I want to create an alarm which will fire when the number of events below threshold BUT, this alarm should be enabled From Monday to Friday 10 AM to 5 PM.
How can I configure that alarm?
I want to set an alarm if "Total Collection rate per Second " is less than 500 on Mon to Friday from 10 AM to 5 PM then trigger an alarm. I need guidance in two things
1) Here I am able to set only based on baseline, But not on fixed value How can I do that?
2) I am not able to see tIme attribute, where Can I set it?
Mmm. rth67 is correct, there are some system built-in alarms that you can't rewrite in correlation engine.
Maybe, 1. configure the variable date/time to your environment.
2. create a correlation rule with total event count and put in use the above variable.
Are you talking about the "Application" Variables like "DAY_START" "DAY_END" "HOUR_START" and "HOUR_END"
I have seen those used in the canned ACE Correlation Rules, as we have operations all over, and on multiple shifts, they are not very useful.
Never tried incorporating those in to any of my custom correlation rules.
There are times when we would want to be texted instead of emailed, if it were outside of our normal business hours (for SIEM support team), versus just an email. But that would be something like a Deviation from Baseline, Device Failure, etc. which are alarms that I don't believe can be duplicated in to ACE rules. They simply need to add check boxes and time start / stop options to the Alarm action tab if you ask me, sounds like another PER/Idea.