Can somepne point me to some good documentation (Best Practices) for setting up notification rules? I have been trying to create rules that will notifiy us if a system is infected and cannot be cleaned or if a virus is removed but continues to infect the system. It's getting frustrating to have our end-users call us to report that there computer is infected. When we investigate the issue we discover that the system is infected but EPO never sent a notification. Here is a view of one of my rules:
|Name:||Virus detected and not removed|
|Notes:||Notifications sends an e-mail message when "Virus Detected and Not Removed" events are received|
|Defined at:||My Organization|
|Categories:||Virus detected and NOT removed|
|Aggregation:||Send a notification if multiple events occur within 20 minutes|
When the number of affected systems is at least 10
When the number of events is at least 25
|Throttling:||At most, send a notification every 1 hours|
Does this look right to you? BTW, I do have our IT staff listed in the EMail section of the notification.
Solved! Go to Solution.
At first glance, those aggregation and throttling criteria are going to slow down your alerts.I would remove those to start with so that you get a notification for each detection. If after that you find that you're getting flooded you can introduce them again.
I made the following changes. Now I'll just sit back and seee what happens.
|Aggregation:||Send a notification if multiple events occur within 10 minutes|
When the number of affected systems is at least 1
When the number of events is at least 5
|Throttling:||At most, send a notification every 10 minutes|
I'd possibly go even further - under aggregation, select "Trigger this response for every event" and make sure the throttling checkbox is not selected...