jp
Level 9
Message 1 of 3

Create Rule Based on LACK of data


The issue we are having is that there seems to be no way of telling when a critical asset stops sending logs to the SIEM. We recently had one of the high level engineers come to our company for a Q+A and he confirmed for us that this is the case.

As a workaround I am trying to create a Correlation rule with the following logic:

1. Sources are Critical Asset group

2. If there are < 5 events in 2 hrs trigger 

Seems to me that this should be an effective workaround - however, I cannot seem to remove the default "threshold" count of 1 from the rule. Because of that the rule will never trigger because it is ALWAYS expecting at least one event.

Does anyone know how I can solve this or do you have a workaround for this use case?

Thanks!

1 Solution

Accepted Solutions
akerr
Reliable Contributor
Message 2 of 3

Re: Create Rule Based on LACK of data


What we generally do is what we call idle alarms.

So for each data source, you can set inactivity settings (Receiver Properties -> Events Flows & Logs -> Inactivity Threshold).

You can set thresholds here for individual data sources, or let them inherit.  This determines how long without events a data source must go before it is considered Idle.

Now, create an alarm of type 'Device Status Change' looking for Idle Time. When the data source goes idle, the alarm will fire.

You can also use a Specified Event Rate alarm, but I prefer the Idle ones for the scenario you're describing.
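As an added illustration (not code from this thread and not part of McAfee ESM), the script below applies both approaches discussed above to a constructed set of log lines: the idle-alarm logic (a per-source inactivity threshold that overrides an inherited default, with a source that has never reported treated as idle) and the event-rate check from the original question (fewer than N events in a trailing window, where a count of zero is a valid trigger rather than something the rule cannot express). The source names, timestamps, asset list and threshold values are all made up for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log lines (not real SIEM data): "<ISO8601 UTC> source=<name> key=value ..."
SAMPLE_LOG = """\
2024-05-01T09:30:00Z source=dc01 event=logon user=alice
2024-05-01T10:15:00Z source=fw01 event=deny dst=10.0.0.5
2024-05-01T10:30:00Z source=vpn01 event=session_start user=bob
2024-05-01T11:00:00Z source=vpn01 event=session_end user=bob
2024-05-01T11:30:00Z source=fw01 event=deny dst=10.0.0.9
2024-05-01T11:40:00Z source=fw01 event=allow dst=10.0.0.9
2024-05-01T11:45:00Z source=fw01 event=deny dst=10.0.0.7
2024-05-01T11:50:00Z source=fw01 event=allow dst=10.0.0.7
2024-05-01T11:55:00Z source=fw01 event=deny dst=10.0.0.3
2024-05-01T11:58:00Z source=fw01 event=allow dst=10.0.0.3
"""

# Hypothetical "Critical Asset" group; edr01 is listed but never appears in the log.
CRITICAL_ASSETS = ["fw01", "dc01", "vpn01", "edr01"]
# Fixed evaluation time so the example is deterministic.
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)

# Inherited inactivity threshold, plus one per-source override (both made-up values).
DEFAULT_IDLE_THRESHOLD = timedelta(hours=2)
PER_SOURCE_IDLE_THRESHOLD = {"vpn01": timedelta(minutes=30)}
# Event-rate rule from the question: fewer than 5 events in 2 hours.
RATE_WINDOW = timedelta(hours=2)
MIN_EVENTS = 5


def parse_log(text):
    """Return {source: [timestamps]} from the constructed log format."""
    seen = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, rest = line.split(" ", 1)
        fields = dict(token.split("=", 1) for token in rest.split())
        ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        seen[fields["source"]].append(ts)
    return dict(seen)


def idle_sources(events, assets, now, default_threshold=DEFAULT_IDLE_THRESHOLD, per_source=None):
    """Idle-alarm logic: a source is idle once (now - last event) exceeds its threshold.

    Sources with an explicit entry in per_source use it; the rest inherit default_threshold.
    A source that has never sent anything is reported as idle with a silence of None.
    Returns {source: silence_duration_or_None} for idle sources only.
    """
    if per_source is None:
        per_source = PER_SOURCE_IDLE_THRESHOLD
    idle = {}
    for src in assets:
        threshold = per_source.get(src, default_threshold)
        last = max(events.get(src, []), default=None)
        silent_for = (now - last) if last is not None else None
        if silent_for is None or silent_for > threshold:
            idle[src] = silent_for
    return idle


def low_rate_sources(events, assets, now, window=RATE_WINDOW, min_events=MIN_EVENTS):
    """Event-rate logic: count events per source in (now - window, now].

    Returns {source: count} for every monitored source below min_events,
    including sources with zero events, which is the case the question needed.
    """
    start = now - window
    counts = {
        src: sum(1 for t in events.get(src, []) if start < t <= now)
        for src in assets
    }
    return {src: n for src, n in counts.items() if n < min_events}


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for src, silence in idle_sources(events, CRITICAL_ASSETS, NOW).items():
        print(f"IDLE      {src}: silent for {silence if silence else 'ever (never reported)'}")
    for src, n in low_rate_sources(events, CRITICAL_ASSETS, NOW).items():
        print(f"LOW RATE  {src}: {n} events in last {RATE_WINDOW}")
```

Running it flags dc01 and edr01 as idle under the inherited 2-hour threshold, adds vpn01 once its 30-minute override applies, and the rate check reports dc01, vpn01 and edr01 with 0, 2 and 0 events respectively, while fw01 (7 events) passes both checks. The difference between the two results shows why the idle alarm and the event-rate alarm answer slightly different questions: vpn01 is still "alive" under the inherited threshold but is clearly quieter than the rate rule expects.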

2 Replies
jp
Level 9
Message 3 of 3

Re: Create Rule Based on LACK of data

Thank you so much! That one has been driving me crazy for a while!