2 Replies Latest reply on Jan 30, 2015 7:37 AM by docdriza

    Specified Event Rate

    docdriza

I have an alarm set for when events exceed the specified event rate. I would like to have some action items based on this alarm, but I am not sure where to go to see where the event increase is coming from. Does anyone have any suggestions on where to go to see what data source or receiver has an increase of events?

        • 1. Re: Specified Event Rate
          ryan.fitzpatrick

          Create a new view, drag the little bar chart icon down, in the query, do an event query, event collection by device per (second|minute) depending on which you want to see, and set your view for last hour or so depending on when the alarm occurred.


          This should give you a decent idea of where the spike occurred by the top talkers over the last hours, but it is not 100% definitive, because a device that went from 1-2 logs a day may have just gotten 20 logs causing a 1,000% threshold increase of events, however it is a start.


          Hope it helps!

          • 2. Re: Specified Event Rate
            docdriza

            Thanks for the reply. To further expand on what you are saying, I followed the steps to implement the dashboard explained in the article below.


            https://community.mcafee.com/docs/DOC-6407


            Once I implemented this, I was able to identify which receiver has the increase in EPS. I targeted that receiver, and now I can see when the EPS rate increased and identify what events are occurring. I also created an EPS rate increase alarm for each receiver to help speed the investigation process.


            Thanks.
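The two-step triage described in this thread (first find the receiver whose EPS rose, then list the top-talking devices behind it, while not being fooled by a source that went from 1 to 20 events and shows a 1,000% jump) can be reproduced offline on exported events. The script below is an added example written for this page; it is not code from the thread, from the linked DOC-6407 dashboard, or from McAfee ESM. Receiver names (`erc-a`, `erc-b`), device names and all event timestamps are constructed sample data; `min_eps` is an absolute floor chosen here to implement ryan.fitzpatrick's caveat and is not an ESM setting.

```python
"""Per-receiver and per-device event-rate breakdown for a rate alarm.

Added example (not McAfee ESM code). Mirrors the thread's two steps:
1. rank receivers by their EPS gain between a baseline window and the
   alarm window, and
2. on the chosen receiver, list devices whose rate rose by a ratio AND
   clears an absolute floor, so a tiny source with a huge percentage
   change does not top the list.
"""
from collections import defaultdict


def _build_sample():
    # Constructed events: (epoch seconds, receiver, device).
    # Baseline window is [600, 1200); alarm window is [1200, 1260).
    events = []
    # receiver erc-a: fw-01 steady at 1 event/s; vpn-02 at 1/s in the
    # baseline but 10/s in the alarm window (the real spike).
    for t in range(600, 1260):
        events.append((t, "erc-a", "fw-01"))
    for t in range(600, 1200):
        events.append((t, "erc-a", "vpn-02"))
    for t in range(1200, 1260):
        for _ in range(10):
            events.append((t, "erc-a", "vpn-02"))
    # receiver erc-b: dc-01 steady at 0.5/s; printer-9 sends one event
    # in the baseline and 20 in the window (huge ratio, tiny volume).
    for t in range(600, 1260, 2):
        events.append((t, "erc-b", "dc-01"))
    events.append((700, "erc-b", "printer-9"))
    for t in range(1200, 1220):
        events.append((t, "erc-b", "printer-9"))
    return events


SAMPLE_EVENTS = _build_sample()


def eps_by(events, keyfunc, start, end):
    """Events per second per key (receiver or device) within [start, end)."""
    counts = defaultdict(int)
    for ev in events:
        if start <= ev[0] < end:
            counts[keyfunc(ev)] += 1
    span = float(end - start)
    return {k: v / span for k, v in counts.items()}


def receiver_increase(events, baseline, window):
    """Rows (receiver, baseline_eps, window_eps, ratio), sorted by absolute EPS gain."""
    base = eps_by(events, lambda e: e[1], *baseline)
    win = eps_by(events, lambda e: e[1], *window)
    rows = []
    for r in set(base) | set(win):
        b, w = base.get(r, 0.0), win.get(r, 0.0)
        ratio = w / b if b else float("inf")
        rows.append((r, b, w, ratio))
    rows.sort(key=lambda row: row[2] - row[1], reverse=True)
    return rows


def top_talkers(events, receiver, baseline, window, min_ratio=3.0, min_eps=1.0):
    """Devices on one receiver whose window rate rose by min_ratio AND is at least min_eps.

    min_eps is the absolute floor that keeps a 1-event-a-day source with a
    1,000% increase from outranking a device that actually moved the alarm.
    """
    on_receiver = [e for e in events if e[1] == receiver]
    base = eps_by(on_receiver, lambda e: e[2], *baseline)
    win = eps_by(on_receiver, lambda e: e[2], *window)
    flagged = []
    for d in set(base) | set(win):
        b, w = base.get(d, 0.0), win.get(d, 0.0)
        ratio = w / b if b else float("inf")
        if w >= min_eps and ratio >= min_ratio:
            flagged.append((d, b, w, ratio))
    flagged.sort(key=lambda row: row[2] - row[1], reverse=True)
    return flagged


if __name__ == "__main__":
    baseline, window = (600, 1200), (1200, 1260)
    print("receivers by EPS gain:")
    for r, b, w, ratio in receiver_increase(SAMPLE_EVENTS, baseline, window):
        print(f"  {r}: {b:.2f} -> {w:.2f} eps (x{ratio:.1f})")
    worst = receiver_increase(SAMPLE_EVENTS, baseline, window)[0][0]
    print(f"top talkers on {worst}:")
    for d, b, w, ratio in top_talkers(SAMPLE_EVENTS, worst, baseline, window):
        print(f"  {d}: {b:.2f} -> {w:.2f} eps (x{ratio:.1f})")
    print("erc-b with ratio only (floor disabled):",
          [d for d, *_ in top_talkers(SAMPLE_EVENTS, "erc-b", baseline, window, min_eps=0.0)])
```

Run against the constructed data, `erc-a` tops the receiver list (its gain is 9 EPS versus about 0.3 for `erc-b`), and `vpn-02` is the only device flagged on it. On `erc-b`, `printer-9` shows a 200x ratio but is only reported when the absolute floor is disabled, which is exactly the false positive the first reply warns about. To use it on real exports, replace `_build_sample()` with a loader for your receiver's event export and pick baseline and window to bracket the alarm time.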