
Creating Alarm

I want to create an alarm which will fire when the number of events is below a threshold, BUT this alarm should be enabled from Monday to Friday, 10 AM to 5 PM.

How can I configure that alarm?

6 Replies
Message 2 of 7

Re: Creating Alarm

There is a time attribute condition which you can set as part of the rule logic that defines day of the week and time of the day.


Re: Creating Alarm

I want to set an alarm: if "Total Collection rate per Second" is less than 500 on Mon to Friday from 10 AM to 5 PM, then trigger an alarm. I need guidance on two things:

1) Here I am able to set it only based on baseline, but not on a fixed value. How can I do that?

2) I am not able to see the time attribute. Where can I set it?

Message 4 of 7

Re: Creating Alarm

Do you have an ACE or correlation engine?


Re: Creating Alarm

We have a correlation engine.

Message 6 of 7

Re: Creating Alarm

Mmm. rth67 is correct; there are some system built-in alarms that you can't rewrite in the correlation engine.

Maybe, 1. Configure the variable date/time to your environment.

2. Create a correlation rule with total event count and put the above variable to use.

Message 7 of 7

Re: Creating Alarm

Are you talking about the "Application" variables like "DAY_START", "DAY_END", "HOUR_START" and "HOUR_END"?

I have seen those used in the canned ACE correlation rules. As we have operations all over, and on multiple shifts, they are not very useful.

Never tried incorporating those into any of my custom correlation rules.

There are times when we would want to be texted instead of emailed, if it were outside of our normal business hours (for SIEM support team), versus just an email. But that would be something like a Deviation from Baseline, Device Failure, etc., which are alarms that I don't believe can be duplicated into ACE rules. They simply need to add check boxes and time start / stop options to the Alarm action tab if you ask me; sounds like another PER/Idea.
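The logic the thread is asking for (fixed threshold of 500 events per second, evaluated only Monday to Friday, 10 AM to 5 PM), written out as an added example that is not part of any post above and is not ESM or ACE configuration. The site UTC offset, the three-sample debounce and the sample readings are assumptions made for the illustration.

```python
from datetime import datetime, time, timedelta, timezone

THRESHOLD = 500                              # events/s, fixed value from the thread
WINDOW_DAYS = range(0, 5)                    # Monday=0 .. Friday=4
WINDOW_START, WINDOW_END = time(10, 0), time(17, 0)
SITE_TZ = timezone(timedelta(hours=-5))      # hypothetical fixed site offset

def in_window(ts):
    """True if an aware timestamp is inside the alarm window (5 PM exclusive)."""
    local = ts.astimezone(SITE_TZ)
    return (local.weekday() in WINDOW_DAYS
            and WINDOW_START <= local.time() < WINDOW_END)

def evaluate(samples, min_consecutive=3):
    """Return the timestamps at which the alarm fires.

    samples: (aware datetime, collection rate) pairs in time order.
    The alarm fires once per run, when the rate has stayed below THRESHOLD
    for min_consecutive samples inside the window. A sample outside the
    window or at/above the threshold resets the run.
    """
    fired, run = [], 0
    for ts, rate in samples:
        if in_window(ts) and rate < THRESHOLD:
            run += 1
            if run == min_consecutive:
                fired.append(ts)
        else:
            run = 0
    return fired

def _utc(day, hour, minute):
    return datetime(2024, 3, day, hour, minute, tzinfo=timezone.utc)

# Constructed readings (UTC). 2024-03-04 is a Monday, 2024-03-09 a Saturday.
SAMPLES = [
    (_utc(4, 14, 58), 100),   # Mon 09:58 local: low rate, but before the window
    (_utc(4, 15, 0), 450),    # Mon 10:00 local: run starts
    (_utc(4, 15, 1), 480),
    (_utc(4, 15, 2), 490),    # third low sample in the window: alarm fires
    (_utc(4, 15, 3), 300),    # same run, no second alarm
    (_utc(4, 15, 4), 900),    # rate recovered, run resets
    (_utc(8, 21, 58), 100),   # Fri 16:58 local
    (_utc(8, 21, 59), 100),   # Fri 16:59 local
    (_utc(8, 22, 0), 100),    # Fri 17:00 local: window closed, run resets
    (_utc(9, 17, 0), 0), (_utc(9, 17, 1), 0), (_utc(9, 17, 2), 0),  # Saturday
]

if __name__ == "__main__":
    for ts in evaluate(SAMPLES):
        print("ALARM", ts.astimezone(SITE_TZ).isoformat())
```

A fixed offset ignores daylight saving changes, so the window edges shift by an hour for part of the year unless the offset is updated.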
