Showing results for 
Search instead for 
Did you mean: 
Level 7

Automatic Responses for Threat events

Hey all,

I need some help.

I need an automatic response when at a client within 30 minutes, the event id 19115 (Device_PLUG) appears more than 5 times. How should it be done. Which Filter and Aggregation has to be defined?

At the moment I get mails, although the event only once per client appears.

Thanks for your help.

0 Kudos
1 Reply
McAfee Employee

Re: Automatic Responses for Threat events

Sounds like you are looking for aggregation.  'Trigger this response if multiple event occur within: 30 minutes' and 'When the number of events is at least: 5'

Grouping:  Group aggregated events by 'Machine name'

Throttling would control how often the email notification would be sent.  Device plug events can be generated fairly frequently depending on driver behavior so you may want to be careful setting that to something low.

0 Kudos