I created an Alarm from a Watchlist that is not firing. I created a static Watchlist that contains the MAC addresses of PCs we want to monitor. The Alarm is set to fire off every time DHCP releases an IP to any of the MAC addresses in the Watchlist (e.g. a user moves from his desk to a conference room and gets a new IP). I've gone through KB79278 (https://kc.mcafee.com/corporate/index?page=content&id=KB79278&actp=LIST), so filtering on a MAC address should be a non-issue. Below is a screenshot of the Alarm I have created. Any suggestions would be greatly appreciated. Thanks!
I get the same result. I submitted an SR online, and noticed there is an issue with field match custom alarms not triggering, that should be resolved in 9.4.1 20141017 (9.4.1 Maintenance Release 2). I'm currently running 9.4.1 20140930 (Maintenance Release 1). I'm not sure if this is the same issue, as I don't think this is a custom correlation rule (See KB83491). I'll let you know what I learn.
Try putting both the conditions in the same section so you end up with a single 'box' (or whatever they call them).
I've had similar experiences and it looks like the first match consumes the event.
I'd forgotten about that user interface 'quirk'.
If the correlation rule is working you can trigger the alarm off that. If you are just using the alarm to update a watchlist with the PC IP that should be good enough.
We have a similar issue with wandering laptops and I've been using the host name as the key in Views to track the IP address from DHCP, ePO and anything else that has both Host and IP address in the event.
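Outside the product, the matching this thread is trying to get ESM to do can be checked in a few lines of Python. This is an added example, not code posted in the thread and not part of McAfee ESM: the event records and watchlist entries are constructed sample data, and the field names (host, mac, ip, src) are assumptions rather than ESM's field names. It shows the original poster's MAC-watchlist match against DHCP events, the hostname-keyed IP tracking described in the post above, and why a raw string compare on MAC addresses misses events written in a different notation (dashes, dots, different case), which is the kind of thing worth ruling out before blaming a field-match bug.

```python
import re

# Constructed sample events (not from the thread): DHCP leases plus one ePO
# record, with the same MAC written in several common notations.
SAMPLE_EVENTS = [
    {"host": "LAPTOP-A",  "mac": "00:1A:2B:3C:4D:5E", "ip": "10.0.1.20", "src": "dhcp"},
    {"host": "LAPTOP-A",  "mac": "00-1a-2b-3c-4d-5e", "ip": "10.0.7.55", "src": "dhcp"},
    {"host": "DESKTOP-B", "mac": "001a.2b3c.4d60",    "ip": "10.0.1.31", "src": "dhcp"},
    {"host": "DESKTOP-B", "mac": "00:1A:2B:3C:4D:60", "ip": "10.0.1.31", "src": "epo"},
    {"host": "LAPTOP-C",  "mac": "00:1A:2B:3C:4D:99", "ip": "10.0.2.10", "src": "dhcp"},
]

# Constructed static watchlist, deliberately in two notations.
WATCHLIST = ["00:1A:2B:3C:4D:5E", "00-1A-2B-3C-4D-60"]


def normalize_mac(mac):
    """Reduce any common MAC notation to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % mac)
    return digits.lower()


def naive_alarms(events, watchlist):
    """Field match the way a literal string compare would do it.

    Returns (host, ip) for DHCP events whose mac field is byte-for-byte
    equal to a watchlist entry. Events in another notation are missed.
    """
    wl = set(watchlist)
    return [(e["host"], e["ip"]) for e in events
            if e["src"] == "dhcp" and e["mac"] in wl]


def normalized_alarms(events, watchlist):
    """Same alarm, but with both sides normalized before comparing.

    Returns (host, normalized mac, ip) for every DHCP lease handed to a
    watchlisted MAC, i.e. the event the original poster wants to alarm on.
    """
    wl = {normalize_mac(m) for m in watchlist}
    hits = []
    for e in events:
        if e["src"] != "dhcp":
            continue
        mac = normalize_mac(e["mac"])
        if mac in wl:
            hits.append((e["host"], mac, e["ip"]))
    return hits


def last_ip_by_host(events):
    """Track the current IP per hostname across every source that carries
    both a host and an IP (DHCP, ePO, ...), as the post above describes.
    Later events overwrite earlier ones, so a wandering laptop ends up with
    its most recent address."""
    current = {}
    for e in events:
        current[e["host"]] = e["ip"]
    return current


if __name__ == "__main__":
    print("naive matches:     ", naive_alarms(SAMPLE_EVENTS, WATCHLIST))
    print("normalized matches:", normalized_alarms(SAMPLE_EVENTS, WATCHLIST))
    print("current IP by host:", last_ip_by_host(SAMPLE_EVENTS))
```

On the sample data the naive compare finds only the one lease whose MAC is written exactly as in the watchlist, while the normalized compare finds all three leases to the two watched machines, including the conference-room move of LAPTOP-A to 10.0.7.55. If the real events and watchlist entries use different MAC notations, that alone explains a silent field match, independent of any product bug.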
Did you get any further with support? I'm having the same (or at least I think it is) problem with 9.4.2 20150127.
I'm trying to leverage GTI and some other third-party blocklists pulled in with SMB (the PowerShell posted on this forum works perfectly to update these, by the way) against our web filtering, and alarm if any traffic is missed and passed to bad IPs.
I've tried this as per the OP's screenshot and can also find the events using filters, yet the Alarm never fires, whether using Event Subtypes or sig IDs to match the events. This only happens with Field Match; using Internal Event match to fire on a single watchlist works fine.