Configuring alerts

From the Security page, you can prioritize security events for an endpoint based on their type and configure one or more targeted alert actions to take every time the event occurs on the endpoint.

Table 1 describes the alert categories that are available for AIX, Linux, and IBM® i.

The Correlation events category represents a group of events that occur within an interval that you might want to be aware of and that might require additional investigation. See Swagger PUT /correlatedEvents example to configure correlation events.

Table 1. Alert types by operating system

Agent connectivity
  • AIX: Agent Connected, Agent Disconnected, My custom connectivity event
  • Linux: Agent Connected, Agent Disconnected, My custom connectivity event
  • IBM i: Agent Connected, Agent Disconnected

Allow listing
  • AIX: Trusted execution
  • Linux: Fapolicyd
  • IBM i: No subcategories

Blocklist
  • AIX: Matching Hash, Scan Completed, Scan Error, Scan Started, Custom blocklist event
  • Linux: Matching Hash, Scan Completed, Scan Error, Scan Started, Custom blocklist event
  • IBM i: Matching Hash, Scan Completed, Scan Error, Scan Started

Compliance
  • AIX, Linux, and IBM i: Apply, Check, Rule Exemption, Rule failure, Simulate, Undo

Configuration
  • AIX: IDP Configuration Change Requested Warning, Malware Configuration Change Requested Warning, Quantum Safe Configuration Change Requested Warning, RTC Configuration Change Request Warning, TE Configuration Change Requested Warning
  • Linux: Auditd Configuration Change Requested Warning, Fapolicyd Configuration Change Requested Warning, Malware Configuration Change Requested Warning, PSAD Configuration Change Requested Warning, Quantum Safe Configuration Change Requested Warning
  • IBM i: IDP Configuration Change Requested Warning, Malware Configuration Change Requested Warning, Quantum Safe Configuration Change Requested Warning

Correlation Events
  • AIX, Linux, and IBM i: SYSTEM BREACH

Status changed
  • AIX: IDP switched OFF, IDP switched ON, RTC switched OFF, RTC switched ON, TE switched OFF, TE switched ON, TF switched OFF, TF switched ON, TL switched OFF, TL switched ON
  • Linux: Auditd switched OFF, Auditd switched ON, Fapolicyd switched OFF, Fapolicyd switched ON, PSAD switched OFF, PSAD switched ON
  • IBM i: IBM i audit switched OFF, IBM i audit switched ON, IDP switched OFF, IDP switched ON

File integrity monitoring
  • AIX, Linux, and IBM i: Access Changed, Content Changed, Directory changed

Host intrusion
  • AIX: Password Failures, IDPD, Syslog file modification, Ransomware Detected
  • Linux: Password Failures, PSAD, Syslog file modification, Ransomware Detected
  • IBM i: Password Failures, Intrusion Monitor event, Ransomware Detected, Syslog file modification

IBM i Data Capture
  • AIX: NA
  • Linux: NA
  • IBM i: Data Capture Completed, Data Capture Failed, Data Capture Started

Malware
  • AIX, Linux, and IBM i: Definitions updated, Definition update failed, Malware detected, File quarantined, File quarantined copy failed, File quarantined move failed, File quarantined POSIX failed, Malware Scan

Quantum Analysis Scan
  • AIX, Linux, and IBM i: Quantum Analysis Scan Cancelled, Quantum Analysis Scan Completed, Quantum Analysis Scan Started

Scheduled command failed
  • AIX, Linux, and IBM i: NA

Patch management
  • AIX, Linux, and IBM i: VERIFY, UPDATE, PULL

On the Alert Configuration page, events are categorized as shown in Table 2.
Table 2. Configuring Alerts

Agent connectivity
  • Event Name: one of Agent Connected, Agent Disconnected
  • Urgency: one of High, Medium, Low
  • Responses: none, or one or more of email, syslog, shell script
  • Parameters: NA

Allow listing
  • Event Name: Fapolicyd, Trusted execution
  • Urgency: one of High, Medium, Low
  • Responses: none, or one or more of email, syslog, shell script
  • Parameters: NA

Blocklist
  • Event Name: Matching Hash, Scan Completed, Scan Error, Scan Started
  • Urgency: one of High, Medium, Low
  • Responses: none, or one or more of email, syslog, shell script
  • Parameters: NA

Compliance
  • Event Name: Apply, Check, Rule failure, Undo
  • Urgency: one of High, Medium, Low
  • Responses: none, or one or more of email, syslog, shell script
  • Parameters: NA

Configuration
  • Event Name: IDP Configuration Change Requested Warning, RTC Configuration Change Request Warning, TE Configuration Change Requested Warning, Auditd Configuration Change Requested Warning, Fapolicyd Configuration Change Requested Warning, PSAD Configuration Change Requested Warning
  • Urgency: one of High, Medium, Low
  • Responses: none, or one or more of email, syslog, shell script
  • Parameters: NA

Correlation Events
  • Event Name: SYSTEM BREACH
  • Urgency: one of High, Medium, Low
  • Responses: none, or one or more of email, syslog, shell script
  • Parameters: NA

Status changed
  • Event Name: IDP switched OFF, IDP switched ON, RTC switched OFF, RTC switched ON, TE switched OFF, TE switched ON, TF switched OFF, TF switched ON, TL switched OFF, TL switched ON, Auditd switched OFF, Auditd switched ON, Fapolicyd switched OFF, Fapolicyd switched ON, PSAD switched OFF, PSAD switched ON, IBM i audit switched OFF, IBM i audit switched ON
  • Urgency: one of High, Medium, Low
  • Responses: none, or one or more of email, syslog, shell script
  • Parameters: NA

File Integrity Monitoring
  • Event Name: Access Changed, Content Changed, Directory changed
  • Urgency: one of High, Medium, Low
  • Responses: none, or one or more of email, syslog, shell script
  • Parameters: NA

Host Intrusion
  • Event Name: Password Failures, IDPD, Syslog file modification, PSAD, Ransomware Detected
  • Urgency: one of High, Medium, Low
  • Responses: none, or one or more of email, syslog, shell script
  • Parameters: for Password Failures, Attempts and Time interval (mins)

IBM i Data Capture
  • Event Name: Data Capture Completed, Data Capture Failed, Data Capture Started
  • Urgency: one of High, Medium, Low
  • Responses: none, or one or more of email, syslog, shell script
  • Parameters: NA

Malware
  • Event Name: Definitions updated, Definition update failed, Malware detected, File quarantined, File quarantined copy failed, File quarantined move failed, File quarantined POSIX failed, Scan configuration changed, Scan
  • Urgency: one of High, Medium, Low
  • Responses: none, or one or more of email, syslog, shell script
  • Parameters: NA

Quantum Analysis Scan
  • Event Name: Quantum Analysis Scan Cancelled, Quantum Analysis Scan Completed, Quantum Analysis Scan Started
  • Urgency: one of High, Medium, Low
  • Responses: none, or one or more of email, syslog, shell script
  • Parameters: NA

Scheduled command failed
  • Event Name: NA
  • Urgency: NA
  • Responses: none, or one or more of email, syslog, shell script

Patch management (see note 1)
  • Event Name: VERIFY, UPDATE, PULL
  • Urgency: one of High, Medium, Low
  • Responses: none, or one or more of email, syslog, shell script
  • Parameters: NA

Notes:
  • 1 The previous Patch Management event represented several types of events collectively identified by UP_TO_DATE_UPDATE. This collective event is deprecated in favor of more delineated events and may be removed in a future release.

  1. In the PowerSC GUI, click the ellipsis to the right of the endpoint for which you want to configure alerts.
  2. Click Alerts.
  3. Click Configure Alerts. The alerts configuration window opens.
  4. Select the alert type that you want to configure from the Alerts Hierarchy:
    • Agent connectivity
    • Allow listing
    • Blocklist
    • Compliance
    • Configuration
    • Status change
    • File integrity monitoring
    • Host intrusion
    • IBM i Data Capture (IBM i only)
    • Malware
    • Quantum Analysis Scan
    • Scheduled command failed
    • Patch management
  5. Enable View sub-categories to configure alerts on a granular level.
  6. For each event category and subcategory, specify the Urgency you want to assign.
    One of:
    • High
    • Medium
    • Low
  7. For each event category and subcategory, specify the response you want to take.
    Important: If you configure an alert response at the category level, the configuration change also applies to the subcategories.
    • None. This is the default if you do not enable Emails, Syslog, or Shell Script.
    • Enable Emails to send an email to one or more recipients every time this alert occurs. If you set customerName in the pscuiserverctl command, the email includes the customer name.
    • Enable Syslog to log the event to the syslog every time this alert occurs.
    • Enable Shell Script to create a shell script response. PowerSC GUI provides a placeholder. Edit this placeholder inline as appropriate for your environment. The script receives all of the event variables as separate arguments: var1 value1 var2 value2 and so on.
      Note: This shell script runs on the PowerSC GUI server every time this alert occurs. Disable the Shell Script control to prevent this script from running.
  8. Click Save.
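One way to write the Shell Script response that step 7 describes, as an added example rather than the placeholder that the PowerSC GUI provides. It assumes only the argument convention stated above (alternating name/value pairs: var1 value1 var2 value2 ...); the variable names urgency, category and event, and the mapping of urgency to a syslog priority, are assumptions for illustration, not documented PowerSC event variables.

```shell
#!/bin/sh
# Added example of a Shell Script alert response; not the PowerSC GUI placeholder.
# Assumes the documented convention only: the GUI passes the event variables as
# alternating name/value pairs (var1 value1 var2 value2 ...). The names
# urgency, category and event below are assumptions used for illustration.

# Print the value that follows the named variable, or return 1 if absent.
# Usage: event_field NAME name value [name value ...]
event_field() {
    want=$1
    shift
    while [ $# -ge 2 ]; do
        if [ "$1" = "$want" ]; then
            printf '%s\n' "$2"
            return 0
        fi
        shift 2
    done
    return 1
}

# Render the pairs as name="value" on one line, so that a value containing
# spaces cannot be mistaken for the next variable name when the line is read.
event_line() {
    out=""
    while [ $# -ge 2 ]; do
        out="$out $1=\"$2\""
        shift 2
    done
    printf '%s\n' "${out# }"
}

# Map the assumed "urgency" variable to a syslog priority (assumed mapping).
route_priority() {
    case "$(event_field urgency "$@")" in
        High)   echo "auth.crit" ;;
        Medium) echo "auth.warning" ;;
        *)      echo "auth.info" ;;
    esac
}
main() {
    # An odd argument count means the name/value pairs are malformed; refuse to guess.
    if [ $(( $# % 2 )) -ne 0 ]; then
        echo "malformed event arguments: expected name/value pairs" >&2
        return 2
    fi
    logger -p "$(route_priority "$@")" -t powersc-alert -- "$(event_line "$@")"
}
# Run only when the GUI invokes the script with event arguments.
if [ $# -gt 0 ]; then main "$@"; fi
```

Because the script runs on the PowerSC GUI server, the logger line records the alert in that server's syslog; replace it with whatever action your environment needs.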