In McAfee SIEM V11.3 I have a Device Health alert put in place with a Maximum Condition Trigger Frequency of 10 mins. For the ERC, the Inactivity threshold is set to 1 hour (this should not have any connection to a Healthmon status change). But around every 4 hours, almost like a morning alarm, the ERC triggers the Device Health alert. The ERC status changes to Critical for a couple of minutes and goes back to normal afterwards.
I want to try and look into what may be causing the issue. I took the log files from the ERC but got lost in there. Does anybody have any suggestions on where to look for possible clues?
Thanks for the suggestion. For the device log, I have gathered data from the ERC, but kind of lost track of the structure of the folder and the files inside, as it has log data for different aspects. Is there any particular log file that might have indications of the issue?