13 Replies. Latest reply on Apr 1, 2015 3:20 PM by LT McGary

    Help with an Alarm

    LT McGary

      I created an Alarm from a Watchlist that is not firing. I created a static Watchlist that contains the MAC addresses of PCs we want to monitor. The Alarm is set to fire off every time DHCP releases an IP to any of the MAC addresses in the Watchlist (Ex: User moves from his desk to a conference room, and gets a new IP). I've gone through KB79278 (https://kc.mcafee.com/corporate/index?page=content&id=KB79278&actp=LIST), so filtering on a MAC address should be a non-issue. Below is a screenshot of the Alarm I have created. Any suggestions would be greatly appreciated. Thanks!

      [Attachment: DHCP Alarm.PNG]

        • 1. Re: Help with an Alarm
          markie_mark

          Hey!

          Does it trigger in a view? I.e. if you put both the Signature ID & Destination MAC in the filters?

          Thanks

          Mark

          • 2. Re: Help with an Alarm
            LT McGary

            I can find the event when I search for it via filters, but the Alarm doesn't ever fire when the event occurs.

            • 3. Re: Help with an Alarm
              markie_mark

              What happens if you select create new alarm from the returned events from the view?

              Mark

              • 4. Re: Help with an Alarm
                LT McGary

                I get the same result. I submitted an SR online, and noticed there is an issue with field match custom alarms not triggering, that should be resolved in 9.4.1 20141017 (9.4.1 Maintenance Release 2). I'm currently running 9.4.1 20140930 (Maintenance Release 1). I'm not sure if this is the same issue, as I don't think this is a custom correlation rule (See KB83491). I'll let you know what I learn.

                • 5. Re: Help with an Alarm
                  acommons

                  Try putting both the conditions in the same section so you end up with a single 'box' (or whatever they call them).

                  I've had similar experiences and it looks like the first match consumes the event.

                  • 6. Re: Help with an Alarm
                    LT McGary

                    Thanks Acommons. I can't seem to accomplish that in the actual Alarm. They are in the same "box" in the Correlation rule, however.

                    • 7. Re: Help with an Alarm
                      acommons

                      I'd forgotten about that user interface 'quirk'.

                      If the correlation rule is working you can trigger the alarm off that. If you are just using the alarm to update a watchlist with the PC IP that should be good enough.

                      We have a similar issue with wandering laptops and I've been using the host name as the key in Views to track the IP address from DHCP, ePO and anything else that has both Host and IP address in the event.

                      • 8. Re: Help with an Alarm
                        LT McGary

                        I contacted support. The phone tech couldn't figure this out either. It has been escalated. I'll keep everyone posted.

                        • 9. Re: Help with an Alarm
                          jon286

                          Did you get any further with support? I'm having the same (or at least I think it is) problem with 9.4.2 20150127.

                          I'm trying to leverage GTI and some other third party blocklists pulled in with SMB (the PowerShell posted on this forum works perfectly to update these, by the way), against our web filtering and alarm if any traffic is missed and passed to bad IPs.

                          I've tried this as per the OP screenshot and can also find the events using filters, yet the Alarm never fires, either using Event Subtypes or sig IDs to match the events. This only happens with Field Match; using Internal Event match to fire on a single watchlist works fine.
