About Issues, Events, and Alerts
Halo reports important security-related occurrences or situations in your servers in two forms—as issues and as events. Also, Halo notifies you of these results in two ways—as results reported in the Halo portal, and as alerts. These terms are distinct but closely interrelated:
- An issue is a scan result—such as a detected software vulnerability, a failed configuration policy rule, or a changed file integrity target. For configuration scanning, file integrity scanning, and log-based intrusion detection scanning, the rules and targets in your policies list the violations that are to be considered issues. For vulnerability scanning, the current state of the NIST database defines what software packages, if present, will be flagged as issues by Halo.
- An event is a logged issue or other special event (as defined by your special events policy; see Set Up a Special Events Policy). For configuration scanning, file integrity scanning, and log-based intrusion detection scanning, you specify for each policy rule or target whether its violation should not only generate an issue, but be logged as an event as well. For special events, you similarly specify for each potential event whether or not you want it to be logged as an event. (Special events do not appear as issues.)
Audit events make up another class of events. They are user actions, such as logins to Halo or changes to a policy, that are recorded for auditing purposes. By default all audit events are logged, but those settings are configurable on the Site Administration page of the Halo portal.
- An alert is an email notification sent to you or others to announce that a particular event has occurred. Alerts can give your security personnel essentially immediate notice that an event, possibly critical, has occurred in your servers or network. The details of the event are described in the alert so that immediate action can be taken.
For configuration scanning, file integrity scanning, and special events, you indicate for each specified event whether it should also trigger an alert. (By default audit events are not alertable, but those settings also are configurable on the Site Administration page of the Halo portal.)
You can think of issues as casting the broadest net to capture potential security risks on your servers. The set of events that you define can be just as broad (if you log every issue), or it can be somewhat more targeted toward those issues that you feel are more likely to indicate a significant security problem. And the set of alerts you define should be much smaller, restricted to the subset of events for which time-critical response is imperative.
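As an added illustration (not Halo's own code or API), the following Python model captures the nesting described above: every scan-policy violation is an issue, only rules marked for logging produce events, and only events marked alertable produce alerts, while special and audit events are events that never appear as issues. The rule kinds, flag names, and sample findings are assumptions made for this model.

```python
from dataclasses import dataclass, field

# Assumed rule kinds whose violations are scan-result issues.
SCAN_KINDS = {"configuration", "file_integrity", "log_intrusion"}
# Event-only kinds: logged (and possibly alerted) but never shown as issues.
EVENT_ONLY_KINDS = {"special", "audit"}

@dataclass(frozen=True)
class Rule:
    name: str
    kind: str                 # one of SCAN_KINDS or EVENT_ONLY_KINDS
    log_event: bool = True    # the rule's "log as event" setting
    alert: bool = False       # the rule's "trigger alert" setting (audit default: off)

@dataclass(frozen=True)
class Finding:
    rule: Rule
    server: str
    detail: str

@dataclass
class Triage:
    issues: list = field(default_factory=list)
    events: list = field(default_factory=list)
    alerts: list = field(default_factory=list)

def triage(findings):
    """Sort findings into issues, events, and alerts per their rule flags."""
    out = Triage()
    for f in findings:
        if f.rule.kind not in SCAN_KINDS | EVENT_ONLY_KINDS:
            raise ValueError(f"unknown rule kind: {f.rule.kind}")
        if f.rule.kind in SCAN_KINDS:
            out.issues.append(f)        # every scan violation is an issue
        if f.rule.log_event:
            out.events.append(f)        # only logged violations become events
            if f.rule.alert:
                out.alerts.append(f)    # an alert always rides on a logged event
    return out

def sample_findings():
    """Constructed findings for one server (not real Halo output)."""
    ssh_root = Rule("sshd PermitRootLogin", "configuration", log_event=True, alert=True)
    passwd = Rule("/etc/passwd changed", "file_integrity", log_event=True)
    sudoers = Rule("/etc/sudoers perms", "configuration", log_event=False)
    unlogged = Rule("noisy log rule", "log_intrusion", log_event=False, alert=True)
    special = Rule("agent restarted", "special", log_event=True, alert=True)
    audit = Rule("policy edited", "audit")  # logged by default, not alertable
    rules = (ssh_root, passwd, sudoers, unlogged, special, audit)
    return [Finding(r, "web-01", r.name) for r in rules]
```

Note that an alert flag on a rule that is not logged ("noisy log rule") yields no alert, since alerts are defined per event.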
Where do you go to view and address these occurrences?
- You can view issues on an individual server's Scan Details page (accessed from the portal Dashboard), on a server's Scan History page (accessed from its Scan Details page), or on the general Server Scan History page (accessed from the Servers menu).
- You can view events on an individual server's Security Events page (accessed from the Dashboard) and on the general Security Events History page (accessed from the Servers menu).
- Alerts appear in the email in-boxes of the individuals (who do not have to be Halo users) who have been specified as alert recipients.
Typically, there is a large overlap between issues and events. Most issues that you want to be reported should probably also be logged as events, so you will mark them for logging. However, any rules or targets that you do not mark for logging will appear as scan-result issues but will not appear as events.
The rest of this document describes how to set up, make use of, and interpret your issues, events, and alerts.