I need to create a use case which would trigger an alert if a device, say a Fortinet UTM, does not log for, say, 30 minutes due to some issue.
Can someone please assist me with this?
1) Within the SmartConnector's Destination parameters, enter the value '1800000' under Enable Device Status Monitoring, to generate a Connector Device Status event for this SmartConnector every 30 minutes.
2) Create a Rule which has the following conditions (to capture internal events where there hasn't been an event since the last count, 30 minutes ago):
a) Device Product = ArcSight
b) Device Event Class ID = agent:043
c) Device Custom Number2 = 0
3) Aggregate on (at least) identical Agent Host Name (SmartConnector name) and select an Action to fit your alerting requirements.
Within the agent:043 event, the deviceCustomNumber2 field provides the Event Count Since Last Count number.
Therefore, if the value is 0 and you have your Device Status Monitoring set to 1800000, this means that the SmartConnector has not received an event from the source device in 30 minutes.
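As an added illustration of the rule logic above (not part of the original reply), the following Python reproduces the three conditions and the per-connector aggregation over a few constructed CEF lines. The extension keys assumed are the standard CEF ones, ahost for Agent Host Name and cn2 for Device Custom Number2; the sample events are constructed, not real ArcSight output.

```python
# Added example: apply the agent:043 / deviceCustomNumber2 == 0 rule to
# constructed Connector Device Status events in CEF format and aggregate
# hits by Agent Host Name (ahost). Field names are assumed from the CEF
# extension dictionary; the sample lines below are constructed.
import re
from collections import defaultdict

SAMPLE_EVENTS = [  # constructed sample input
    "CEF:0|ArcSight|ArcSight|7.0|agent:043|Connector Device Status|Low|ahost=fortinet-conn-01 cn2=0 cn2Label=Event Count Since Last Count",
    "CEF:0|ArcSight|ArcSight|7.0|agent:043|Connector Device Status|Low|ahost=fortinet-conn-02 cn2=1532 cn2Label=Event Count Since Last Count",
    "CEF:0|ArcSight|ArcSight|7.0|agent:050|Connector Device Status|Low|ahost=fortinet-conn-03 cn2=0 cn2Label=Other Count",  # wrong class ID
    "CEF:0|Fortinet|Fortigate|6.4|0100032002|traffic|Low|ahost=fortinet-conn-01 cn2=0",  # source event, not an ArcSight internal one
]

# key=value pairs; a value runs until the next " key=" or end of line
EXT_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")

HEADER_FIELDS = ["version", "deviceVendor", "deviceProduct", "deviceVersion",
                 "deviceEventClassId", "name", "severity"]

def parse_cef(line):
    """Split a CEF line into its seven header fields plus a dict of extension pairs."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF line")
    parts = line.split("|", 7)  # header fields, then the extension as one string
    if len(parts) < 8:
        raise ValueError("malformed CEF header")
    event = dict(zip(HEADER_FIELDS, parts[:7]))
    event["extension"] = dict(EXT_RE.findall(parts[7]))
    return event

def is_silent_device_event(event):
    """The three rule conditions from the reply: ArcSight, agent:043, cn2 == 0."""
    return (event["deviceProduct"] == "ArcSight"
            and event["deviceEventClassId"] == "agent:043"
            and event["extension"].get("cn2") == "0")

def silent_connectors(lines):
    """Aggregate matching events by Agent Host Name, as the rule's aggregation does."""
    hits = defaultdict(int)
    for line in lines:
        try:
            event = parse_cef(line)
        except ValueError:
            continue  # skip lines that are not well-formed CEF
        if is_silent_device_event(event):
            hits[event["extension"].get("ahost", "<unknown>")] += 1
    return dict(hits)

if __name__ == "__main__":
    for host, count in silent_connectors(SAMPLE_EVENTS).items():
        print(f"ALERT: {host} reported 0 events since last status check ({count} hit(s))")
```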
Solved my problem.