Mayhaps
Level 9
Message 1 of 3

Inactive Device - One by one?

We have many devices in our SIEM (1k+) across several receivers. I have a list of devices (around 500) that I want to watch to see if they become inactive. Currently it seems that I can either select a whole receiver (which would also capture devices that are not in my list) or pick devices, one-by-one.

There has to be a better way of doing this. How can I better select devices to detect inactive status?

2 Replies
SSSSYYYY
Level 10
Message 2 of 3

Re: Inactive Device - One by one?

Upgrade advisor will check data sources and work out when it became inactive, which may be helpful?

pbpillai
McAfee Employee
Message 3 of 3

Re: Inactive Device - One by one?

In ESM properties > Alarms page, there will be an alarm called 'Device Health' with condition as Device Status Change.

Please make sure Idle time is selected.

Prior to doing this, you also need to ensure in Receiver properties > Events, Flows & logs > Inactivity Settings are configured for each of the datasources under each device by clicking on the Inactivity Settings button.

You can set the inactivity time for each datasource.

For example, if you do not receive any events from a datasource for 30 minutes, the datasource will be marked as inactive.

A yellow flag will be displayed in the ESM GUI for the inactive datasource highlighting the inactivity status.

When we start to receive events from the datasource, the inactivity status yellow flag will disappear.

In the 'Escalation' tab of the Alarm, you can enable Generate Reports & specify the conditions for the report.

The datasources need to be selected under the respective device in the 'Devices' tab of the Alarm as well.

Then you can get a report generated at a particular time of the day that shows the Inactivity status.

Regards,

Prashanth B Pillai

McAfee Technical Support

Customer Success Group
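
The inactivity rule described in the replies above (no events within a per-datasource idle time marks the datasource inactive), applied to a fixed watch list instead of a whole receiver, as an added example that is not part of the thread and is not McAfee code. It assumes each data source's last-event time is available in some export; the CSV layout, device names and function names are constructed, and no ESM API is used.

```python
import csv
import io
from datetime import datetime, timedelta

DEFAULT_IDLE = timedelta(minutes=30)  # the 30-minute example from the reply

# Constructed sample: data source name and time of its last received event.
SAMPLE_EXPORT = """name,last_event
fw-edge-01,2024-05-01 11:55:00
dc-auth-02,2024-05-01 11:10:00
proxy-03,2024-05-01 09:00:00
lab-printer,2024-05-01 02:00:00
"""

def load_last_seen(text):
    """Parse 'name,last_event' rows into {lowercased name: datetime}."""
    rows = csv.DictReader(io.StringIO(text))
    return {r["name"].strip().lower():
            datetime.strptime(r["last_event"], "%Y-%m-%d %H:%M:%S") for r in rows}

def inactive_sources(watch_list, last_seen, now, idle_overrides=None):
    """Return {name: idle time} for watched sources past their idle limit.
    A watched source absent from the export maps to None (never seen).
    idle_overrides keys are lowercased names with their own idle limit."""
    idle_overrides = idle_overrides or {}
    flagged = {}
    for name in (w.strip().lower() for w in watch_list):
        limit = idle_overrides.get(name, DEFAULT_IDLE)
        seen = last_seen.get(name)
        if seen is None:
            flagged[name] = None
        elif now - seen >= limit:
            flagged[name] = now - seen
    return flagged

def status_changes(previous, current):
    """Names newly flagged and names recovered between two runs."""
    return sorted(set(current) - set(previous)), sorted(set(previous) - set(current))

if __name__ == "__main__":
    now = datetime(2024, 5, 1, 12, 0, 0)  # fixed clock so the sample is repeatable
    watch = ["FW-EDGE-01", "dc-auth-02", "proxy-03", "hr-db-04"]
    flagged = inactive_sources(watch, load_last_seen(SAMPLE_EXPORT), now,
                               idle_overrides={"proxy-03": timedelta(hours=4)})
    for name, idle in sorted(flagged.items()):
        print(name, "never seen" if idle is None else f"idle {idle}")
```

Sources outside the watch list (`lab-printer` in the sample) are ignored, and a watched source that is missing from the export is reported rather than silently skipped.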
