layer0
Level 8
Message 1 of 4

Alarm for Asset Vulnerable to event

Hello

I want to create an alarm for the event "Asset Vulnerable to Event", signature ID 306-10. I need to provide the following information: the IPS event that generated the rule and the vulnerability that is exploited. However, when I try to create the alarm:

arm: [$Alarm Name]

[$REPEAT_START]

[$SOURCE_EVENTS_START]

Rule Message: [$Rule Message]

Src IP: [$Source IP]

Dest IP: [$Destination IP]

Vulnerability: [$%Vulnerability_References]

[$SOURCE_EVENTS_END]

[$REPEAT_END]

When I received the event, the fields were all blank.

3 Replies
xded
Level 12
Message 2 of 4

Re: Alarm for Asset Vulnerable to event

Hi Layer0,

Try the same without:

[$SOURCE_EVENTS_START]

[$SOURCE_EVENTS_END]


This Start --> End block is only for correlation events, not for signature-ID-based alarms.

layer0
Level 8
Message 3 of 4

Re: Alarm for Asset Vulnerable to event

Thanks

But it didn't work; the alarm only shows information from the Asset Vulnerable to Event.

I am using this template:

**********************

Device: Local ESM

Rule Message: Asset Vulnerable to Event


[$SOURCE_EVENTS_START]

Device: Local ESM

Rule Message: Asset Vulnerable to Event

[$SOURCE_EVENTS_END]

**********************

For example, for the following event:

[Image: asset vulnerable.PNG]

The result is:

**********************

Device: Local ESM

Rule Message: Asset Vulnerable to Event

Device: Local ESM

Rule Message: Asset Vulnerable to Event

**********************

I need the rule message of the IPS event.

Is there a way?

xded
Level 12
Message 4 of 4

Re: Alarm for Asset Vulnerable to event

Try this one

[$REPEAT_START]

[$SOURCE_EVENTS_START]


[$%Signature_Name]

or

[$%Rule_Name]

[$SOURCE_EVENTS_END]

[$REPEAT_END]

