Create use case for device not logging for 30 minutes

Hi,

I need to create a use case which would trigger an alert if a device say Fortinet UTM does not log for say 30 minutes due to some issue.

Can someone please assist  me with this?

  • 1) Within the SmartConnector's Destination parameters, enter the value '1800000' under the Enable Device Status Monitoring - to generate a Connector Device Status event for this SmartConnector every 30 minutes.

    2) Create a Rule which has the following conditions (to capture internal events where there hasn't been an event since last count - 30 minutes ago):

         a) Device Product = ArcSight

         b) Device Event Class ID = agent:043

         c) Device Custom Number2 = 0

    3) Aggregate on (at least) identical Agent Host Name (SmartConnector name) and select an Action to fit your alerting requirements.

  • Hi Steve,

    Thanks a lot for your prompt reply!

    I just had a question that why we had kept Device custom number 2 as 0?

    Vishesh Verma

    Security Specialist

    CS&O / SCS / Security LoB / India Operations

  • Hi Vishesh,

    Within the agent:043 event, the deviceCustomerNumber2 field provides the Event Count Since Last Count number.

    Therefore, if the value is 0 and you have your Device Status Monitoring set to 1800000, this means that the SmartConnector has not received an event from the source device in 30 minutes.

    Cheers,

    Steve

  • Verified Answer

    Thanks Steve!

    Solved my prob Relaxed

    Vishesh Verma

    Security Specialist

    CS&O / SCS / Security LoB / India Operations

    tel. ( 65) 64 19 63 96 1 6411

    Mob: 91 8552949790

    visheshv.verma@orange.com<mailto:visheshv.verma@orange.com>

    Tower B 8th Floor DLF Infinity Tower Phase II, DLF Cybercity Gurgaon (122002) – INDIA

    www.orange-business.com<www.orange-business.com/>