I have been doing some looking around in the documentation, here in the community forums, and good ol' Google-Fu without really finding anything on this, so I pose the question to all of you.
As we know, when creating alarms you can set up a "Send Message" action that will send out an email based off a customizable template. These templates let you use variables (parameters?) so that when the email goes out it contains information on the event(s) that triggered the alarm, like Rule Name, Event ID, Source IP, Source User, etc. As shown here:
One of the other available alarm actions is "Generate Reports", which lets you use an existing custom report layout. What I am looking to accomplish is to run a report whenever an alarm triggers, but be able to apply a filter to that report based on the triggering event.
For example, if I had an alarm trigger when a single host got blocked at my firewall an excessive number of times, I would love to automatically get a report on events involving just that single host (Source IP).
The closest I have come was to automatically update a Watchlist with the Source IP and then have a report run on a scheduled basis that filters based on the values in the Watchlist. I was hoping there was a more seamless and on-demand way to accomplish this.
Thanks in advance for any advice.
I will test it, but I think you can set this in the Report section with a Table --> Event Queries --> Events and then set the filter on the last 10 minutes. I didn't know of any option to use any variable in the report -.- and I didn't find any option to use any variable....
Have either of you found a solution to this? I would be interested in this functionality as well. I will plan to do some testing and report back if I find something that works.
I have tested this as far as 9.5.1, and it is not possible to pass variables to a report. I have the same issue as you, WHY THE HELL NOT!!!!
However, this feature still has quite a bit of value, as you can generate a view or a custom report that would cover said condition within the time frame you are interested in.
A good example is to do a report of the EPS dashboard whenever an EPS or baseline alarm is triggered. It gives you a quick reference to what's causing the event before you even log in to the interface.
Thanks for the suggestion. Unfortunately, I don't think it will work for my use case. I would like to kick off a report of all events in a SigID from the username that is in the alarm, covering the last 3 weeks. There are a lot of events by username, so the unfiltered report isn't particularly helpful in this case. I thought about adding them to a watchlist and then running a scheduled report based off of the watchlist membership and grouping it by username. That wouldn't be as frequent as an alarm, but would present the list in a more usable format.
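The watchlist workaround described in the opening post (alarm fires on a threshold, the triggering Source IP is pushed onto a watchlist, and a scheduled report filters on watchlist membership) and the username variant in the reply above follow the same pattern, which can be modelled outside the product to check what the resulting report would contain. The Python below is an added example written for this thread; it is not ESM code and does not use the product's API. The event fields, the 10-minute alarm window, the threshold of 5 blocks, the 3-week report lookback, the 30-day watchlist TTL and the `EVENTS` data are all constructed assumptions.

```python
"""Model of the alarm -> watchlist -> filtered scheduled report workaround.

Everything here is a constructed stand-in for the SIEM: the event records,
thresholds and windows are assumptions chosen to exercise the logic.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Fixed reference time so the constructed data evaluates deterministically.
NOW = datetime(2024, 1, 15, 12, 0, 0)


def ev(minutes_ago, src_ip, user, sig_id, action):
    """Build one constructed event record relative to NOW."""
    return {"time": NOW - timedelta(minutes=minutes_ago), "src_ip": src_ip,
            "user": user, "sig_id": sig_id, "action": action}


# Constructed sample events (not real ESM data). 10.0.0.5 / alice is blocked
# five times inside the alarm window; 10.0.0.9 / bob only once.
EVENTS = [
    ev(1, "10.0.0.5", "alice", 4001, "blocked"),
    ev(2, "10.0.0.5", "alice", 4001, "blocked"),
    ev(3, "10.0.0.5", "alice", 4001, "blocked"),
    ev(4, "10.0.0.5", "alice", 4001, "blocked"),
    ev(5, "10.0.0.5", "alice", 4001, "blocked"),
    ev(6, "10.0.0.9", "bob", 4001, "blocked"),
    ev(7, "10.0.0.9", "bob", 4002, "allowed"),
    ev(60 * 24 * 2, "10.0.0.5", "alice", 4002, "allowed"),   # 2 days ago
    ev(60 * 24 * 30, "10.0.0.5", "alice", 4001, "blocked"),  # outside 3-week report
]


def evaluate_alarm(events, field="src_ip", threshold=5,
                   window=timedelta(minutes=10), now=NOW):
    """Return the set of `field` values with >= threshold blocks in the window.

    This stands in for the alarm condition ("single host blocked an excessive
    number of times"); the field chosen here is what lands on the watchlist.
    """
    counts = Counter(e[field] for e in events
                     if e["action"] == "blocked" and now - e["time"] <= window)
    return {value for value, n in counts.items() if n >= threshold}


def update_watchlist(watchlist, triggered, now=NOW):
    """Add triggered values to the watchlist, remembering first-seen time."""
    for value in triggered:
        watchlist.setdefault(value, now)
    return watchlist


def prune_watchlist(watchlist, ttl=timedelta(days=30), now=NOW):
    """Drop entries older than ttl so the scheduled report does not grow forever."""
    return {v: added for v, added in watchlist.items() if now - added <= ttl}


def run_report(events, watchlist, field="src_ip", lookback=timedelta(weeks=3),
               group_by="sig_id", now=NOW):
    """Scheduled-report stand-in: only events whose `field` is on the watchlist,
    restricted to the lookback period, counted per (watchlist value, group_by)."""
    report = defaultdict(Counter)
    for e in events:
        if e[field] in watchlist and now - e["time"] <= lookback:
            report[e[field]][e[group_by]] += 1
    return {value: dict(groups) for value, groups in report.items()}


def run_pipeline(field="src_ip"):
    """Run alarm evaluation, watchlist update and report for one key field.

    field="src_ip" models the firewall-block case from the opening post;
    field="user" models the per-username SigID report from the last reply.
    """
    triggered = evaluate_alarm(EVENTS, field=field)
    watchlist = prune_watchlist(update_watchlist({}, triggered))
    return triggered, run_report(EVENTS, watchlist, field=field)


if __name__ == "__main__":
    for key in ("src_ip", "user"):
        fired, report = run_pipeline(key)
        print(f"alarm on {key}: {sorted(fired)}")
        for value, groups in report.items():
            print(f"  {value}: {groups}")
```

The report output is keyed by the watchlist value and grouped by SigID, which is the shape the last reply asks for; swapping `field` between `src_ip` and `user` shows that the same watchlist mechanism covers both use cases, with the cost that the report is only as current as its schedule rather than the alarm itself.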