
How Can I Test Email Notification for Alarms Policy\Action in Alienvault Ossim?

artvandelay05
Hello community,

I have set up email notification for alarms greater than a threat level of 0 via the AlienVault Ossim GUI (ver 4.9) in Config\Threat Intelligence\Policies for events generated in server and Actions. I think I have it set up correctly, but I don't know for sure because there haven't been any alarms. :) I have my Action set as:

Type: Send email message
Condition: Define logical condition
Python Boolean Expression: Risk>0

Then in the From and To fields I have from [email protected] to my email address.

I have the above action in an active Policy under the Policies for events generated in server. Also, I have configured the Mail Server Relay settings pointing to our in-house Exchange server.

How can I test Ossim to make sure an email is sent to me when an alarm is generated?

Thank you community.

Best Answers

  • I usually take the ssh login or failed login event and set reliability to 10 so it alarms. Makes it easy to fire an alarm as you just login or attempt to.
  • Yep, you will need to restart ossim-server though after the change. You can do it from the directives screen "restart server" or on the cli.

Answers

  • Thank you for the answer PacketInspector. I want to confirm I understand how to change the Reliability of an event. In the AlienVault Ossim GUI console, under Analysis click on SIEM. Under Events, click on the Reliability image rectangle block that has a number in it, e.g. 1. A window pops up where I can change the Reliability for the Event to a number between 1 through 10. Change it to 10.

    Now, when that event is triggered/logged it should create an Alarm?
  • Ok. Will do. I'll report the results here later. Thanks PacketInspector.
  • Also, do I have the Email Notification on Alarms configured correctly?
  • You can probably just use the "only if alarm" criteria instead of the risk value.
  • Bad news (for me haha). I didn't get an email notification for the alarms (and I have a lot of alarms since changing the Reliability of SSH login to 10). What do you think I'm missing? Do I have to setup anything in our Exchange 2007 server? Our Receive connector is configured for the server IPs and our Ossim server is in the specified IP range.
  • Thank you PacketInspector! Your comments helped greatly. I also had to tinker with something else.

    In General Config, I deleted the username and password for the email config, leaving the SMTP server filled along with a port name and the ossim email address. I then changed the reliability of a 0 risk event like SSH login to 10 which bumped the risk of the event up to 2 (as you know an alarm is any event with a risk > 0).

    Restarted the Ossim VM.

    Boom.

    Alarm emails poured into my Outlook client. :)
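An added illustration, not written by anyone in this thread, of why raising an event's reliability to 10 turns a risk 0 event into one that satisfies the action condition "Risk>0" from the original post. It assumes OSSIM's documented risk formula (asset value * priority * reliability / 25, truncated to an integer) and uses constructed asset/priority values chosen so that the reliability change reproduces the 0 to 2 jump reported above; the function and variable names are the example's own.

```python
"""Check whether an OSSIM event would satisfy an email action's condition
before waiting for live traffic.

Assumptions (not stated in the thread): OSSIM computes
    risk = floor(asset_value * priority * reliability / 25)
with asset 0-5, priority 0-5, reliability 0-10 (maximum risk 10), and the
action condition is a Python boolean expression such as "Risk>0".
"""
import ast
import operator


def ossim_risk(asset_value: int, priority: int, reliability: int) -> int:
    """Risk on the 0-10 scale; integer division mirrors the truncated value shown in the GUI."""
    for name, value, top in (("asset_value", asset_value, 5),
                             ("priority", priority, 5),
                             ("reliability", reliability, 10)):
        if not 0 <= value <= top:
            raise ValueError(f"{name}={value} outside 0..{top}")
    return asset_value * priority * reliability // 25


_OPS = {ast.Gt: operator.gt, ast.GtE: operator.ge, ast.Lt: operator.lt,
        ast.LtE: operator.le, ast.Eq: operator.eq, ast.NotEq: operator.ne}


def condition_matches(expression: str, risk: int) -> bool:
    """Evaluate a condition like 'Risk>0' without eval(): only a single
    comparison between the name Risk and an integer literal is accepted."""
    node = ast.parse(expression.strip(), mode="eval").body
    if not (isinstance(node, ast.Compare) and len(node.ops) == 1
            and isinstance(node.left, ast.Name) and node.left.id == "Risk"
            and isinstance(node.comparators[0], ast.Constant)
            and isinstance(node.comparators[0].value, int)):
        raise ValueError(f"unsupported condition: {expression!r}")
    return _OPS[type(node.ops[0])](risk, node.comparators[0].value)


def would_alarm(asset_value: int, priority: int, reliability: int,
                expression: str = "Risk>0") -> bool:
    """True when the event's computed risk satisfies the action condition."""
    return condition_matches(expression, ossim_risk(asset_value, priority, reliability))


if __name__ == "__main__":
    # Constructed values: an SSH login event with asset value 2 and priority 3.
    for rel in (1, 10):
        r = ossim_risk(2, 3, rel)
        print(f"reliability={rel:2d} risk={r} email_action_fires={condition_matches('Risk>0', r)}")
```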