MAC address
- srcPort: Attack source port
The default alarm variable is:
- eventIp: Alarm event IP address, or the IP address of the device that sends an alarm
Operation Procedure
- Click the Alarm tab, and then select SCC > Alarm Matching Policy from the navigation tree to enter the alarm matching policy page.
- Click Add to enter the Add Alarm Matching Policy page.
- Enter the policy name and description.
- Select the alarms to be identified.
- Add alarm variable matching rules as needed.
- Add action/alarm variable mappings as needed.
- Click OK.
Precautions
- In the action/alarm variable mapping list, if you select Locate Attack Source, you must configure the action variable srcIp or srcMAC.
- In the action/alarm variable mapping list, if you select Locate Attack Destination, you must configure the action variable destIp.
- In the action/alarm variable mapping list, if you select Locate UAM User, you must configure the action variable srcIp or srcMAC.
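The following is an added example, not code from the product, that models how the three parts of a policy work together: the alarm variable matching rule filters alarms with a regular expression, the action/alarm variable mapping fills the action variables listed above, and the precautions are checked before the policy is accepted. Alarm type names, addresses and the policy name are constructed for illustration.

```python
import re
from dataclasses import dataclass, field

# Action variables and the actions that depend on them, as listed on this page
ACTION_VARIABLES = {"destIp", "destMAC", "destPort", "eventIp", "srcIp", "srcMAC", "srcPort"}
ACTION_REQUIREMENTS = {            # action -> at least one of these must be mapped (Precautions)
    "Locate Attack Source": {"srcIp", "srcMAC"},
    "Locate Attack Destination": {"destIp"},
    "Locate UAM User": {"srcIp", "srcMAC"},
}

@dataclass
class MatchingPolicy:
    name: str
    description: str
    alarm_types: set            # alarms to be identified
    variable_rules: dict        # alarm variable -> regular expression its value must match
    mappings: dict              # action variable -> alarm variable it is taken from
    actions: list = field(default_factory=list)

def validate_policy(policy):
    """Return the precaution violations of a policy (an empty list means it is consistent)."""
    problems = [f"unknown action variable: {v}" for v in policy.mappings if v not in ACTION_VARIABLES]
    for action in policy.actions:
        needed = ACTION_REQUIREMENTS.get(action, set())
        if needed and not needed.intersection(policy.mappings):
            problems.append(f"{action} requires one of {sorted(needed)} to be mapped")
    return problems

def match_alarm(policy, alarm):
    """Apply the policy to one alarm; return the action variables, or None if it does not match."""
    if alarm["type"] not in policy.alarm_types:
        return None
    for var, pattern in policy.variable_rules.items():       # regex rules filter alarms further
        if not re.fullmatch(pattern, alarm["variables"].get(var, "")):
            return None
    return {act_var: alarm["variables"][alarm_var]
            for act_var, alarm_var in policy.mappings.items()
            if alarm_var in alarm["variables"]}

# Constructed sample: hypothetical alarm type and addresses, not taken from the product
POLICY = MatchingPolicy(
    name="locate-scanner", description="Scanners reported from the office subnet",
    alarm_types={"Port Scan"},
    variable_rules={"eventIp": r"10\.1\.\d{1,3}\.\d{1,3}"},   # only alarms from 10.1.0.0/16
    mappings={"srcIp": "eventIp"},                            # default alarm variable -> action variable
    actions=["Locate Attack Source"],
)
ALARM_IN_SUBNET = {"type": "Port Scan", "variables": {"eventIp": "10.1.7.42"}}
ALARM_ELSEWHERE = {"type": "Port Scan", "variables": {"eventIp": "192.168.5.9"}}
```

`validate_policy(POLICY)` returns an empty list and `match_alarm(POLICY, ALARM_IN_SUBNET)` yields `{"srcIp": "10.1.7.42"}`, while the alarm from outside the subnet is filtered out by the regular expression.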
Related Topics