Our company was in the process of configuring correlation rules. Because of this, a lot of false alarms went off that we now want to mark as "acknowledged" (the top right of the UI shows +99).
The triggered alarms screen shows only 100 alarms, and clicking "toggle acknowledged" for each block takes a lot of time (there are more than one hundred thousand).
Is there a way to mark and acknowledge them in bulk?
Is it possible to configure the screen to show more records at once?
Version = ESM 11.1.3
Thanks in advance.
3 Questions - 3 Answers:
1- It's not possible to increase the number beyond 100.
2- In the Configuration Alarms GUI, go to the "Action" tab and check the "Auto Acknowledged alarm" option.
3- In the Triggered Alarm GUI, press the Alarm icon on the header of the table (first column from the left). That will sort the table so all of the unacknowledged alarms are grouped together. Then pick the first one, scroll to the bottom of the page, press and hold "SHIFT" and click on the last alarm on the page; you will see that all the alarms on the page are selected. Go up to the upper left and click on the menu / settings > acknowledge.
You will need to skip to the next page and do the same until you are finished.
If you have a large number of triggered alarms (it would take hours and hours to close them by hand), there is a command you can run to acknowledge all of the open triggered alarms. If you call support, they can walk you through doing it.
Adding my 4 cents to this discussion.
There is a much simpler and more straightforward way to acknowledge all alarms based on filters. You can use `msiem`, the ESM API CLI wrapper: https://github.com/mfesiem/msiem
E.g., if you want to acknowledge all alarms matching "IPS Alarm" triggered in the last 3 days by events from 10.0.0.1 to 10.0.0.2, you would run:

```
msiem alarms --page_size 1000 --pages 10 --status unacknowledged -t LAST_3_DAYS --action acknowledge --filters "alarmName=IPS Alarm" --event_filters srcIp=10.0.0.1 destIp=10.0.0.2
# Load up to 10 000 unacknowledged alarms
# Then apply filter(s) as regex
# Then print alarms and confirm acknowledge action with user
```
```
#nsql /usr/local/ess/data/connect_esm.sql
>UPDATE TriggeredAlarm SET TriggeredAlarm.AckDate = '10/04/2020 14:38:55.000', TriggeredAlarm.AckUserID = 1, TriggeredAlarm.Status = 1, TriggeredAlarm.AckUserName = 'NGCP' WHERE TriggeredAlarm.Status = 2
```
Just make sure you update the current time to whatever it is currently (UTC).
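As an added illustration of the SQL approach above (not code from this thread, and not the real ESM schema): it builds the AckDate string for the current UTC time in the format the post uses (assuming month/day/year order), runs the same update as a parameterized statement against a constructed SQLite stand-in for TriggeredAlarm (status codes 2 = open and 1 = acknowledged are assumed from the post), and returns the number of rows changed so the count can be sanity-checked before doing it for real.

```python
import sqlite3
from datetime import datetime, timezone

# Assumed from the post's WHERE/SET clauses: 2 = open (unacknowledged), 1 = acknowledged.
STATUS_OPEN = 2
STATUS_ACKNOWLEDGED = 1

# Constructed timestamp matching the literal in the post, so the format can be checked.
SAMPLE_NOW = datetime(2020, 10, 4, 14, 38, 55, tzinfo=timezone.utc)


def ack_timestamp(now: datetime) -> str:
    """Render an aware datetime as the AckDate string used in the post, in UTC.

    Month/day/year order is an assumption; the post's value '10/04/2020' is ambiguous.
    A naive datetime is rejected so a local-time value never ends up in the column."""
    if now.tzinfo is None:
        raise ValueError("pass a timezone-aware datetime so the value is unambiguously UTC")
    return now.astimezone(timezone.utc).strftime("%m/%d/%Y %H:%M:%S") + ".000"


def acknowledge_open_alarms(conn: sqlite3.Connection, user_id: int, user_name: str, now: datetime) -> int:
    """Acknowledge every open alarm in one parameterized UPDATE; return rows changed."""
    cur = conn.execute(
        "UPDATE TriggeredAlarm SET AckDate = ?, AckUserID = ?, Status = ?, AckUserName = ? "
        "WHERE Status = ?",
        (ack_timestamp(now), user_id, STATUS_ACKNOWLEDGED, user_name, STATUS_OPEN),
    )
    conn.commit()
    return cur.rowcount


def sample_db() -> sqlite3.Connection:
    """Constructed stand-in table with only the columns the post names (not the ESM schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE TriggeredAlarm (ID INTEGER PRIMARY KEY, Status INTEGER, "
                 "AckDate TEXT, AckUserID INTEGER, AckUserName TEXT)")
    # Three open alarms and one that is already acknowledged; only the open ones should change.
    conn.executemany("INSERT INTO TriggeredAlarm (ID, Status) VALUES (?, ?)",
                     [(1, STATUS_OPEN), (2, STATUS_OPEN), (3, STATUS_ACKNOWLEDGED), (4, STATUS_OPEN)])
    return conn


def run_demo(now: datetime = SAMPLE_NOW):
    """Return (rows changed, open rows remaining, AckDate written to row 1) for the sample table."""
    conn = sample_db()
    changed = acknowledge_open_alarms(conn, 1, "NGCP", now)
    remaining = conn.execute("SELECT COUNT(*) FROM TriggeredAlarm WHERE Status = ?", (STATUS_OPEN,)).fetchone()[0]
    ack_date = conn.execute("SELECT AckDate FROM TriggeredAlarm WHERE ID = 1").fetchone()[0]
    return changed, remaining, ack_date


if __name__ == "__main__":
    print(run_demo(datetime.now(timezone.utc)))
```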