Throttling And Aggregation - McAfee EPOLICY ORCHESTRATOR 3.6 - WALKTHROUGH GUIDE Manual

System protection, a product overview and quick set up in a test environment version 3.6

ePolicy Orchestrator® 3.6 Walkthrough Guide

Throttling and aggregation

When events occur on systems in your environment, they are delivered to the ePolicy
Orchestrator server, and the notification rules (associated with the group or site that
contains the affected systems and each parent above it) are applied to the events. If the
conditions of any such rule are met, a notification message is sent, or an external
command is run, per the rule's configurations.

This design allows you to configure independent rules at the different levels of the
Directory. These rules can have different:

- Thresholds used to send a notification message. For example, a site administrator
  wants to be notified if viruses are detected on 100 systems within 10 minutes on
  the site, but a global administrator does not want to be notified unless viruses are
  detected on 1000 systems within the same amount of time within the entire
  environment.
- Recipients for the notification message. For example, a site administrator wants to
  receive a notification message only if a specified number of virus detection events
  occur within the site. Or, a global administrator wants each site administrator to
  receive a notification message if a specified number of virus detection events occur
  within the entire Directory.

You can configure when notification messages are sent by setting thresholds based on
aggregation and throttling.

Aggregation

Use aggregation to determine the thresholds of events at which the rule sends a
notification message. For example, you can configure the same rule to send a
notification message when the ePolicy Orchestrator server receives 100 virus detection
events from different systems within an hour or whenever it has received 1000 virus
detection events altogether from any system.

Throttling

Once you have configured the rule to notify you of a possible outbreak situation, you
may want to use throttling to ensure you do not get too many notification messages. If
you are administering a large network, then you may be receiving tens of thousands of
events during an hour, creating thousands of notification messages based on such a
rule. ePolicy Orchestrator Notifications allows you to throttle the number of notification
messages you receive based on a single rule. For example, you can specify in this same
rule that you don't want to receive more than one notification message in an hour.
When using throttling, the notification message received contains a summary of events
that occurred within the throttling period that would have triggered the rule otherwise.
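
A minimal model of the aggregation and throttling behavior described above, as an added example (not McAfee code and not taken from the guide). The class and field names, the counter reset after a threshold is met, and delivering the summary with the next permitted message are assumptions made for illustration.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class NotificationRule:
    distinct_systems: int   # aggregation: events from this many different systems...
    window_s: int           # ...received within this many seconds, OR
    total_events: int       # this many events altogether from any system
    throttle_s: int         # throttling: at most one message per this many seconds
    _recent: deque = field(default_factory=deque)  # (timestamp, system) in window
    _total: int = 0
    _last_sent: Optional[float] = None
    _held: int = 0          # triggers suppressed since the last message

    def on_event(self, ts: float, system: str) -> Optional[dict]:
        """Feed one event (in time order); return a notification message or None."""
        self._recent.append((ts, system))
        self._total += 1
        while self._recent[0][0] <= ts - self.window_s:  # drop events outside window
            self._recent.popleft()
        by_systems = len({s for _, s in self._recent}) >= self.distinct_systems
        by_total = self._total >= self.total_events
        if not (by_systems or by_total):
            return None
        # Assumption: counters restart once a threshold has been met.
        self._recent.clear()
        self._total = 0
        if self._last_sent is not None and ts - self._last_sent < self.throttle_s:
            self._held += 1  # would have notified; hold it for the summary
            return None
        msg = {"time": ts, "reason": "systems" if by_systems else "total",
               "summarized_triggers": self._held}
        self._last_sent, self._held = ts, 0
        return msg

def replay(rule, events):
    """Run (timestamp, system) pairs through a rule; return the messages sent."""
    return [m for m in (rule.on_event(t, s) for t, s in events) if m]

# Constructed sample: three-system bursts starting at t=0, 30, 100 and 3700 seconds.
BURSTS = [(base + i * 10, f"host{i}") for base in (0, 30, 100, 3700) for i in range(3)]

if __name__ == "__main__":
    for m in replay(NotificationRule(3, 60, 1000, 3600), BURSTS):
        print(m)
```

With a one-hour throttle, the four bursts produce two messages instead of four, and the second message reports the two triggers that were held back.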
ePolicy Orchestrator Notifications
About Notifications
