Email notifications from Queries
So, I have a rule that populates an active list every time an IDS reports in. I then have a query that looks at the active list and hits when an active list entry hasn't been modified in an hour. This query then gets placed in a query viewer which then ends up in a dashboard...
My question is, how can I create content that will email a notification when an IDS hasn't reported in over an hour? There isn't a "Last Modified Time" in the rule's conditions. Any help would be very much appreciated!
Set up a 1h TTL on the active list. When the entry expires because it hasn't been updated in 1 hour, it will expire off the active list.
There will be an audit log created for that active list expiry which you can pick up with a rule and send an email notification.
I am not sure whether this is your scenario or not - but if what you are looking for is monitoring devices (your IDS in this situation) for flow of events, then I would use the built-in functionality of "Device Status Monitoring" and not create extra content for it.
How it works:
1. Go to your Connector -> Configure -> Default -> Processing -> Enable Device Status Monitoring (in millisec) - enter the time period over which you want it to report
2. Restart your connector
3. Search for events being generated at each period of time configured in step 1, by:
Name: Connector Device Status
Device Event Class ID: agent:043
What will happen is that for each device reporting to your connector, in the events above you will be able to see the name of the device and the number of events it sent Since Last Check:
Device Custom Number 2: Event Count SLC (since last check)
Device Custom String 1: Vendor
Device Custom String 2: Product
Attacker Address: device address
Attacker Host Name: device name
From this point you can just configure a rule to check for such events for your IDS device, and if Events SLC is zero, to raise an alert.
All the best,
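The two approaches above (a 1 h TTL on the active list, and a rule over the agent:043 "Connector Device Status" events) can be tried offline before building ESM content. The following is an added example, not ArcSight content and not code from anyone in this thread. It assumes status events are available as dicts keyed by camel-cased versions of the field names listed above (attackerHostName, deviceCustomNumber2 for Event Count SLC, and so on), with endTime as a timezone-aware datetime; the device names, addresses and counts are constructed. It shows the difference the last reply raises: firing on the first check with zero events versus firing only once a device has delivered nothing for a full hour.

```python
from datetime import datetime, timedelta, timezone

STATUS_EVENT_NAME = "Connector Device Status"
STATUS_CLASS_ID = "agent:043"


def status_event(ts, host, addr, slc):
    """Build one Device Status Monitoring event using the fields named above."""
    return {
        "name": STATUS_EVENT_NAME,
        "deviceEventClassId": STATUS_CLASS_ID,
        "endTime": ts,
        "attackerHostName": host,          # device name
        "attackerAddress": addr,           # device address
        "deviceCustomString1": "ExampleVendor",   # constructed vendor
        "deviceCustomString2": "ExampleIDS",      # constructed product
        "deviceCustomNumber2": slc,        # Event Count SLC (since last check)
    }


T0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
CHECK = timedelta(milliseconds=900000)   # the 900000 ms DSM interval from the thread

# Constructed sample: six checks (T0 .. T0+75 min) for four devices.
_SLC = {
    "ids-01": [120, 80, 0, 0, 0, 0],     # nothing delivered since T0+15 min
    "ids-02": [30, 40, 35, 50, 45, 60],  # healthy
    "ids-03": [50, 0, 0, 0, 0, 0],       # nothing delivered since T0
    "ids-04": [10, 12, 9, 11, 14, 0],    # only the latest interval missed
}
SAMPLE_EVENTS = [
    status_event(T0 + i * CHECK, host, f"10.0.0.{n}", slc)
    for n, (host, counts) in enumerate(_SLC.items(), start=1)
    for i, slc in enumerate(counts)
]
# An unrelated event that a rule filtering on name + class ID must ignore.
SAMPLE_EVENTS.append({"name": "Other", "deviceEventClassId": "x:1", "endTime": T0,
                      "attackerHostName": "ids-01", "attackerAddress": "10.0.0.1",
                      "deviceCustomNumber2": 0})


def is_status_event(ev):
    return (ev.get("name") == STATUS_EVENT_NAME
            and ev.get("deviceEventClassId") == STATUS_CLASS_ID)


def latest_status(events):
    """Most recent status event per device, keyed on Attacker Host Name."""
    latest = {}
    for ev in filter(is_status_event, events):
        host = ev["attackerHostName"]
        if host not in latest or ev["endTime"] > latest[host]["endTime"]:
            latest[host] = ev
    return latest


def zero_slc_now(events):
    """Devices whose latest check reported zero events.

    This is what a plain rule on Events SLC == 0 gives: it fires on the
    first missed interval."""
    return sorted(h for h, ev in latest_status(events).items()
                  if ev["deviceCustomNumber2"] == 0)


def last_active(events):
    """Per device, the last check at which it delivered events (SLC > 0).

    This plays the role of the active list entry's last-update time; under a
    1 h TTL the entry would expire when this falls more than an hour behind."""
    first_seen, active = {}, {}
    for ev in filter(is_status_event, events):
        host, ts = ev["attackerHostName"], ev["endTime"]
        first_seen[host] = min(first_seen.get(host, ts), ts)
        if ev["deviceCustomNumber2"] > 0:
            active[host] = max(active.get(host, ts), ts)
    # A device that never delivered anything counts as silent since first seen.
    return {h: active.get(h, first_seen[h]) for h in first_seen}


def silent_devices(events, now, window=timedelta(hours=1)):
    """Devices silent for longer than `window`: the alert the question asks for."""
    return sorted(h for h, ts in last_active(events).items() if now - ts > window)


if __name__ == "__main__":
    now = T0 + timedelta(minutes=90)
    print("zero SLC on latest check:", zero_slc_now(SAMPLE_EVENTS))
    print("silent > 1 h:", silent_devices(SAMPLE_EVENTS, now))
```

At T0+90 min, `zero_slc_now` reports ids-01, ids-03 and ids-04, while `silent_devices` with the one-hour window reports only ids-01 and ids-03; ids-04 has missed a single 15-minute interval and does not yet qualify. Widening the window to 80 minutes leaves only ids-03. In ESM the same distinction is what separates a rule on a single agent:043 event from a rule on the active list expiry audit event.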
Thanks for the reply, but this is something that I already utilize. We have active lists being populated with this feature and then queried to see if modifications are made within an hour, 24 hours, 48 hours and 72 hours. From what I understand, an alert could only be set up to notify on the first missed interval (we have a 900000ms interval). I need to be alerted once a device doesn't receive the DSM update after an hour.