Create an Anti-Flooding Policy for Alerts

Applies To: WatchGuard Advanced Reporting Tool and Data Control

Anti-flooding policies limit the number of alerts that are sent when an alert triggers frequently over a short period of time.

Screen shot of WatchGuard EPDR, Advanced Visualization Tool, Alerts Anti-Flooding Policy tab

When you create an anti-flooding policy, you specify:

  • Maximum number of alerts to receive
  • Time period to which the maximum applies
  • A reminder if the alert repeats after the established time period

To create an anti-flooding policy for alerts, from the Advanced Visualization Tool:

  1. From the left pane, select Administration > Alerts Configuration.
  2. Select Alert Policies.
  3. From the left pane, select Anti-Flooding Policy.
  4. Click New.
    The Anti-Flooding Policy dialog box opens.

Screen shot of WatchGuard EPDR, Advanced Visualization Tool, Anti-Flooding Policy dialog box

  5. In the Policy Name text box, type a unique name that identifies the policy.
  6. In the Send a Maximum Of text box, type the maximum number of alerts to send.
    Alerts triggered beyond this maximum are not sent. However, the Alerts Dashboard always keeps a record of every time the alert triggers. You can also query the complete history of triggered alerts in the siem.logtrust.alert.info data table.
  7. In the Over a Period Of text box, type the length of the time period over which the limit applies.
  8. From the drop-down list, select a time unit (minutes, hours, days).
  9. Click Save.
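
The following added example (not WatchGuard code) models how the Send a Maximum Of and Over a Period Of settings interact, so you can estimate how many alerts a candidate policy would suppress before you save it. It assumes a fixed window that opens at the first trigger after the previous window ends; the page does not document the product's exact windowing, and the class, function, and policy names are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Time units offered in the policy dialog box, in seconds.
UNITS = {"minutes": 60, "hours": 3600, "days": 86400}

@dataclass
class AntiFloodingPolicy:
    name: str
    send_max: int   # "Send a Maximum Of"
    period: int     # "Over a Period Of"
    unit: str       # minutes, hours, or days

    @property
    def window(self) -> timedelta:
        return timedelta(seconds=self.period * UNITS[self.unit])

def apply_policy(policy, triggers):
    """Split sorted trigger times into (sent, suppressed, history).

    Assumption: a fixed window opens at the first trigger seen after the
    previous window has expired.
    """
    sent, suppressed, history = [], [], []
    window_start, count = None, 0
    for ts in triggers:
        history.append(ts)  # every trigger is recorded, whether sent or not
        if window_start is None or ts - window_start >= policy.window:
            window_start, count = ts, 0  # open a new window
        if count < policy.send_max:
            sent.append(ts)
            count += 1
        else:
            suppressed.append(ts)  # over the limit: kept in history only
    return sent, suppressed, history

def demo():
    # Constructed sample: one alert that triggers every 2 minutes for 30 minutes.
    start = datetime(2024, 1, 1, 9, 0)
    triggers = [start + timedelta(minutes=2 * i) for i in range(16)]
    policy = AntiFloodingPolicy("example-policy", send_max=3, period=10, unit="minutes")
    return apply_policy(policy, triggers)

if __name__ == "__main__":
    sent, suppressed, history = demo()
    print(f"triggered={len(history)} sent={len(sent)} suppressed={len(suppressed)}")
```

The suppressed entries correspond to triggers that would appear only in the Alerts Dashboard and the siem.logtrust.alert.info data table.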

Edit and Delete Anti-Flooding Policies

You can edit or delete an existing anti-flooding policy on the Antiflooding Policy tab.

To edit an anti-flooding policy, in the Advanced Visualization Tool:

  1. From the left pane, select Administration > Alerts Configuration.
  2. Select Alert Policies.
  3. From the left pane, select Anti-Flooding Policy.
  4. From the list of policies, click in the row for the policy you want to edit.

Screen shot of WatchGuard EPDR, Advanced Visualization Tool, Antiflooding Policy list

  5. Select Edit.
  6. In the Send a Maximum Of text box, change the number of alerts allowed.
  7. In the Over a Period Of text box, edit the time period, as required.
  8. Click Update.

To delete an anti-flooding policy, in the Advanced Visualization Tool:

  1. From the left pane, select Administration > Alerts Configuration.
  2. Select Alert Policies.
  3. From the left pane, select Antiflooding Policy.
  4. From the list of policies, click in the row for the policy you want to delete.

Screen shot of WatchGuard EPDR, Advanced Visualization Tool, Anti-flooding Policy list

  5. Select Delete.
    A Warning dialog box opens.

Screen shot of WatchGuard EPDR, Advanced Visualization Tool, Delete anti-flooding policy dialog box

  6. Click Yes.

See Also

About Real-Time Alerts in the Advanced Visualization Tool

Create Alerts in the Advanced Visualization Tool