
Using variables in alarm generated reports

I have been doing some looking around in the documentation, here in the community forums, and good ol' Google-Fu without really finding anything on this so I pose the question to all of you.

As we know, when creating alarms you can set up a "Send Message" action that will send out an email based off a customizable template. These templates let you use variables (parameters?) so that when the email goes out it contains information on the event(s) that triggered the alarm like Rule Name, Event ID, Source IP, Source User, etc. Like shown here:


One of the other available alarm actions you can do is "Generate Reports" which lets you use an existing custom report layout. What I am looking to accomplish is to run a report whenever an alarm triggers but be able to apply a filter to that report based on the triggering event.

For example if I had an alarm trigger when I had a single host getting blocked at my firewall an excessive number of times, I would love to automatically get a report on events involving just that single host (Source IP).

The closest I have come was to automatically update a Watchlist with the Source IP and then have a report run on a scheduled basis that filters based on the values in the Watchlist. I was hoping there was a more seamless and on-demand way to accomplish this.

Thanks in advance for any advice.


4 Replies

Re: Using variables in alarm generated reports

I will test it, but I think you can set this in the Report section with a Table --> Event Querys --> Events and then set the filter on last 10 minutes. I didn't know any option to use any variable in the report -.- and I didn't find any option to use any variable ....

Re: Using variables in alarm generated reports

Have either of you found a solution to this? I would be interested in this functionality as well. I will plan to do some testing and report back if I find something that works.


Re: Using variables in alarm generated reports

I have tested this as far as 9.5.1 and it is not possible to pass variables to a report. I have the same issue as you, WHY THE HELL NOT!!!!

However, this feature still has quite a bit of value, as you can generate a view or a custom report that would cover said condition within the time frame you are interested in.

A good example is to do a report of the EPS dashboard whenever an EPS or baseline alarm is triggered. Gives you a quick reference to what's causing the event before you even log in to the interface.


Re: Using variables in alarm generated reports

Thanks for the suggestion. Unfortunately I don't think it will work for my use case. I would like to kick off a report of all events in a SigID from the username that is in the alarm that covers a period of the last 3 weeks. There are a lot of events by username, so the unfiltered report isn't particularly helpful in this case. I thought about adding them to a watchlist and then running a scheduled report based off of the watchlist membership and grouping it by username. That wouldn't be as frequent as an alarm, but would present the list in a more useable format.
