6 Replies Latest reply on Jun 3, 2015 9:32 AM by rcavey

    mass acknowledge alerts

    boneyard

      Using ESM 9.5, is it possible to mass acknowledge alerts?

        • 1. Re: mass acknowledge alerts
          aszotek

          define "alerts" please.

          • 2. Re: mass acknowledge alerts
            xded

            hi,


            1. click on Alarms (top right)

            2. shift + click on your Alerts

            3. click on menu (top left in this view)

            4. Toggle acknowledged

            • 3. Re: mass acknowledge alerts
              rickgrimes

              If by "acknowledge alerts" you mean "mark events as reviewed," you can bulk-select events in your view (say, from a view containing all events from a particular data source) using either Shift or Ctrl to select multiple consecutive or non-consecutive events, respectively.  Then, from the Menu dropdown, select Mark as reviewed > Selected.


              • 4. Re: mass acknowledge alerts
                boneyard

                It is the alarms from the bell icon on the top right. The second answer was what I was looking for; only it is still limited by the number of alarms on one page.

                • 5. Re: mass acknowledge alerts
                  rcavey

                  boneyard,


                    I don't have my notes handy but I think you can do this via command line. I'll reply back tomorrow with a database command that you can try and modify to do what you need.

                  • 6. Re: mass acknowledge alerts
                    rcavey

                    boneyard,


                    To get into the database on the ESM

                    nsql /usr/local/ess/data/connect_esm.sql


                    DISCLAIMER::  Please run any of the below at your own risk.  We used some of this pre-production to clear things out from testing.


                    ## to show columns triggeredalarm table

                    show columns from triggeredalarm

                    "This will dump out the columns and give you things to use in your search for conditions"


                    FROM MY NOTES:::


                    ##### Delete Alarm in bulk

                    delete from triggeredalarm where triggerdate < '09/13/2014 00:00:00'


                    #### acknowledge alarms in bulk, make sure you confirm the userid number

                    update triggeredalarm set status=1, ackdate='10/02/2014 00:00:00', ackuserid=15 where triggerdate < '09/30/2014 00:00:00'


                    CASE MANAGEMENT

                    ## This opentime logic can go either way: < or >

                    update casemgt set status=2, closetime='11/27/2013 18:10:48.000' where opentime < '08/12/2013 16:10:36.000'


                    ## To check how many are not closed

                    select count(*) from casemgt where status <> 2
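An added example, not from rcavey's notes or from McAfee, that wraps the bulk acknowledge above in a count-before, update, count-after sequence so the number of rows touched is known before anything changes and alarms that were already acknowledged keep their original ackdate and ackuserid. It assumes the triggeredalarm columns shown in the post, that status=1 means "acknowledged" (as the post's update implies), and that nsql accepts the same select/update/where syntax the post uses; the date and user id are placeholders to replace, and each statement is run on its own as in the post.

```sql
-- 1. Preview: how many alarms would the bulk acknowledge touch?
--    status <> 1 excludes alarms that are already acknowledged
--    (assumption: status=1 means acknowledged, as in the post's update)
select count(*) from triggeredalarm where status <> 1 and triggerdate < '09/30/2014 00:00:00'

-- 2. Acknowledge only those rows. The status filter means earlier
--    acknowledgements keep their own ackdate/ackuserid instead of being
--    overwritten with today's values.
--    ackdate   = placeholder, set to the date you run this
--    ackuserid = placeholder, confirm the real user id first (see the post)
update triggeredalarm set status=1, ackdate='10/02/2014 00:00:00', ackuserid=15 where status <> 1 and triggerdate < '09/30/2014 00:00:00'

-- 3. Verify: the preview count from step 1 should now be zero
select count(*) from triggeredalarm where status <> 1 and triggerdate < '09/30/2014 00:00:00'

-- 4. Audit: how many alarms now carry the bulk acknowledgement, so the
--    change is visible to whoever reviews the alarm history later
select count(*) from triggeredalarm where status = 1 and ackdate = '10/02/2014 00:00:00' and ackuserid = 15
```

If the step 1 count is larger than expected, tighten the triggerdate window before running the update rather than after.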