Overview:  The Third Wall plugin employs monitors to ensure all assigned policies are adhered to and will use the ticketing system to communicate any changes.  This paper describes the plugin's use of the ticketing system.


Standard Monitors:  For all monitors (excepting one, discussed below), Third Wall uses only standard, Automate group-assigned monitors.  This means any customization that can be applied to a standard monitor can be done to a Third Wall monitor.


In your groups, you will find a single ThirdWallV2 group.  Nested under that group are the Policy Category groups.  These groups are strictly for organizational purposes and no modifications or monitors are applied to them.  Under the Category groups you'll find the Monitor groups.



In this example, 'OS Security' is the Category Group.  All groups under 'OS Security' are Monitor groups.


To modify the ticketing for a single monitor, double-click its Monitor group.  In this example, we'll modify the ticketing for the 'Disable UPnP' monitor.


Double-clicking the monitor opens the Group Editor.  From there, press the 'Computers' tab, then 'Remote Monitors'.  Finally, click to select the 'TW - Disable UPnP' monitor on the bottom of the screen.  Your Group Editor screen should now look like this:



Note that an 'Alert Template' selector is offered at the top right of the screen.  To change the Alert Template associated with the Disable UPnP monitor, use the 'Alert Template' selector to make the change, then press the 'Update' button.  Changes will be propagated within the next five minutes.


As this is a standard Automate monitor, any aspect of this monitor may be modified to suit your needs.  Settings such as Alert Style, Ticket Category, Report Category, etc. may all be altered here.  Pressing the 'Details' button will reveal more modifiable settings.


Bulk Changes:  Third Wall offers a method by which the assigned Alert Template and Ticket Categories for all Third Wall monitors may be changed.  This screen can be found on the Dashboard, under Config -> Integration -> Third Wall.  From there, press the Alert Communications link (on the left).  



Use the supplied pull-down to modify the Alert Template and/or the Alert Category that is assigned to all Third Wall monitors.  Changes are applied immediately.


Monitor Behavior:  Third Wall tickets, for the bulk of the policies, are straightforward.  In the above case of UPnP, you will receive a ticket if a remote computer is not under that policy, and that ticket will be automatically closed when the remote computer is again under policy.  However, there are a couple of monitors to which this model cannot be applied.  Monitor Event Log Clearing and Alert on Excessive Logon Failures are two of those monitors.


These two monitors have no success condition.  Therefore their tickets will remain open until they are manually closed by a technician.  We have found that Automate patches occasionally modify this behavior.  If this occurs, you'll find tickets from both monitors are auto-closed five minutes after they are issued.  To revert these monitors to the desired behavior, use the 'Utilities' section on the Preferences Screen (shown above).



Here, the two checkboxes for 'Maintain xxxx Tickets' are checked.  This causes Third Wall to maintain the desired ticket behavior for Alert on Excessive Logon Failures and Monitor Event Log Clearing.  This is a recommended setting.


The Ransomware Monitor:  As described above, there is one exception to these rules.  That exception is the Ransomware Monitor.  This policy comes with two monitors.  One alerts you of an issue in creating or maintaining its bait files.  The other alerts you when those bait files have been manipulated.  Going forward, these two will be referred to as setup monitors and trap monitors.


The setup monitor follows the standard ticketing rules described above.  The trap monitors do not.  The assigned Alert Action for the Ransomware Monitor's trap is set on the policy itself, shown here:


In this example, any remote computer which modifies its bait files will call the 'Default - Create Automate Ticket' Alert Template.