mass acknowledge alerts


using ESM 9.5 is it possible to mass acknowledge alerts?

1 Solution

Accepted Solutions
xded
Level 12
Message 3 of 7

Re: mass acknowledge alerts


hi,

1. click on Alarms (top right)

2. shift + click on your Alerts

3. click on menu (top left in this view)

4. Toggle acknowledged

6 Replies
aszotek
Level 10
Message 2 of 7

Re: mass acknowledge alerts


define "alerts" please.

Re: mass acknowledge alerts


If by "acknowledge alerts" you mean "mark events as reviewed," you can bulk-select events in your view (say, from a view containing all events from a particular data source) using either Shift or Ctrl to select multiple consecutive or non-consecutive events, respectively.  Then, from the Menu dropdown, select Mark as reviewed > Selected.

[screenshot attachment: mcafee_img.png]

Re: mass acknowledge alerts


It is the alarms from the bell icon on the top right. The second answer was what I was looking for. Only it is still limited by the number of alarms on one page.

rcavey
Level 9
Message 6 of 7

Re: mass acknowledge alerts


boneyard,

I don't have my notes handy but I think you can do this via command line. I'll reply back tomorrow with a database command that you can try and modify to do what you need.

rcavey
Level 9
Message 7 of 7

Re: mass acknowledge alerts


boneyard,

To get into the database on the ESM

nsql /usr/local/ess/data/connect_esm.sql

DISCLAIMER::  Please run any of the below at your own risk.  We used some of this pre-production to clear things out from testing.

## to show columns triggeredalarm table

show columns from triggeredalarm

"This will dump out the columns and give you things to use in your search for conditions"

FROM MY NOTES:::

##### Delete Alarm in bulk

delete from triggeredalarm where triggerdate < '09/13/2014 00:00:00'

#### acknowledge alarms in bulk, make sure you confirm the userid number

update triggeredalarm set status=1, ackdate='10/02/2014 00:00:00', ackuserid=15 where triggerdate < '09/30/2014 00:00:00'

CASE MANAGEMENT

## This opentime logic can go either way, < or >

update casemgt set status=2, closetime='11/27/2013 18:10:48.000' where opentime < '08/12/2013 16:10:36.000'

## To check how many are not closed

select count(*) from casemgt where status <> 2
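The same bulk acknowledge and bulk close, written as a count-first, update, recount sequence. This is an added example and not part of rcavey's post. It runs in the nsql shell the post opens and uses only the columns the post names (status, ackdate, ackuserid, triggerdate on triggeredalarm; status, opentime, closetime on casemgt). Two things are assumptions of mine, not facts from the page: that nsql accepts GROUP BY, ORDER BY and trailing semicolons (drop the semicolons if it rejects them, the post's statements have none), and that the ackuserid value 15 is the poster's own id and must be replaced with yours, which step 0 shows how to find.

```sql
-- Added example (not from the original post). Run inside the shell opened by
--   nsql /usr/local/ess/data/connect_esm.sql
-- Assumption: GROUP BY / ORDER BY / ';' are accepted by nsql; verify on your ESM.

-- Step 0: find your own user id. Acknowledge ONE alarm in the ESM GUI first,
-- then read back what the GUI wrote. The ackuserid on that fresh row is the
-- value to use below (15 is the post author's id, not yours).
select ackuserid, count(*) from triggeredalarm
  where status = 1 and ackdate >= '10/02/2014 00:00:00'
  group by ackuserid;

-- Step 1: dry run. Count what the update would touch before touching it.
-- status <> 1 keeps rows that are already acknowledged out of the set, the
-- same idiom the post uses for open cases (status <> 2).
select count(*) from triggeredalarm
  where status <> 1 and triggerdate < '09/30/2014 00:00:00';

-- Step 2: eyeball the oldest rows in that set so a wrong cutoff is caught
-- before the update, not after.
select triggerdate, status, ackuserid from triggeredalarm
  where status <> 1 and triggerdate < '09/30/2014 00:00:00'
  order by triggerdate;

-- Step 3: the acknowledge itself. Restricting to status <> 1 means rows an
-- analyst already acknowledged keep their original ackdate and ackuserid
-- instead of being overwritten with yours.
update triggeredalarm set status=1, ackdate='10/02/2014 00:00:00', ackuserid=15
  where status <> 1 and triggerdate < '09/30/2014 00:00:00';

-- Step 4: recount. Expect 0 unacknowledged alarms older than the cutoff.
select count(*) from triggeredalarm
  where status <> 1 and triggerdate < '09/30/2014 00:00:00';

-- Same pattern for case management: count, close, recount.
select count(*) from casemgt
  where status <> 2 and opentime < '08/12/2013 16:10:36.000';

update casemgt set status=2, closetime='11/27/2013 18:10:48.000'
  where status <> 2 and opentime < '08/12/2013 16:10:36.000';

select count(*) from casemgt where status <> 2;
```

The counts in steps 1 and 4 are the check worth keeping even if you skip the rest: the number from step 1 is what you expect the update to report as affected, and a non-zero result in step 4 means either the cutoff or the status value is not what you assumed.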
