Tools and Administration

In the menu bar settings area, near Sensors, we can find the Tools section where we can find options to configure the platform.

Tools: available options to configure the platform

In this dropdown menu, you can find access to the configurations that define, for example, the conditions that must be met for the user to be notified by an alarm, track user activities on the platform, register new users, or manage the configuration of the cluster, sensors, and servers, among many other actions.

Expand the following tabs to read a description of the options found in the tools menu.

Alarms

Alarms

An alarm is a notification that is triggered when one or more conditions are met.

When accessing this option, the list of registered alarms is displayed.

List of active alarms

Create a new alarm

By clicking on the New Alarm button, we access the form, where the conditions that the alarm must meet to trigger a notification, and the severity level defined for that alarm, are established.

Create a new alarm

1. General Settings

   Field	Description
   Name	Name of the alarm
   Time window	Time interval that must be exceeded by excess or predetermined values given in the upper/lower limit for the alarm to be active
   Product type	Select the type of application/element for which the alarm has been defined. The user will see the options included in their license in this field
   Notify every	Sets the time sequence for notification
   Upper/lower limit	Indicates the number of events (maximum/minimum) that must meet the alarm conditions to trigger the notification
   Unit	Desired aggregation for the alarm. It will vary depending on the aggregations available in the desired product type
   Time zone	Allows choosing the time definition to be used for the alarm
   Severity	The user must define the severity level given to the alarm. Depending on the conditions defined for the alarm, it will imply a very low, low, medium, high, very high, or critical risk. This severity grading is also indicated on a color scale

2. Outliers

   RedBorder uses data analysis techniques to provide notifications of potential dangers, this option allows the user to configure smart alarms that will be triggered if any network anomalies are detected within the filters specified in the Conditions section.

   Activating this option will perform an anomaly analysis once the configured Time window in the alarm's General Settings has passed.

   The granularity indicates the level of temporal detail that the alarm will use to analyze the data.

3. Notifications

   Notification method	Description
   Syslog	Allows exporting notifications to an external syslog server
   Email	Enables the selection of users to send notifications via email when an alarm is triggered
   Slack	Enables the Slack Webhook field that allows the platform to send a message to a Slack channel when an alarm is triggered

4. Conditions

   These are the filters that will trigger the alarm. They can be configured similarly to how they would be configured in the type of application/element for which the alarm has been defined.

Audits

Audits

This option shows a list of user activity (or users) recorded on the Redborder platform, ordered chronologically by default. The user can sort the table in ascending or descending order for each of the columns. The search box at the top can be used to filter the information you want to see. The columns shown in this table are as follows:

• User: user who performed the action
• Resource: element that has been created, modified, or deleted
• Action: action that has been carried out (creation, editing, deletion)
• Message: brief description of what has been audited
• Timestamp: date and time of the activity record

Audits: user activity log

Cluster Settings

Cluster Settings

The Cluster Settings option allows us to check the status and configuration of the cluster, and establish the cluster creation process during the Manager installation process.

You can modify these values by editing through the Unlock button. The information can be changed with the following parameters:

• Cluster status
• Historical Nodes
• Historical Rules

Cluster Configuration: Cluster status and configuration

Correlation Engine Rules

Correlation Engine Rules

Here the user can see all the rules for the correlation engine. It is possible to edit existing rules and also create new ones.

Monitor Categories

Monitor Categories

Here we can add a new category to monitor hardware. The categories use technologies like SNMP, Redfish, IPMI, or a Bulkstats scheme to provide information about the system and its operation.

Monitor Categories

To add a new monitor category, we need to use the button in the upper right corner. Then we will fill in the fields by selecting the correct technology that allows Redborder to receive the data.

Infrastructure Monitor

SNMP Operations

To explain the operation of the SNMP function, we will use an example, monitoring memory usage. When we create a new monitor category with the New monitor category button on the Monitor Categories page, we will see the following popup window.

