
Email notifications from Queries

So, I have a rule that populates an active list every time an IDS reports in. I then have a query that looks at the active list and hits when an active list entry hasn't been modified in an hour. This query then gets placed in a query viewer which then ends up in a dashboard.

My question is, how can I create content that will email a notification when an IDS hasn't reported in over an hour? There isn't a "Last Modified Time" in the rule's conditions. Any help would be very much appreciated!

Fleet Admiral

Set up a 1h TTL on the active list. When the entry expires because it hasn't been updated in 1 hour, it will expire off the active list.

There will be an audit log created for that active list expiry which you can pick up with a rule and send an email notification.

Hello David,

I am not sure whether this is your scenario or not - but if what you are looking for is monitoring devices (your IDS in this situation) for flow of events, then I would use the built-in functionality of "Device Status Monitoring" and not create extra content for it.

How it works:

1. Go to your Connector -> Configure -> Default -> Processing -> Enable Device Status Monitoring (in millisec) - enter the time period over which you want it to report

2. Restart your connector

3. Search for events being generated at each period of time configured at point 1., by:

Name: Connector Device Status

Device Event Class ID: agent:043

What will happen is that for each device reporting to your connector, in the events above you will be able to see the name of the device and the number of events it sent Since Last Check:

Device Custom Number 2: Event Count SLC (since last check)

Device Custom String 1: Vendor

Device Custom String 2: Product

Attacker Address: device address

Attacker Host Name: device name

From this point you can just configure a rule to check for such events for your IDS device, and if Events SLC is zero, to raise an alert.

All the best,

Stefan

Vice Admiral

Stefan,

Thanks for the reply, but this is something that I already utilize. We have active lists being populated with this feature and then queried to see if modifications are made within an hour, 24 hours, 48 hours and 72 hours. From what I understand, an alert could only be set up to notify on the first missed interval (we have a 900000 ms interval). I need to be alerted once a device doesn't receive the DSM update after an hour.

Vice Admiral

Shaun,

Thanks for the reply! Where could I find the audit log? What would the condition look like when setting up that content?

Fleet Admiral

Look at deviceEventClassId = activelist:104

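The following Python is an added example, not code from this thread or from ArcSight, that models how the two suggestions fit together: Stefan's Connector Device Status (agent:043) events feed a per-device "last reported" entry, Shaun's 1h TTL expires that entry when it has not been refreshed, and the expiry (the activelist:104 moment) is what you would hand to a notification, once per outage rather than on every missed 15-minute check. The event IDs and the field names (Event Count SLC in Device Custom Number 2, vendor/product in Device Custom String 1/2, address and host name in the Attacker fields) come from the thread; the CEF rendering, the standard CEF key mapping (cn2, cs1, cs2, src, shost, rt), the sample hosts and addresses, and the "re-arm only after the device reports again" rule are assumptions made for the example.

```python
"""Added example modelling the two suggestions in this thread: keep a per-device
'last reported' entry (the active list), let it expire when not refreshed for the
TTL (1 h), and notify once per outage rather than on every missed 15-minute check.
The agent:043 and activelist:104 IDs come from the thread; everything else here
(CEF rendering, sample hosts/addresses, the re-arm rule) is an assumption."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

TTL_SECONDS = 3600              # the 1h TTL suggested for the active list
STATUS_INTERVAL_SECONDS = 900   # the 900000 ms Device Status Monitoring interval the OP uses


def parse_cef(line: str) -> dict:
    """Split 'CEF:0|vendor|product|version|signatureId|name|severity|ext' into a dict.
    Assumes extension values contain no spaces or escaped '=' (true for the sample)."""
    parts = line.split("|", 7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError(f"not a CEF line: {line!r}")
    event = {"signature_id": parts[4], "name": parts[5]}
    for token in parts[7].split():
        key, _, value = token.partition("=")
        event[key] = value
    return event


@dataclass
class Alert:
    device: str
    last_reported: int   # epoch seconds of the last status event with a non-zero count
    detected_at: int     # epoch seconds when the 1h TTL was found to have elapsed


class DeviceWatch:
    """last_reported plays the role of the active list; expired remembers devices
    whose entry has already expired so one outage produces one notification."""

    def __init__(self, ttl_seconds: int = TTL_SECONDS) -> None:
        self.ttl = ttl_seconds
        self.last_reported: Dict[str, int] = {}
        self.expired: Set[str] = set()

    def ingest(self, event: dict) -> Optional[Alert]:
        if event.get("signature_id") != "agent:043":        # only Connector Device Status events
            return None
        device = event.get("shost") or event.get("src", "unknown")  # Attacker Host Name, else Address
        now = int(event["rt"]) // 1000                      # rt is receipt time in epoch ms
        if int(event.get("cn2", "0")) > 0:                  # cn2 = Event Count SLC
            self.last_reported[device] = now                # refresh the entry: TTL restarts
            self.expired.discard(device)                    # device is back: re-arm
            return None
        if device in self.expired:
            return None                                     # still silent, already notified
        last = self.last_reported.setdefault(device, now)   # first sighting with 0: baseline now
        return self._expire_if_due(device, last, now)

    def sweep(self, now: int) -> List[Alert]:
        """Expire entries even when no status event arrives (e.g. the connector itself is down)."""
        alerts = []
        for device, last in list(self.last_reported.items()):
            alert = self._expire_if_due(device, last, now)
            if alert is not None:
                alerts.append(alert)
        return alerts

    def _expire_if_due(self, device: str, last: int, now: int) -> Optional[Alert]:
        if now - last < self.ttl:
            return None
        del self.last_reported[device]   # TTL expiry: entry drops off the list (the activelist:104 moment)
        self.expired.add(device)
        return Alert(device, last, now)


def process(lines: List[str], ttl_seconds: int = TTL_SECONDS) -> List[Alert]:
    """Run a stream of CEF lines through one DeviceWatch and collect the expiries."""
    watch = DeviceWatch(ttl_seconds)
    alerts = []
    for line in lines:
        alert = watch.ingest(parse_cef(line))
        if alert is not None:
            alerts.append(alert)
    return alerts


def status_line(host: str, addr: str, count: int, t_seconds: int) -> str:
    """Constructed CEF rendering of an agent:043 event, using the standard CEF keys
    for the fields named in the thread (cn2, cs1, cs2, src, shost)."""
    return (f"CEF:0|ArcSight|ArcSight|7.0|agent:043|Connector Device Status|Low|"
            f"rt={t_seconds * 1000} shost={host} src={addr} cs1=Snort cs2=IDS cn2={count}")


# Constructed sample: seven 15-minute checks; ids-01 reports twice and then goes silent,
# ids-02 keeps reporting throughout.
T0 = 1_700_000_000
SAMPLE_EVENTS = []
for i in range(7):
    t = T0 + i * STATUS_INTERVAL_SECONDS
    SAMPLE_EVENTS.append(status_line("ids-01", "10.0.0.5", 120 if i < 2 else 0, t))
    SAMPLE_EVENTS.append(status_line("ids-02", "10.0.0.6", 80, t))

if __name__ == "__main__":
    for a in process(SAMPLE_EVENTS):
        print(f"{a.device}: silent since {a.last_reported}, TTL expired at {a.detected_at}")
```

On the sample, ids-01 last reports a non-zero count at the second check and its entry expires at the sixth check (60 minutes later), producing exactly one alert; the zero-count checks in between and the one after it produce nothing, which is the behaviour the OP wants instead of an alert on the first missed 15-minute interval. In the real product the rule on activelist:104 replaces `_expire_if_due`, and `sweep` stands in for the fact that the TTL fires whether or not any further agent:043 event arrives.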