Hello AV Community Folk!
I want to set up a couple of alerts:
1. For our EuC estate: those specific devices whose EuC protection signature is xxx days past the signature release date, e.g. signature not updated for XXX days.
2. Again for our EuC estate: those specific devices whose EuC protection has consecutively failed to download EuC protection signatures over xxx days, e.g. a device that has failed to successfully download the signature in
I can find the log source for #2; it is a download signature failure event. I created a rule (see
(packet_type == 'log' AND customfield_0 == 'computer' AND event_category == 'UPDATING' AND event_subcategory == 'Event::Endpoint::UpdateFailure' AND event_severity == 'low') - Occurrence 3, Length = 1H
However, the rule matches against ANY 3 hosts that have failed to download the EuC signature, which is NOT what I'm trying to achieve. I am after a rule that is limited to a single device that has failed 3 times in the last hour.
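To make the difference concrete, here is an added example (not code from the post or from the AlienVault product) that evaluates the same field conditions as the rule above but keeps a separate one-hour sliding window per device, so three hosts failing once each does not fire while one host failing three times does. It also covers alert #1 (signature age). The field names come from the posted rule; `device` and `ts` are assumed names for the host and timestamp fields, and the events are constructed sample input.

```python
# Added example: per-device sliding-window correlation of endpoint update
# failures. 'device' and 'ts' are assumed field names for host and timestamp.
from collections import defaultdict, deque
from datetime import datetime, timedelta

def is_update_failure(ev):
    """Same boolean conditions as the posted rule."""
    return (ev.get("packet_type") == "log"
            and ev.get("customfield_0") == "computer"
            and ev.get("event_category") == "UPDATING"
            and ev.get("event_subcategory") == "Event::Endpoint::UpdateFailure"
            and ev.get("event_severity") == "low")

def devices_failing_repeatedly(events, window=timedelta(hours=1), threshold=3):
    """Return {device: time the threshold was crossed} for devices with
    >= threshold failures inside one sliding window. One queue per device
    is what separates 'one host failed 3 times' from 'any 3 hosts failed'."""
    recent = defaultdict(deque)   # device -> failure timestamps still in window
    alerts = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if not is_update_failure(ev):
            continue
        q = recent[ev["device"]]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and ev["device"] not in alerts:
            alerts[ev["device"]] = ev["ts"]
    return alerts

def stale_signatures(sig_dates, now, max_age_days):
    """Alert #1: devices whose installed signature release date is more than
    max_age_days behind now. sig_dates maps device -> signature release date."""
    return sorted(d for d, rel in sig_dates.items()
                  if now - rel > timedelta(days=max_age_days))

# Constructed sample input: pc-a/pc-b/pc-c each fail once in the hour (three
# hosts, no alert), pc-d fails three times in 55 minutes (alert), pc-e fails
# three times but spread over more than an hour (no alert).
T0 = datetime(2024, 1, 1, 9, 0)
def _fail(device, minutes):
    return {"packet_type": "log", "customfield_0": "computer",
            "event_category": "UPDATING", "event_severity": "low",
            "event_subcategory": "Event::Endpoint::UpdateFailure",
            "device": device, "ts": T0 + timedelta(minutes=minutes)}

SAMPLE_EVENTS = [_fail("pc-a", 0), _fail("pc-b", 10), _fail("pc-c", 20),
                 _fail("pc-d", 5), _fail("pc-d", 30), _fail("pc-d", 55),
                 _fail("pc-e", 0), _fail("pc-e", 70), _fail("pc-e", 130)]
```

Running `devices_failing_repeatedly(SAMPLE_EVENTS)` reports only `pc-d`; in a SIEM rule the equivalent is grouping the occurrence count by the host field rather than counting matches globally.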