docdriza
Level 10
Message 1 of 10

Device Status: Inactive

I am looking to create an alarm for my operations people for the ESM. For any data source that has been inactive for more than 12 hours, I would like to create an alarm to send all systems that have been inactive. Has anyone had any experience with this?

1 Solution

Accepted Solutions
docdriza
Level 10
Message 8 of 10

Re: Device Status: Inactive

There is no alarm for this. I had to set the inactivity timer for 24 hours. I'm not sure if there is one, but a PER will need to be created. Since I log into our SIEM every day, having the inactivity timer at 24 hours works for me at this time.

9 Replies
McAfee Employee
Message 2 of 10

Re: Device Status: Inactive

Hello, what you would want to do is to create a new alarm with a condition of "Device Status Change". You can then select "idle time" as the item to monitor and it would trigger the alert if any data source gets a yellow flag for excessive idle time. You could do the same for any flags in general, yellow warning, red critical, etc. You can then add your email address to the actions tab to generate an email for yourself or your group's distribution list to be notified. Good luck!

Mike

docdriza
Level 10
Message 3 of 10

Re: Device Status: Inactive

Apparently this does not work. I just got an alert for a system where there are logs. I have the idle time set for 24 hours within the alert.

paider
Level 7
Message 4 of 10

Re: Device Status: Inactive

Did you get this working? If so, how did you set it up?

poezie
Level 9
Message 5 of 10

Re: Device Status: Inactive

Did this ever work?

docdriza
Level 10
Message 6 of 10

Re: Device Status: Inactive

I just set the inactivity timer for all devices to 24 hours. No alert was created.

Re: Device Status: Inactive

Was anyone successful in doing this?

Re: Device Status: Inactive

What is the "Device Status" alarm used for then?

If a device becomes inactive as per its Inactivity setting, the status of that device becomes Inactive.

docdriza
Level 10
Message 10 of 10

Re: Device Status: Inactive

I see what you are talking about. It looks like this is new. I'll see if this works well.
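
An added example, not part of the thread and not McAfee ESM code: an independent check for the condition asked about in the first post, listing every data source whose last event is older than 12 hours so the list can be mailed to operations. The CSV layout, column names, source names and timestamps are constructed assumptions, not an ESM export format.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample inventory (an assumed layout, not an ESM export format):
# last_event_utc is blank if the source never sent an event; max_idle_hours
# optionally overrides the default limit for that source.
SAMPLE_INVENTORY = """name,last_event_utc,max_idle_hours
fw-edge-01,2024-05-02T07:30:00+00:00,
dc-01,2024-05-01T18:00:00+00:00,
proxy-02,2024-05-01T19:00:00+00:00,24
ids-lab,,
"""

DEFAULT_MAX_IDLE = timedelta(hours=12)  # the 12-hour limit from the question


def find_inactive(inventory_csv, now, default_max_idle=DEFAULT_MAX_IDLE):
    """Return [(name, idle)] for sources past their limit; idle is None if never seen."""
    inactive = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        override = (row.get("max_idle_hours") or "").strip()
        limit = timedelta(hours=float(override)) if override else default_max_idle
        stamp = (row.get("last_event_utc") or "").strip()
        if not stamp:
            inactive.append((row["name"], None))
            continue
        last = datetime.fromisoformat(stamp)
        if last.tzinfo is None:  # treat naive timestamps as UTC
            last = last.replace(tzinfo=timezone.utc)
        idle = now - last
        if idle > limit:
            inactive.append((row["name"], idle))
    # Never-seen sources first, then longest idle time first.
    inactive.sort(key=lambda s: (s[1] is not None, -(s[1] or timedelta()).total_seconds()))
    return inactive


def format_report(inactive):
    """One line per inactive source, suitable for an e-mail body."""
    return "\n".join(
        f"{name}: no events ever received" if idle is None
        else f"{name}: idle {idle.total_seconds() / 3600:.1f} h"
        for name, idle in inactive
    )


if __name__ == "__main__":
    fixed_now = datetime(2024, 5, 2, 8, 0, tzinfo=timezone.utc)  # constructed clock
    print(format_report(find_inactive(SAMPLE_INVENTORY, fixed_now)))
```

The per-source override keeps a source that legitimately reports once a day (proxy-02 in the sample) out of the report, while a source that has never sent an event is listed first.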