Initial creation of a monitor category

This is the formula to calculate the memory usage of a device:

100*(memory_total-memory_free-memory_total_buffer-memory_total_cache)/memory_total

The result is a combination of different SNMP values. Now, if we want to create a monitor like this example, we must choose SNMP Operation in the technology dropdown menu.

Below the OID field, there is now a button called Add new variable, which adds another field so we can enter more SNMP OIDs. The OIDs used are:

UCD-SNMP-MIB::memTotalReal.0
UCD-SNMP-MIB::memAvailReal.0
UCD-SNMP-MIB::memBuffer.0
UCD-SNMP-MIB::memCached.0

At the bottom, there is an OID Operation field, where we will enter the operation we want to perform with the previously entered OIDs.

Example Monitor

For each OID, the output will be stored in a variable that we will then use in the OID operation.

At this point, we just have to create the monitor by pressing the Create button.

To add the new monitor to a sensor device, we will create a new sensor on the Sensor tab, selecting Monitor Device.

Bulkstats

Bulkstats (Bulk Statistics) are statistics that are collected in a group or scheme, such as system statistics, port statistics, or Radius statistics.

It is possible to view Bulkstats information in the Redborder manager; for this, it is necessary to configure the client part on the Cisco device to activate the information sending to the manager via FTP.

Once this is done, we will be able to view all the Bulkstats information in the Redborder manager by accessing its corresponding tab and selecting the desired fields within the Monitor module.

Monitor Module: Bulkstats Fields

To define a custom Bulkstats monitor, it is first necessary for the user to have a Bulkstat schema on their network device that can be saved in a plain text file and named (e.g., Bulkstats-Schema.txt).

Normally, bulkstats schemas look like this:

Bulkstats Schemas: Plain Text File

Then, click on the New monitor category button and within the new monitor category form, select Bulkstats from the Technology list. This will show the new option to place your bulk file schema file that defines the user's configuration.

New Monitor Category: Technology Selection

To assign the new monitor category to a device sensor, it is necessary to create a monitor device (if the user has not already created one) from the Sensor Tree view.

Click on the sensor menu and then click on Monitors.

Sensor Tree

Within the monitor menu, press the Add Monitor button and within the window, press the Add button corresponding to the created monitor category.

Device Monitors: Add Monitors Mode Shown

Once the monitor is added to the sensor, it will show the destination where you need to configure the device to send the information.

Device Monitors: Destination Path

The URL corresponds to the destination path. It is necessary to configure the SFTP protocol on the device's network to send information about the bulkstats schemas to the manager.

Licenses

Licenses

Through this option, the user can check which nodes have expired licenses. Likewise, it is possible to upload a new license or request a new one.

At the top edge of the screen, the number of available licenses, the applications that can be used with these licenses, and the number of expired nodes are indicated. There is a list of expired nodes that need to renew their licenses in the center of the screen. There is also a list of available actions.

To upload a file with a new Redborder license, click on Upload License. To request a new license, click on Request license.

Licenses: Check and update expired licenses

Lookup Sources

Lookup Sources

List of web service URLs that perform network data queries. From this screen, it is possible to add more web services as well as edit existing ones.

• Delete a service: click the "Delete" button.

• Edit an existing service: click the "Edit" button:

  

  Lookup Sources: Web Service Queries

• Add a new web service: click the Add Lookup Source button.

  

  Add a new Lookup source

Objects

Objects

This option allows the direct creation and editing of objects related to internal applications, end users, protocols, etc. The user can navigate through different tabs corresponding to the categories of objects that can be created. If you want to locate objects more efficiently, you can use the browser.

Three object categories can be created:

• Network
• MAC
• VLAN

Objects: object list

• Create a new object: click on New Net Object (Network, MAC, VLAN)
• Edit an existing object: click the Edit button.
• Delete an object: click the Delete icon.

Objects: create a new object

In all cases, when creating or editing an object, the system asks for a name, a value, and a description.

