
Alert based on event timing

AdrianDR

New Life Form


Hello AV Community Folk!

I want to set up a couple of alerts:

1. is for our EuC estate - those specific devices whose EuC protection signature is xxx days past the signature release date, e.g. signature not updated for XXX days.

2. again, is for our EuC estate - those specific devices whose EuC protection has consecutively failed to download EuC protection signatures over xxx days, e.g. a device that has failed to successfully download a signature in xxx days.

I can find the log source for #2; it is a download signature failure event. I created a rule (see below):

(packet_type == 'log' AND customfield_0 == 'computer' AND event_category == 'UPDATING' AND event_subcategory == 'Event::Endpoint::UpdateFailure' AND event_severity == 'low') - Occurrence 3, Length = 1H

However, the rule matches against ANY 3 hosts that have failed to download the EuC signature, which is NOT what I'm trying to achieve. I am after a rule that is limited to a single device that has failed 3 times in the last hour.
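The difference between "3 failures anywhere in the estate" and "3 failures on one device" is whether the occurrence count is keyed by host. The following is an added illustration of that per-host sliding-window count in Python, not a USM/OSSIM rule and not code from the original post; the log events and hostnames are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real USM output): timestamp, host, event_subcategory.
# Three different hosts fail once each (an estate-wide count of 3 would fire here),
# and ws-0104 fails three times inside one hour (what the post actually wants).
SAMPLE_EVENTS = [
    ("2024-01-10 09:05:00", "ws-0101", "Event::Endpoint::UpdateFailure"),
    ("2024-01-10 09:10:00", "ws-0102", "Event::Endpoint::UpdateFailure"),
    ("2024-01-10 09:20:00", "ws-0103", "Event::Endpoint::UpdateFailure"),
    ("2024-01-10 10:00:00", "ws-0104", "Event::Endpoint::UpdateFailure"),
    ("2024-01-10 10:30:00", "ws-0104", "Event::Endpoint::UpdateFailure"),
    ("2024-01-10 10:50:00", "ws-0104", "Event::Endpoint::UpdateFailure"),
]

FAILURE = "Event::Endpoint::UpdateFailure"  # event_subcategory value from the post's rule


def per_host_failure_alerts(events, occurrences=3, window=timedelta(hours=1)):
    """Return (host, timestamp) pairs where a single host has reached
    `occurrences` UpdateFailure events within a sliding `window`.

    Counting is keyed by host, so failures on different devices never
    add up to one alert (the behaviour the post's estate-wide rule has).
    """
    recent = defaultdict(deque)  # host -> timestamps of its failures still inside the window
    alerts = []
    for ts_str, host, subcategory in sorted(events):
        if subcategory != FAILURE:
            continue  # only the failure event feeds the counter
        ts = datetime.strptime(ts_str, "%Y-%m-%d %H:%M:%S")
        q = recent[host]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()  # drop failures older than the window for this host
        if len(q) >= occurrences:
            alerts.append((host, ts_str))
            q.clear()  # one alert per run of failures, not one per further failure
    return alerts


if __name__ == "__main__":
    for host, when in per_host_failure_alerts(SAMPLE_EVENTS):
        print(f"ALERT: {host} reached 3 signature download failures within 1h at {when}")
```

With the sample data only ws-0104 is reported; shrinking the window to 30 minutes reports nothing, because its three failures are spread over 50 minutes.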


