STRM Users Guide, Chapter 3 Managing Your Network, Creating a Sentry (page 61)

Table 4-11 Sentry Response Parameters (continued)

Parameter: Trigger
Sub-Parameter: Trigger Script
Action: Using the drop-down list box, specify the action you wish the sentry engine to perform. The options include:
  • Trigger Script - Specify if you wish this sentry to use the following:
      SNMP traps - Sentry engine sends an SNMP Trap notification.
      Block IPs - Sentry engine blocks specific IP addresses.
  • Parameters - Specify the parameters required to trigger either the SNMP trap or to block IP addresses. Enter parameters in the following format:
      If you are using SNMP version 1:
        1 <community> <IP address> 1.3.6.1.4.1.20212
      If you are using SNMP version 2:
        2 <community> <IP address> 1.3.6.1.4.1.20212.200.3
  Note: These default scripts need to be customized for proper use in your environment. To edit the script, use SSH to log in to your STRM Console and edit the scripts in the /opt/qradar/triggerbin directory. For assistance, contact your local administrator.

Parameter: Trigger
Sub-Parameter: Syslog
Action: Select the check box if you wish to save the sentry event log file to the syslog server.

Step 10 Click Next.
Step 11 Review the sentry details. Click Finish.

Creating a Threshold Sentry

A Threshold sentry monitors your deployment for activity that exceeds the configured threshold of the sentry.

To create a threshold sentry:

Step 1 Click the Network Surveillance tab.
The Network Surveillance interface appears.
Step 2 Navigate to the appropriate view to which you wish the sentry to apply.
For information on navigating views, see Activity.
Note: You cannot create a sentry in the ByNets view. You must navigate to a non-related view to create a sentry.
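The Trigger Script row of Table 4-11 above gives the Parameters field as "<version> <community> <IP address> <OID>" but says nothing about how the script in /opt/qradar/triggerbin consumes it. As an added example (not code from the STRM guide, and not the vendor's default trigger script, whose contents the page does not show), the following Python validates a Parameters line in that format and turns it into a net-snmp snmptrap command line. It assumes the customized trigger script wraps snmptrap; the specific-trap number 1 and the varbind OID under the enterprise subtree are assumptions for the example, the sample community strings and manager addresses are constructed, and the check for well-known default community strings is added here rather than anything the guide describes. The caveat a practitioner wants at this point: SNMP version 1 and 2 send the community string in cleartext, so treat it as a credential, do not leave it at public or private, and limit which hosts the trap receiver accepts traps from.

```python
import ipaddress
import re
import shlex
from dataclasses import dataclass, field
from typing import List

# Enterprise OID prefix used in the guide's default parameter examples.
STRM_ENTERPRISE_OID = "1.3.6.1.4.1.20212"

# Vendor-default community strings. Flagging them is a check added for this
# example; the guide itself describes no such policy.
WEAK_COMMUNITIES = {"public", "private"}

_OID_RE = re.compile(r"^\d+(\.\d+)+$")


@dataclass
class TrapParams:
    version: str                 # "1" or "2", as typed in the Parameters field
    community: str               # SNMP community string (cleartext on the wire in v1/v2c)
    target: str                  # IP address of the SNMP manager
    oid: str                     # trap / enterprise OID
    warnings: List[str] = field(default_factory=list)


def parse_trap_params(line: str) -> TrapParams:
    """Parse '<version> <community> <IP address> <OID>' as the guide's Parameters field.

    Raises ValueError for anything that would make the trigger script fail or
    send the trap somewhere unintended; collects non-fatal findings in warnings.
    """
    fields = shlex.split(line)
    if len(fields) != 4:
        raise ValueError(f"expected 4 fields (version community ip oid), got {len(fields)}")
    version, community, target, oid = fields
    if version not in ("1", "2"):
        raise ValueError(f"SNMP version must be 1 or 2, got {version!r}")
    try:
        ipaddress.ip_address(target)
    except ValueError:
        raise ValueError(f"manager address is not a valid IP address: {target!r}") from None
    if not _OID_RE.match(oid):
        raise ValueError(f"OID must be dotted numeric, got {oid!r}")

    warnings = []
    if community.lower() in WEAK_COMMUNITIES:
        warnings.append(f"community {community!r} is a well-known default")
    if oid != STRM_ENTERPRISE_OID and not oid.startswith(STRM_ENTERPRISE_OID + "."):
        warnings.append(f"OID {oid} is outside the {STRM_ENTERPRISE_OID} subtree")
    return TrapParams(version, community, target, oid, warnings)


def snmptrap_argv(p: TrapParams, message: str) -> List[str]:
    """Build a net-snmp snmptrap command line (assumption: the trigger script wraps snmptrap).

    Returned as an argv list so it can be handed to subprocess.run() without a
    shell, which keeps the community string and message out of shell parsing.
    """
    varbind = [f"{p.oid}.1", "s", message]   # varbind OID, type and value are assumptions
    if p.version == "1":
        # v1 syntax: ENTERPRISE-OID AGENT GENERIC-TRAP SPECIFIC-TRAP UPTIME [VARBINDS]
        # '' for agent and uptime lets snmptrap fill in local values;
        # generic-trap 6 = enterpriseSpecific, specific-trap 1 is assumed here.
        return ["snmptrap", "-v", "1", "-c", p.community, p.target,
                p.oid, "", "6", "1", ""] + varbind
    # v2c syntax: UPTIME TRAP-OID [VARBINDS]
    return ["snmptrap", "-v", "2c", "-c", p.community, p.target,
            "", p.oid] + varbind


if __name__ == "__main__":
    # Constructed sample values standing in for <community> and <IP address>.
    for line in ("1 s3ntry-tr4p 192.0.2.10 1.3.6.1.4.1.20212",
                 "2 public 192.0.2.10 1.3.6.1.4.1.20212.200.3"):
        p = parse_trap_params(line)
        print(shlex.join(snmptrap_argv(p, "sentry threshold exceeded")), p.warnings)
```

Run from inside a trigger script, the parse step rejects a malformed Parameters field before anything is sent, and the argv list goes straight to subprocess.run() so a community string containing shell metacharacters cannot alter the command. The second sample line trips the default-community warning, which is the case you want surfaced when reviewing a sentry someone else configured.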