mcgarl1
Level 9
Message 1 of 14

Help with an Alarm

I created an Alarm from a Watchlist that is not firing. I created a static Watchlist that contains the MAC addresses of PCs we want to monitor. The Alarm is set to fire off every time DHCP releases an IP to any of the MAC addresses in the Watchlist (Ex: a user moves from his desk to a conference room and gets a new IP). I've gone through KB79278 (https://kc.mcafee.com/corporate/index?page=content&id=KB79278&actp=LIST), so filtering on a MAC address should be a non-issue. Below is a screenshot of the Alarm I have created. Any suggestions would be greatly appreciated. Thanks!

[Screenshot attached: DHCP Alarm.PNG]

13 Replies

Re: Help with an Alarm

Hey!

Does it trigger in a view?  I.e. if you put both the Signature ID & Destination MAC in the filters?

Thanks

Mark

mcgarl1
Level 9
Message 3 of 14

Re: Help with an Alarm

I can find the event when I search for it via filters, but the Alarm doesn't ever fire when the event occurs.

Re: Help with an Alarm

What happens if you select create new alarm from the returned events from the view?

Mark

mcgarl1
Level 9
Message 5 of 14

Re: Help with an Alarm

I get the same result. I submitted an SR online, and noticed there is an issue with field match custom alarms not triggering, that should be resolved in 9.4.1 20141017 (9.4.1 Maintenance Release 2). I'm currently running 9.4.1 20140930 (Maintenance Release 1). I'm not sure if this is the same issue, as I don't think this is a custom correlation rule (See KB83491). I'll let you know what I learn.

acommons
Level 10
Message 6 of 14

Re: Help with an Alarm

Try putting both the conditions in the same section so you end up with a single 'box' (or whatever they call them).

I've had similar experiences and it looks like the first match consumes the event.

mcgarl1
Level 9
Message 7 of 14

Re: Help with an Alarm

Thanks Acommons. I can't seem to accomplish that in the actual Alarm. They are in the same "box" in the Correlation rule, however.

acommons
Level 10
Message 8 of 14

Re: Help with an Alarm

I'd forgotten about that user interface 'quirk'.

If the correlation rule is working you can trigger the alarm off that. If you are just using the alarm to update a watchlist with the PC IP that should be good enough.

We have a similar issue with wandering laptops and I've been using the host name as the key in Views to track the IP address from DHCP, ePO and anything else that has both Host and IP address in the event.
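The two approaches discussed in this thread (the OP's alarm on DHCP leases to watchlisted MACs, and acommons' hostname-keyed tracking of wandering laptops) can be checked outside the SIEM. The script below is an added example written for this page; it is not ESM code and not a reproduction of anything in the thread. It assumes a simplified DHCP-server log format (the sample lines are constructed for the example) and that watchlist entries may be pasted in any of the common MAC spellings, which is one thing worth ruling out when a field match never fires: the watchlist value and the event field must agree byte for byte unless the product normalizes them.

```python
import re
from dataclasses import dataclass

# Constructed sample events in a simplified DHCP-server style log (not real data).
SAMPLE_DHCP_LOG = """\
2014-10-20 08:01:12 DHCPACK on 10.1.20.15 to 00:1a:2b:3c:4d:5e (wkstn-042) via eth0
2014-10-20 08:03:45 DHCPACK on 10.1.20.16 to 00-1A-2B-3C-4D-5F (wkstn-043) via eth0
2014-10-20 09:17:03 DHCPRELEASE of 10.1.20.15 from 00:1a:2b:3c:4d:5e (wkstn-042) via eth0
2014-10-20 09:18:30 DHCPACK on 10.1.30.77 to 001a.2b3c.4d5e (wkstn-042) via eth1
2014-10-20 09:20:01 DHCPACK on 10.1.30.78 to 00:aa:bb:cc:dd:ee (visitor-1) via eth1
"""

# Static watchlist as an operator might paste it: mixed case, mixed separators.
WATCHLIST_RAW = ["00:1A:2B:3C:4D:5E", "00-1a-2b-3c-4d-5f"]

# Hypothetical line layout: "<date> <time> <DHCPxxx> on|of <ip> to|from <mac> (<host>) ..."
LEASE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<type>DHCP[A-Z]+) (?:on|of) (?P<ip>\d+\.\d+\.\d+\.\d+) "
    r"(?:to|from) (?P<mac>\S+) \((?P<host>[^)]+)\)"
)


def normalize_mac(mac):
    """Canonical form: lowercase hex, colon separated. Returns None if not a MAC.
    Accepts aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF and Cisco-style aabb.ccdd.eeff."""
    hexdigits = re.sub(r"[^0-9a-f]", "", mac.lower())
    if len(hexdigits) != 12:
        return None
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


@dataclass
class Event:
    ts: str
    kind: str   # DHCPACK, DHCPRELEASE, ...
    ip: str
    mac: str    # already normalized
    host: str


def parse_dhcp_log(text):
    """Parse the constructed log format into Event records, skipping unparseable lines."""
    events = []
    for line in text.splitlines():
        m = LEASE_RE.match(line)
        if not m:
            continue
        mac = normalize_mac(m["mac"])
        if mac is None:
            continue
        events.append(Event(m["ts"], m["type"], m["ip"], mac, m["host"]))
    return events


def alarm_on_watchlist(events, watchlist_raw, trigger_types=("DHCPACK",)):
    """Return (alarms, host_to_ip).

    alarms: one tuple per lease grant whose MAC is on the watchlist (the OP's alarm).
    host_to_ip: latest IP seen per hostname across all grants (acommons' approach),
    so a roaming laptop's current address can be looked up by name.
    """
    watchlist = {normalize_mac(w) for w in watchlist_raw} - {None}
    alarms = []
    host_to_ip = {}
    for ev in events:
        if ev.kind not in trigger_types:
            continue                       # releases and NAKs do not fire the alarm
        host_to_ip[ev.host] = ev.ip
        if ev.mac in watchlist:
            alarms.append((ev.ts, ev.mac, ev.host, ev.ip))
    return alarms, host_to_ip


if __name__ == "__main__":
    alarms, hosts = alarm_on_watchlist(parse_dhcp_log(SAMPLE_DHCP_LOG), WATCHLIST_RAW)
    for a in alarms:
        print("ALARM watched MAC %s (%s) leased %s at %s" % (a[1], a[2], a[3], a[0]))
    print("current host->IP map:", hosts)
```

With the constructed input, the alarm fires three times (twice for wkstn-042, whose MAC appears in two different spellings, once for wkstn-043), never for the DHCPRELEASE line or the unlisted visitor, and the host map ends with wkstn-042 at its conference-room address 10.1.30.77.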

mcgarl1
Level 9
Message 9 of 14

Re: Help with an Alarm

I contacted support. The phone tech couldn't figure this out either. It has been escalated. I'll keep everyone posted.

jon286
Level 9
Message 10 of 14

Re: Help with an Alarm

Did you get any further with support? I'm having the same (or at least I think it is) problem with 9.4.2 20150127.

I'm trying to leverage GTI and some other third-party blocklists pulled in with SMB (the PowerShell script posted on this forum works perfectly to update these, by the way) against our web filtering, and alarm if any traffic is missed and passed to bad IPs.

I've tried this as per the OP screenshot and can also find the events using filters, yet the Alarm never fires, either using Event Subtypes or sig IDs to match the events. This only happens with Field Match; using Internal Event match to fire on a single watchlist works fine.
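The check jon286 describes (blocklisted destination IPs that the web filter let through) is a different matching problem from the MAC watchlist, because reputation feeds usually mix single addresses with CIDR ranges, which a plain field-equals comparison will never hit. The script below is an added example for this page, not ESM code and not the PowerShell updater mentioned above; the feed entries and proxy log lines are constructed, and the key=value log layout and the ALLOWED/BLOCKED action names are assumptions.

```python
import ipaddress

# Constructed blocklist feeds (not GTI data): plain hosts mixed with CIDR ranges.
BLOCKLIST_FEEDS = {
    "feed-a": ["203.0.113.5", "203.0.113.6", "198.51.100.0/24"],
    "feed-b": ["203.0.113.5", "192.0.2.128/25", "not an address"],
}

# Constructed web-filter/proxy log: the verdict the filter gave each outbound connection.
SAMPLE_PROXY_LOG = """\
2015-02-01T10:00:01Z src=10.1.20.15 dst=203.0.113.5 dport=443 action=BLOCKED
2015-02-01T10:00:07Z src=10.1.20.16 dst=198.51.100.77 dport=80 action=ALLOWED
2015-02-01T10:00:09Z src=10.1.30.77 dst=93.184.216.34 dport=443 action=ALLOWED
2015-02-01T10:00:12Z src=10.1.20.16 dst=192.0.2.200 dport=8080 action=ALLOWED
2015-02-01T10:00:15Z src=10.1.20.16 dst=192.0.2.20 dport=8080 action=ALLOWED
"""


def load_blocklist(feeds):
    """Flatten feeds into (network, feed_name) pairs; a bare IP becomes a /32.
    Malformed entries are skipped rather than aborting the whole load."""
    nets = []
    for name, entries in feeds.items():
        for entry in entries:
            try:
                nets.append((ipaddress.ip_network(entry.strip(), strict=False), name))
            except ValueError:
                continue
    return nets


def find_feeds(ip, blocklist):
    """Names of every feed whose entries contain ip (CIDR-aware), sorted for stable output."""
    addr = ipaddress.ip_address(ip)
    return sorted({name for net, name in blocklist if addr in net})


def parse_proxy_log(text):
    """Parse 'ts key=value key=value ...' lines into dicts (assumed layout)."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        fields = dict(kv.split("=", 1) for kv in parts[1:] if "=" in kv)
        fields["ts"] = parts[0]
        rows.append(fields)
    return rows


def missed_by_filter(rows, blocklist):
    """Alarm condition: destination is on a blocklist AND the filter allowed the connection.
    Blocked connections to bad IPs are expected behaviour and are not reported."""
    hits = []
    for r in rows:
        feeds = find_feeds(r["dst"], blocklist)
        if feeds and r.get("action") == "ALLOWED":
            hits.append((r["ts"], r["src"], r["dst"], feeds))
    return hits


if __name__ == "__main__":
    bl = load_blocklist(BLOCKLIST_FEEDS)
    for ts, src, dst, feeds in missed_by_filter(parse_proxy_log(SAMPLE_PROXY_LOG), bl):
        print("ALARM %s %s -> %s allowed despite listing in %s" % (ts, src, dst, ",".join(feeds)))
```

On the constructed input only two lines alarm: the allowed connection into the 198.51.100.0/24 range from feed-a, and the allowed connection to 192.0.2.200 inside feed-b's /25. The blocked connection to 203.0.113.5 is on both feeds but is not reported, and 192.0.2.20 falls outside the /25 and is clean.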