When a misconfigured security rule or a customer outage generates a high volume of signals, exceeding the ingestion rate allowed by the subscription plan, these signals are redirected to the burst queue. You can manage them using the Manage Burst Queue option on the Signals page in Resolution Intelligence Cloud.
From there, you can choose to delete the signals or prioritize them for processing. After processing, the raw signals are displayed on the Signals page. To streamline management, filters are available, enabling you to sort signals based on specific criteria.
Managing alert burst control signals
Use this procedure to manage alert burst control signals. You can delete or prioritize signals as needed. This option is visible only when a signal burst occurs.
To manage burst queue signals:
1. Navigate to the Signals page from the hamburger menu.
2. Click Manage burst queue. This opens the burst queue, where you can view the total number of signals in the alert burst queue.
3. Review this information:
- External Signal ID: The unique identifier for the external signal.
- Subject: The subject of the external signal.
- Priority: The priority assigned to the external signal.
- Metric/Rule Name: The name of the rule that triggered the signal.
- Ingested Source: The source from which the signal was ingested.
- Actual Source: The low-level source on which Chronicle raised the detection. The actual source for OpsRamp signals is null.
- Created Time: The timestamp of when the signal was created.
Searching Signals
Use the search field at the top of the Burst Queue page to search for signals by subject, priority, metric/rule name, or external signal ID.
Filtering Signals
- Date Range: Filters signals based on their creation date. By default, the last 7 days of signals are displayed. You can customize the date range by selecting a specific "From" and "To" date.
  - Last 24 Hours: Displays signals generated in the past 24 hours.
  - Last 7 Days: Displays signals generated in the past 7 days.
  - Last 1 Month: Displays signals generated in the past month.
  - Last 3 Months: Displays signals generated in the past 3 months.
  - Custom Date Range: Allows you to define a specific start and end date for viewing signals.
- Metric/Rule Name: Filters signals based on the rule name that triggered them.
- Priority: Filters signals based on priority levels, such as P0, P1, P2, or P3.
- Ingested Source: Filters signals based on the source from which they originated, such as OpsRamp or Chronicle.
Managing Columns
Use the Manage Columns feature to choose which columns are displayed on the Burst Queue page, giving you a customized view of the external signal data.
Deleting Signals
To delete multiple signals from the burst queue, select the group of signals and use the Delete option.
Prioritizing Signals
You can also prioritize signals in the burst queue and send them to the priority queue for processing. To do this, select the signals and choose the Prioritize option.
Using the Ellipsis Icon
Each signal has an ellipsis icon (⋮) beside it that provides additional options. You can use this icon to either delete the signal or send it to the priority queue for processing.
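The following is an added illustration, not Resolution Intelligence Cloud code, of the triage flow this page describes: signals that exceed the plan's ingestion rate land in a burst queue, the queue is searched and filtered by the fields listed above, and the operator bulk-deletes the output of a noisy rule while prioritizing the genuine detections. The rate limit, sliding window, field names and all sample signals are constructed assumptions chosen to mirror the page; the product's real queue semantics are not visible here.

```python
"""Constructed model of burst-queue triage (hypothetical; not product code)."""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Iterable, Optional


@dataclass
class Signal:
    external_signal_id: str
    subject: str
    priority: str                 # P0..P3, as in the Priority filter
    rule_name: str                # Metric/Rule Name
    ingested_source: str          # e.g. "Chronicle" or "OpsRamp"
    actual_source: Optional[str]  # null for OpsRamp, per the page
    created_time: datetime


@dataclass
class SignalPipeline:
    """Assumed plan limit: at most `rate_limit` signals processed per sliding
    `window`; anything beyond that is redirected to the burst queue."""
    rate_limit: int
    window: timedelta
    processed: list = field(default_factory=list)
    burst_queue: list = field(default_factory=list)
    priority_queue: list = field(default_factory=list)

    def ingest(self, sig: Signal) -> str:
        # Signals must arrive in created_time order for the window count to hold.
        in_window = [s for s in self.processed
                     if sig.created_time - s.created_time < self.window]
        if len(in_window) < self.rate_limit:
            self.processed.append(sig)
            return "processed"
        self.burst_queue.append(sig)
        return "burst"

    def search_burst(self, text: str) -> list:
        """Search field: match subject, priority, rule name or external ID."""
        t = text.lower()
        return [s for s in self.burst_queue
                if t in s.subject.lower() or t in s.priority.lower()
                or t in s.rule_name.lower() or t in s.external_signal_id.lower()]

    def filter_burst(self, *, since: Optional[datetime] = None,
                     until: Optional[datetime] = None,
                     rule_name: Optional[str] = None,
                     priorities: Optional[Iterable[str]] = None,
                     ingested_source: Optional[str] = None) -> list:
        """Filter panel: date range, rule name, priority, ingested source."""
        wanted = set(priorities) if priorities is not None else None
        return [s for s in self.burst_queue
                if (since is None or s.created_time >= since)
                and (until is None or s.created_time <= until)
                and (rule_name is None or s.rule_name == rule_name)
                and (wanted is None or s.priority in wanted)
                and (ingested_source is None or s.ingested_source == ingested_source)]

    def delete(self, signals: Iterable[Signal]) -> int:
        """Delete option: drop the selected signals from the burst queue."""
        ids = {s.external_signal_id for s in signals}
        before = len(self.burst_queue)
        self.burst_queue = [s for s in self.burst_queue if s.external_signal_id not in ids]
        return before - len(self.burst_queue)

    def prioritize(self, signals: Iterable[Signal]) -> int:
        """Prioritize option: move selected signals to the priority queue."""
        ids = {s.external_signal_id for s in signals}
        moved = [s for s in self.burst_queue if s.external_signal_id in ids]
        self.burst_queue = [s for s in self.burst_queue if s.external_signal_id not in ids]
        self.priority_queue.extend(moved)
        return len(moved)


def build_sample_signals() -> list:
    """Constructed sample data: a misconfigured rule fires every 5 seconds while
    two genuine detections arrive after the plan limit is already exhausted."""
    t0 = datetime(2024, 1, 1, 12, 0, 0)
    sigs = [Signal(f"ext-{i:03d}", "Repeated login failure", "P3", "noisy_login_rule",
                   "Chronicle", "windows_eventlog", t0 + timedelta(seconds=5 * i))
            for i in range(8)]
    sigs.append(Signal("ext-100", "Host down", "P1", "host_availability",
                       "OpsRamp", None, t0 + timedelta(seconds=20)))
    sigs.append(Signal("ext-101", "Suspicious process chain", "P0", "edr_process_anomaly",
                       "Chronicle", "edr", t0 + timedelta(seconds=30)))
    return sorted(sigs, key=lambda s: s.created_time)


def triage_demo() -> dict:
    """Ingest, inspect the burst queue, delete the noisy rule's signals in bulk,
    then prioritize the genuine high-priority signals."""
    p = SignalPipeline(rate_limit=3, window=timedelta(minutes=1))
    outcomes = [p.ingest(s) for s in build_sample_signals()]
    summary = {"processed": outcomes.count("processed"), "burst": outcomes.count("burst")}
    summary["search_host"] = len(p.search_burst("host"))
    summary["deleted"] = p.delete(p.filter_burst(rule_name="noisy_login_rule"))
    summary["prioritized"] = p.prioritize(p.filter_burst(priorities={"P0", "P1"}))
    summary["remaining"] = len(p.burst_queue)
    return summary


if __name__ == "__main__":
    print(triage_demo())
```

The point the model makes visible is that a burst is rarely uniform: once the noisy rule has consumed the plan's allowance, a P0 detection from an unrelated rule is redirected to the same queue and waits there until an operator prioritizes it. Filtering by Metric/Rule Name before deleting keeps that bulk deletion from also discarding the genuine detections, and filtering by Priority afterwards identifies what should be sent to the priority queue.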