Email notifications from Queries

So, I have a rule that populates an active list every time an IDS reports in. I then have a query that looks at the active list and hits when an active list entry hasn't been modified in an hour. This query then gets placed in a query viewer which then ends up in a dashboard....

My question is, how can I create content that will email a notification when an IDS hasn't reported in over an hour? There isn't a "Last Modified Time" in the rule's conditions. Any help would be very much appreciated!

  • Setup a 1h TTL on the active list.  When the entry expires because it hasn't been updated in 1 hour, it will expire off the active list.

    There will be an audit log created for that active list expiry which you can pick up with a rule and send an email notification.

  • Hello David,

    I am not sure whether this is your scenario or not - but if what you are looking for is monitoring devices (your IDS in this situation) for flow of events, then I would use the built-in functionality of "Device Status Monitoring" and not create extra content for it.

    How it works:

    1. Go to your Connector -> Configure -> Default -> Processing -> Enable Device Status Monitoring (in millisec) - enter the time period over which you want it to report

    2. Restart your connector

    3. Search for events being generated at each period of time configured at point 1., by:

    Name: Connector Device Status

    Device Event Class ID: agent:043

    What will happen is that for each device reporting to your connector, in the events above you will be able to see the name of the device and the number of events it sent Since Last Check:

    Device Custom Number 2: Event Count SLC (since last check)

    Device Custom String 1: Vendor

    Device Custom String 2: Product

    Attacker Address: device address

    Attacker Host Name: device name

    From this point you can just configure a rule to check for such events for your IDS device, and if Events SLC is zero, to raise an alert.

    All the best,

    Stefan

  • Stefan,

    Thanks for the reply, but this is something that I already utilize. We have active lists being populated with this feature and then queried to see if modifications are made within an hour, 24 hours, 48 hours and 72 hours. From what I understand, an alert could only be setup to notify on first missed interval (we have a 900000ms interval). I need to be alerted once a device doesn't receive the DSM update after an hour.

  • Shaun,

    Thanks for the reply! Where could I find the audit log? What would the condition look like when setting up that content?

  • Look at deviceEventClassId = activelist:104