1 Reply Latest reply on Sep 2, 2016 6:58 PM by hhoang

    Automatic Responses for Threat events


      Hey all,

      I need some help.

I need an automatic response when the event ID 19115 (Device_PLUG) appears more than 5 times at a client within 30 minutes. How should this be done? Which filter and aggregation have to be defined?

At the moment I get mails, although the event appears only once per client.


      Thanks for your help.

        • 1. Re: Automatic Responses for Threat events

Sounds like you are looking for aggregation.  'Trigger this response if multiple events occur within: 30 minutes' and 'When the number of events is at least: 5'


          Grouping:  Group aggregated events by 'Machine name'


          Throttling would control how often the email notification would be sent.  Device plug events can be generated fairly frequently depending on driver behavior so you may want to be careful setting that to something low.
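To make the difference between the three settings in the reply concrete (the filter on the event ID, the aggregation window and count grouped by machine name, and the throttle on notifications), here is an added example that simulates that evaluation over constructed events. It is not code from the thread or from the ePO product, and the machine names, timestamps and the second event ID 1234 are assumptions made up for the demonstration.

```python
from collections import defaultdict, deque
from datetime import datetime

DEVICE_PLUG = 19115  # the event ID asked about in the thread

# Constructed sample events, not real ePO data: (timestamp, machine name, event ID)
SAMPLE_EVENTS = [
    ("2016-09-02 08:00", "WS-01", 19115),
    ("2016-09-02 08:05", "WS-01", 19115),
    ("2016-09-02 08:10", "WS-02", 19115),
    ("2016-09-02 08:12", "WS-01", 19115),
    ("2016-09-02 08:15", "WS-01", 1234),   # assumed unrelated event ID, dropped by the filter
    ("2016-09-02 08:20", "WS-01", 19115),
    ("2016-09-02 08:25", "WS-01", 19115),  # 5th WS-01 plug within 30 min: notification
    ("2016-09-02 08:26", "WS-01", 19115),  # 6th in the window, suppressed by the throttle
    ("2016-09-02 09:40", "WS-01", 19115),  # window has moved on, count starts again
    ("2016-09-02 09:45", "WS-02", 19115),
    ("2016-09-02 09:50", "WS-01", 19115),
    ("2016-09-02 09:55", "WS-01", 19115),
    ("2016-09-02 10:00", "WS-01", 19115),
    ("2016-09-02 10:05", "WS-01", 19115),  # 5 again within 30 min, throttle expired: notification
]


def evaluate(events, event_id=DEVICE_PLUG, window_minutes=30, threshold=5,
             throttle_minutes=60):
    """Return one (machine, time, count) tuple per notification that would be sent.

    filter      -> only events with the given event ID are counted
    aggregation -> at least `threshold` events within `window_minutes`,
                   grouped by machine name (each machine counted on its own)
    throttling  -> at most one notification per machine every `throttle_minutes`
    """
    recent = defaultdict(deque)  # machine -> timestamps still inside the window
    last_sent = {}               # machine -> time of the last notification
    notifications = []
    for ts_str, machine, eid in events:
        if eid != event_id:
            continue  # filter: other event IDs never reach the aggregation
        ts = datetime.strptime(ts_str, "%Y-%m-%d %H:%M")
        q = recent[machine]
        q.append(ts)
        # drop timestamps that have fallen out of the sliding window
        while (ts - q[0]).total_seconds() > window_minutes * 60:
            q.popleft()
        if len(q) < threshold:
            continue  # aggregation: not enough events yet for this machine
        last = last_sent.get(machine)
        if last is not None and (ts - last).total_seconds() < throttle_minutes * 60:
            continue  # throttling: a notification for this machine went out recently
        notifications.append((machine, ts, len(q)))
        last_sent[machine] = ts
    return notifications


if __name__ == "__main__":
    # The poster's current behaviour: a mail for every single event
    print("threshold 1, no throttle:",
          len(evaluate(SAMPLE_EVENTS, threshold=1, throttle_minutes=0)), "mails")
    # With the aggregation and throttling from the reply
    for machine, ts, count in evaluate(SAMPLE_EVENTS):
        print(f"{ts:%H:%M} {machine}: {count} Device_PLUG events in 30 min -> notify")
```

With the defaults the sample produces two notifications for WS-01 (at 08:25 and 10:05) and none for WS-02, which never reaches five plug events in a window; with the threshold at 1 and no throttle every one of the thirteen 19115 events produces a mail, which is the behaviour the question describes. The second WS-01 notification also shows what a low throttle buys you: once the throttle interval has passed, a machine that keeps generating plug events will trigger the response again.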