I am new to McAfee SIEM and I know there is an inactivity threshold and an alert that can be generated. But I want to create an inactivity dashboard to better troubleshoot the issues on a daily basis. Could you please help me create such a dashboard?
Basically I want a dashboard which can show me all the hosts or devices not reporting to ESM from the last 24 hours.
What you could do is each time you see a new device, add it to a watch list, and then do a NOT in device list in a view? I'm not sure how feasible this would be, especially on a large network. For a small network it may be straightforward.
You should be able to just run a report that shows the Data Source event counts for the past X hours, then just pluck out the ones with zero events.
But you can't because some programmer thought it would be best to drop any Data Source from a Count Report that happens to have a count = 0.
We have pleaded with them for years now to change this behavior but they don't seem to get how critically important it is to identify data sources that have gone dark and how there is no practical means in the product to do this especially in a large scale deployment.
We have resorted to using scripting that blends together Receiver Exports, ESM Last Event Received Reports, and ELM Stat Files and spits out a tidy spreadsheet that easily identifies Data Sources that have gone dark.
I have both written API scripts to do this and requested a feature, which was actually implemented. Under System Properties | View Reports, you're able to see all of the data sources and the last time they reported. You can export this as well.
If you're interested in an API script, I did something for 9.x (not yet updated) at: GitHub - andywalden/esm-check-ds: Check ESM data sources for inactivity
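An added illustration of the approach the replies describe (not code from the thread, from McAfee, or from the linked repository): join a full data-source inventory against a "last event received" style export and flag anything silent for more than 24 hours. The CSV column names (`name`, `ip`, `last_event`) and both sample files are constructed assumptions; a source missing from the report entirely is treated as dark, which is exactly the zero-count case the count report drops.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample: a data-source inventory export (assumed columns).
INVENTORY_CSV = """name,ip
fw-edge-01,10.0.0.1
dc-01,10.0.0.10
web-03,10.0.0.30
vpn-01,10.0.0.40
"""

# Constructed sample: a last-event-received report (assumed columns, UTC).
# web-03 is absent, as a zero-count source would be in a count report.
LAST_EVENT_CSV = """name,last_event
fw-edge-01,2024-05-02 09:15:00
dc-01,2024-04-30 22:00:00
vpn-01,2024-05-02 08:59:30
"""

# Constructed "current time" so the run is reproducible offline.
SAMPLE_NOW = datetime(2024, 5, 2, 10, 0, tzinfo=timezone.utc)


def parse_last_events(csv_text):
    """Map data-source name -> last event time as an aware UTC datetime."""
    out = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        ts = datetime.strptime(row["last_event"], "%Y-%m-%d %H:%M:%S")
        out[row["name"]] = ts.replace(tzinfo=timezone.utc)
    return out


def find_dark_sources(inventory_csv, last_event_csv, now, threshold_hours=24):
    """Return sorted (name, reason) pairs for inventory sources that are dark.

    A source is dark if its last event is older than the threshold, or if
    it does not appear in the last-event report at all.
    """
    last_seen = parse_last_events(last_event_csv)
    cutoff = now - timedelta(hours=threshold_hours)
    dark = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        name = row["name"]
        seen = last_seen.get(name)
        if seen is None:
            dark.append((name, "no events in report"))
        elif seen < cutoff:
            age_h = (now - seen).total_seconds() / 3600
            dark.append((name, f"last event {age_h:.1f}h ago"))
    return sorted(dark)


if __name__ == "__main__":
    for name, reason in find_dark_sources(INVENTORY_CSV, LAST_EVENT_CSV, SAMPLE_NOW):
        print(f"{name}: {reason}")
```

Feeding the result into a watch list or a scheduled report gives the daily "not reporting in 24h" view the original question asks for.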