Configuring suspicious activity alerts

Administrator Help | Forcepoint Web Security and Forcepoint URL Filtering | v8.5.x

Related topics:

Alerting

Flood control

Configuring general alert options

Your web protection software can notify you when suspicious activity of a specified severity level reaches a defined threshold. You can define alerts for permitted requests and blocked requests of each severity level.

Because Content Gateway is required to detect critical and high severity alerts, it is not possible to configure alerting for those severity levels in Web Filter & Security deployments.

Forcepoint Web Security customers who have enabled advanced file analysis can enable email or SNMP alerts to be sent when a file submitted for analysis is determined to be malicious.

Use the Settings > Alerts > Suspicious Activity page to set or change alerting configuration for alerts associated with suspicious events in your network. Detailed information about these events is displayed on the Threats dashboard.

The page displays 2 tables: Permitted Suspicious Activity Alerts and Blocked Suspicious Activity Alerts. If the Advanced File Analysis has been enabled, a third table is added.

Each table for suspicious activity alerts shows:

The Severity level to be configured. The 4 severity levels are critical, high, medium, and low. Severity level is determined by the threat category associated with the alert. See How severity is assigned to suspicious activity for more information.

The alerting Threshold. By default, the threshold for critical and high severity alerts, both permitted and blocked, is 1.

One or more notification methods. Suspicious activity alerts can be sent via Email, SNMP, or both.

For advanced file analysis, you can enable alerting via email, SNMP, or both when an analyzed file is found to be malicious.

To update suspicious activity alert settings, you can:

Enter a number in the Threshold field to specify the number of suspicious events that cause an alert to be generated.

Select each notification method (Email, SNMP) to use to deliver suspicious activity alerts.

Only alert methods that have been enabled on the Enable Alerts page (see Configuring general alert options) are available for selection.

Leave the alert methods unchecked to disable alerts for a specific severity.

If the Advanced File Analysis option has been enabled, mark the check box or boxes in the Advanced File Analysis Alerts section to cause an email or SNMP alert to be sent when a file sent for analysis is found to be malicious.

Each check box is enabled only if the corresponding alert type (email or SNMP) is enabled on the Enable Alerts page.

Note that threats related to advanced file analysis are not included on the Threats dashboard.

Click OK to cache your changes. Changes are not implemented until you click Save and Deploy.