In this example, we will set up an Alert to monitor the SCSP Agent communication with the SCSP Management Server.
The following applications are to be installed prior to configuring the Alert:
· Microsoft Exchange Server with Outlook Express
· SCSP Management console
· SCSP Agent
On the SCSP Management Console:
1. Configure the windows_baseline_detection policy [NOTE: In a freshly copied policy, the settings below should already be enabled by default]
How to configure the windows_baseline_detection policy:
i. Go to: “Detection View” Tab > “Policies” Tab > “Windows_Baseline_Detection” policy
ii. Right-click and copy the “Windows_Baseline_Detection” policy
iii. Move the copied policy to a “Test Policies” group
iv. Rename the policy
v. Right-click and go to “Edit Policy”
vi. Drill down to “System Login Activity and Access Monitor” and confirm it is enabled
vii. Drill down to “System Failed Login Monitor” and confirm it is enabled
viii. Drill down to “By Admin to Desktop” and confirm it is enabled
ix. Apply this windows_baseline_detection policy to the agent
2. Configure the Agent Health Setting
How to configure the Agent Health:
i. Go to: “Detection View” Tab > “Assets” Tab > “Windows”
ii. Find the SCSP Agent in the right pane
iii. Right-click and go to “Properties”
iv. Under the “General” Tab, click the button called “Configure Health”
v. In the “Agent Health Settings” window, set the “Health Timeouts” to the desired time
vi. Enable all the health events and click “OK”
vii. Click “Apply”
viii. Click “OK”
3. Test the policy by stopping and starting the SCSP Agent IDS services
4. Confirm that the event was generated: Click “Monitors” and look for an “Event Type” of “Communications”
5. Configure the Alert
How to configure the Alert:
i. Go to: “Detection View” Tab > “Alerts” Tab
ii. Under “Tasks:” Click “New Alert”
In the “New Alert” window:
iii. Click on the “General” Tab
iv. Give the Alert a meaningful name
v. Click on the “Filters” Tab
vi. Select the filters to trigger the alert:
a. In this example we will use:
i. Event Type Equals Communications
ii. Operation Equals AGENT HEALTH CHANGE
iii. Agent Name Equals jess-charley
vii. Click on the “Email” Tab
viii. Click Add
a. In this example we will use:
ii. Subject: Test - Checking the Agent Health
iii. Body: {EVENT_TYPE_D.EN_US}{AGENTTYPE_D.EN_US}{OPERATION_D.EN_US}
ix. Click “Save”
x. Click “Apply”
xi. Click “OK”
6. Configure Alert Settings:
How to configure the Alert Settings:
i. Go to: “Detection View” Tab > “Alerts” Tab
ii. Under “Alerts:” Click “Settings”
iii. Go to “Email Settings” and set the SMTP Server to the IP address of the Exchange Server
a. In the example we will use:
i. SMTP Server: xxx.xxx.xxx.xxx
iv. Click “Save”
7. Test the Alert: Stop and Start the SCSP Agent IDS services
8. Confirm that the event was generated: Click “Monitors” and look for an “Event Type” of “Communications”
9. Check the Exchange Server for Email Alert
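To make the alert logic above concrete, here is an added Python example (not part of the original procedure and not SCSP code) that models what the test in steps 7 to 9 exercises: a Health Timeout turning a stopped IDS service into a Communications / AGENT HEALTH CHANGE event, the three alert filters (assumed to be combined with AND), and the expansion of the {FIELD.EN_US} tokens in the email body. The health model, the event field names, the "Windows Agent" value and the timestamps are assumptions constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Alert definition from the page; combining the filters with AND is an assumption.
ALERT_FILTERS = {"EVENT_TYPE_D": "Communications",
                 "OPERATION_D": "AGENT HEALTH CHANGE",
                 "AGENT_NAME": "jess-charley"}
EMAIL_SUBJECT = "Test - Checking the Agent Health"
EMAIL_BODY = "{EVENT_TYPE_D.EN_US}{AGENTTYPE_D.EN_US}{OPERATION_D.EN_US}"
TOKEN = re.compile(r"\{(\w+)\.EN_US\}")   # one template token, e.g. {OPERATION_D.EN_US}


def health_event(agent_name, detail, when):
    """One Communications / AGENT HEALTH CHANGE event (field names are assumed)."""
    return {"EVENT_TYPE_D": "Communications", "AGENTTYPE_D": "Windows Agent",
            "OPERATION_D": "AGENT HEALTH CHANGE", "AGENT_NAME": agent_name,
            "DETAIL": detail, "TIME": when.isoformat()}


def health_change_events(agent_name, heartbeats, timeout, now):
    """Assumed health model: a gap longer than the Health Timeout between heartbeats (or
    before now) means the agent stopped talking; the heartbeat ending the gap means it is back."""
    points = sorted(heartbeats) + [now]
    events = []
    for i in range(1, len(points)):
        prev, cur = points[i - 1], points[i]
        if cur - prev > timeout:
            events.append(health_event(agent_name, "Agent not responding", prev + timeout))
            if i < len(points) - 1:            # a real heartbeat, not the 'now' sentinel
                events.append(health_event(agent_name, "Agent responding", cur))
    return events


def alert_matches(event, filters=ALERT_FILTERS):
    return all(event.get(field) == value for field, value in filters.items())


def render_email(event, subject=EMAIL_SUBJECT, body=EMAIL_BODY):
    """Expand {FIELD.EN_US} tokens from the event; unknown tokens stay as written."""
    return subject, TOKEN.sub(lambda m: str(event.get(m.group(1), m.group(0))), body)


def demo():
    """Constructed scenario: the IDS service on jess-charley is stopped at 09:02 and started
    at 09:12 with a 5-minute Health Timeout; other-host does the same but is filtered out."""
    t0 = datetime(2024, 1, 1, 9, 0)
    beats = [t0 + timedelta(minutes=m) for m in (0, 1, 2, 12, 13)]
    now = t0 + timedelta(minutes=14)
    events = (health_change_events("jess-charley", beats, timedelta(minutes=5), now)
              + health_change_events("other-host", beats, timedelta(minutes=5), now))
    return events, [render_email(e) for e in events if alert_matches(e)]
```

Calling demo() returns the four generated events and the two emails that pass the filters, both for jess-charley; the other-host events are dropped by the Agent Name filter.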