Notifications And How It Works; Throttling And Aggregation; Notification Rules And System Tree Scenarios - McAfee EPOLICY ORCHESTRATOR 4.0.2 Product Manual

Sending Notifications

Notifications and how it works
Before you plan the implementation of Notifications, you should understand how this feature
works with ePolicy Orchestrator and the System Tree.
NOTE: This feature does not follow the inheritance model of policy enforcement.
Events that occur on systems in your environment are delivered to the server, and the notification
rules (associated with the group that contains the affected systems and each parent above it)
are triggered by the events. If the conditions of any such rule are met, a notification message
is sent, or an external command is run, per the rule's configurations.
This design allows you to configure independent rules at the different levels of the System Tree.
These rules can have different:
• Thresholds for sending a notification message. For example, an administrator of a particular
group wants to be notified if viruses are detected on 100 systems within 10 minutes on the
group, but a global administrator does not want to be notified unless viruses are detected
on 1000 systems within the entire environment in the same amount of time.
• Recipients for the notification message. For example, an administrator for a particular group
wants to receive a notification message only if a specified number of virus detection events
occur within the group. Or, a global administrator wants each group administrator to receive
a notification message if a specified number of virus detection events occur within the entire
System Tree.

Throttling and aggregation

You can configure when notification messages are sent by setting thresholds based on
aggregation and throttling.
Aggregation
Use aggregation to determine the thresholds of events at which the rule sends a notification
message. For example, configure the same rule to send a notification message when the server
receives 100 virus detection events from different systems within an hour and whenever it has
received 1000 virus detection events from any system.
Throttling
Once you have configured the rule to notify you of a possible outbreak, use throttling to ensure
you do not receive too many notification messages. If you are administering a large network,
then you may be receiving tens of thousands of events during an hour, creating thousands of
notification messages based on such a rule. Notifications allows you to throttle the number of
notification messages you receive based on a single rule. For example, you can specify in this
same rule that you don't want to receive more than one notification message in an hour.
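The evaluation described in the two sections above (an event delivered to the rule of the containing group and of each parent, an aggregation threshold counted within a window, and a throttle on how often one rule may send) as an added Python simulation; this is not code from the manual or from the ePO product. The group names, the 6-second spacing of the simulated events and the decision to restart the count after a message is sent are assumptions made for the example.

```python
from collections import deque

class Rule:
    """A notification rule on one System Tree group: aggregate, then throttle.
    Fires when `threshold` events arrive within `window_s` seconds, then sends
    nothing more for `throttle_s` seconds. Restarting the count after a send
    is an assumption made for this example, not documented ePO behaviour."""

    def __init__(self, threshold, window_s, throttle_s):
        self.threshold, self.window_s, self.throttle_s = threshold, window_s, throttle_s
        self.events = deque()   # timestamps (in arrival order) still inside the window
        self.last_sent = None

    def receive(self, t):
        """Record an event at time t (seconds); return True if a message is sent."""
        self.events.append(t)
        while t - self.events[0] > self.window_s:   # expire events outside the window
            self.events.popleft()
        if len(self.events) < self.threshold:
            return False                             # aggregation threshold not met
        if self.last_sent is not None and t - self.last_sent < self.throttle_s:
            return False                             # met, but suppressed by throttling
        self.last_sent = t
        self.events.clear()
        return True

def deliver(rules, group_path, t):
    """Deliver one event to the rule of its own group and of every parent above it."""
    fired = []
    for depth in range(len(group_path), 0, -1):
        name = "/".join(group_path[:depth])
        if name in rules and rules[name].receive(t):
            fired.append(name)
    return fired

def simulate():
    """Constructed scenario: three bursts of 100 detections, 6 s apart, in Sales/East."""
    rules = {   # hypothetical group names; thresholds follow the manual's example
        "My Organization": Rule(threshold=1000, window_s=600, throttle_s=3600),
        "My Organization/Sales": Rule(threshold=100, window_s=600, throttle_s=3600),
    }
    path = ["My Organization", "Sales", "East"]
    sent = []
    # burst at 0 s fires the Sales rule; at 1800 s the threshold is met again but
    # throttled (under an hour since the last message); at 5400 s it fires again
    for start in (0, 1800, 5400):
        for t in (start + 6 * i for i in range(100)):
            sent.extend((t, group) for group in deliver(rules, path, t))
    return sent
```

The global rule never reaches its 1000-event threshold in this run, so only the Sales administrator is notified, and only twice despite three bursts.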

Notification rules and System Tree scenarios

To show how this feature functions with the System Tree, two scenarios are used.
For both scenarios, we can assume that each group of the System Tree has a similar rule
configured. Each rule is configured to send a notification message when 100 virus detection
events have been received from any product within 60 minutes. For reference purposes, each
McAfee ePolicy Orchestrator 4.0.2 Product Guide
153
