
How to add an alarm to a newly created Directive

SunilKumar

Hi,

I have cloned one OSSIM directive and modified it as per my requirement. During cloning, all the information or attributes of the original directive were copied to the cloned one except the "Alarm" info. Could you guys help me with how to add the alarm to the cloned directive?


Answers

  • SunilKumar,

    I am not really sure what you are referring to, but complete information on modifying existing directives can be found in the correlation section of our documentation.

  • Hi kcoe,

    I am referring to the highlighted section of this screenshot.

    [attached screenshot: Capture]
  • Hello @sunilkumar,

    Despite the provided screenshot, I am afraid there is not enough information to understand what you are trying to accomplish. Can you please explicitly elaborate on what you are doing, and what you are trying to accomplish?

    Regards,

    - kratos
  • I simply cloned the built-in directive "AV-FREE-FEED Malware, malware infection detected on SRC_IP" and changed the occurrence value in rule number 2. The original value was 1 and the modified value is 10, as you can see in the attached screenshot.

    But the original built-in directive is showing some alarms, while the cloned directive is not showing any alarm information, as you can see in the attached screenshot.

    [attached screenshot: Capture]
  • Hello @sunilkumar,

    Per your screenshot, for Rule_2 you are specifying that there must be "10 occurrences in 900 seconds", with Rule_3 specifying "1000 occurrences in 3600 seconds". Can you verify that you have had that number of events in that amount of time? Specifically, has your system collected 10 (or more) occurrences in under 900 seconds?

    What is the result of creating a Custom_Directive with just two rules, instead of 3?

    Regards,

    - kratos
  • Hi Kratos,

    About the number of events, I would like to share with you that I am creating this directive to reduce the false-positive events. As per the original value of Rule 2, only 2 occurrences will trigger the alarm.

    About your next query: currently the Custom_Directive is not working because no alarm is associated with it. And this is my actual query: how can I add the alarm to my custom_directive?
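To make the question in this thread concrete, the following is an added illustration (not OSSIM code and not written by any poster) of how a rule's occurrence and time_out values decide whether a directive progresses past Rule_2. It assumes a simplified model in which each level after the first must see `occurrence` matching events within `time_out` seconds of the previous level matching; the first level's occurrence of 1, the rule names, and the original Rule_2 value of 1 (as stated earlier in the thread) are assumptions, since the screenshots only show Rule_2 and Rule_3. The event timestamps are constructed.

```python
"""Simplified model of a multi-level OSSIM correlation directive.

Added illustration, not OSSIM's correlation engine. Assumption: after the
first level matches one event, every later level must see `occurrence`
matching events within `time_out` seconds of the previous level matching,
otherwise the directive instance stalls at the level already reached.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Rule:
    name: str
    occurrence: int   # matching events required at this level
    time_out: int = 0  # seconds allowed after the previous level matched (unused for level 1)


# Rule_2 and Rule_3 values come from the screenshot discussed in the thread;
# Rule_1 (occurrence=1) is an assumption because the thread does not show it.
CLONED_RULES = [Rule("Rule_1", 1), Rule("Rule_2", 10, 900), Rule("Rule_3", 1000, 3600)]
ORIGINAL_RULES = [Rule("Rule_1", 1), Rule("Rule_2", 1, 900), Rule("Rule_3", 1000, 3600)]

# Constructed event streams (seconds since the first matching event).
SPARSE_EVENTS = [0, 60, 120, 180, 240, 300, 360]       # 7 events in 6 minutes
BURST_EVENTS = [30 * i for i in range(12)]             # 12 events in 5.5 minutes


def levels_reached(rules: List[Rule], event_times: List[int]) -> List[Tuple[str, int]]:
    """Return (rule name, timestamp) for every level that matched, in order.

    The first level matches the first event. Each following level counts the
    events that arrive no later than `time_out` seconds after the previous
    level matched; it matches on the event that brings the count to
    `occurrence`. If the deadline passes first, the directive stops there.
    """
    events = sorted(event_times)
    if not events:
        return []
    reached = [(rules[0].name, events[0])]
    level_start = events[0]
    idx = 1  # next unconsumed event
    for rule in rules[1:]:
        deadline = level_start + rule.time_out
        count = 0
        matched_at = None
        while idx < len(events) and events[idx] <= deadline:
            count += 1
            idx += 1
            if count >= rule.occurrence:
                matched_at = events[idx - 1]
                break
        if matched_at is None:
            break  # not enough events before the deadline: stall at this level
        reached.append((rule.name, matched_at))
        level_start = matched_at
    return reached


if __name__ == "__main__":
    for label, rules in (("original", ORIGINAL_RULES), ("cloned", CLONED_RULES)):
        for stream, events in (("sparse", SPARSE_EVENTS), ("burst", BURST_EVENTS)):
            print(f"{label:8s} {stream:6s} -> {levels_reached(rules, events)}")
```

Raising Rule_2 from 1 to 10 occurrences means that, unless ten matching events arrive within 900 seconds of the first, the cloned directive never moves past its first level, which would explain a cloned directive listing no alarms while the original does. Whether a level that is reached actually raises an alarm also depends on the directive's priority and reliability values, which this thread does not show.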