In the upper right margin, there is a submenu of options. It allows the user to import or export data related to these objects in .csv format.

Note...

It is possible to create an object directly from the attributes shown in the data tables of the modules. To do this, go to the module and click on the inverted triangle that appears when hovering over an attribute such as IP, MAC, or VLAN.

Object Types (WIP)

Object Types

This option allows the user to create categories for network objects, thereby creating an inventory of the objects found on the network.

Overlay Maps

Overlay Maps

This option allows overlaying an image on a Google map for more customization.

• Edit map: click the Edit button next to the existing map list.
• Add new map: click on New overlay map.

In both cases, you will specify the map name, latitude, and longitude where the image should be located.

Finally, upload the image from your computer in .jpg or .png format.

Overlay Maps: overlay images on a world map

Platform Alerts

Platform Alerts

Alerts are messages displayed to all users when they enter the web platform. This section is where platform alerts can be managed.

There are three levels for alerts: information, warning, and danger. Each level has its own color so that the alerts can be differentiated, and all are placed below the menu bar. In the following image, we have an example of a test alert.

Platform Alerts

It is possible to create alerts for the platform using the New alert button. It is necessary to select the alert level and the alert message.

Platform Alert: New alert

If the user clicks on the alert message, it will not be displayed again until the user logs in again.

It is possible to delete the alert by clicking on the cross in the message. After that, the alert message will no longer be displayed.

Rule Versions

Rule Versions

The user can manage the platform's rule sources. It is possible to add or load new sources and also enable the selected ones. The rules are used for the Snort probe, which is used by the intrusion module.

Rule Versions

It is possible to load rules for a particular IPS using the Upload Source option, where the user can select the file to upload.

It is also possible to add sources to download new rules from the Internet that are updated periodically; if necessary, the user can force the update of the rules to ensure that all rules are up to date.

Support Center

Support Center

Users can use the Support Center to resolve any questions or issues related to the platform. Registration in the Support Center is required.

Support Center

Users

Users

Activation or modification of user data, service management, or creating new records is possible from the User Configuration interface.

To search for a specific user, enter their details in the search bar. You can also browse through the alphabetical list located at the top of the user list.

Users can only view sections of the platform (read-only mode) and cannot modify content (except for their own user profile). The only user with permissions to do this is the Superadministrator.

Users: user permissions management interface

The main screen shows a list of active users on the Redborder platform, email addresses, Top Domain (the highest level the user has access to), the number of logins, IP, and the time of their last access.

By clicking the Edit button, the user can modify information and view a summary of their status and activity within the platform.

Users: user profile editing

Important

Each time any data in a user profile is modified, the current password must be entered to confirm the changes.

To create a new user, click on New user and complete the required information in the user profile. You can check the Administrator box to grant the new user full permissions.

Users: New user

User Area

In the upper right corner of the menu bar, you will find the user area, from which you can view notifications, check your profile, access contextual help, and log out of the system.

User Area

Notifications

To view a summary list of notifications, click on the user area. To access a full list, select the See all option or click on any of the notifications in the summary; this will open a new screen where you can view notification details and delete all notifications using the Clear all option.

User Area: notifications

My Profile

This option allows direct access to the user profile and performs the same actions as the Tools -> Users option.

Show Help

This option provides context-sensitive help to facilitate navigation and usability of the platform.

User Area: help

Log Out

For secure disconnection from the platform, select the Log out option. The system will return to the login screen.

Worker and Job Queue

Worker and Job Queue

In this option, users can check the status of the workers and the jobs running in the background. They can also verify which jobs have been completed.

Note...

Workers are programs that constantly run in the background.

A Job is a program that runs periodically or only once but does not remain running in the background. It runs and then closes.

Worker and Job Queue: status of the worker list and job queue.

Stored Jobs shows the list of completed services. You can check the status of each one via the "Information" icon or remove it from the list using the "Delete" icon. This screen refreshes automatically every 5 seconds.