Re: Almost identical rules - one fires, one doesn't?
Very strange - do you have any other rules that use Agent Online events? This would be weird and is a long shot, but one place you can look is under Manage > Appliances, then click the gear on the...
Re: Almost identical rules - one fires, one doesn't?
I was waiting just long enough to see the agent offline event and email, then bringing the agent back online. However, just now tried waiting about 10 minutes before bringing the agent back online, and...
Re: Almost identical rules - one fires, one doesn't?
When I first made these rules, I had no other rules configured (it was a fairly new installation). I have since added many of the "Best Practices" rules. The checkbox you refer to is checked.
Re: Custom Reporting on Groups of Nodes?
Looks good! But why does the TOP 10 column show only 4 articles?
Re: How does the Block IP active response work for multiple connected firewalls?
It would be nice if it worked the way the "Send Popup Message" active response does. In our current configuration one of our firewalls will automatically block attacker IP addresses but we would like...
Re: How does the Block IP active response work for multiple connected firewalls?
Or, just don't configure an Active Response for the Firewall that's auto-blocking, but have it log to the LEM so the rules can trigger the BlockIP on all the other firewalls.
Re: Node name in LEM
I've got a Cisco Nexus switch having the same issue and would like an answer to this question as well.
Re: Node name resolution in LEM
The previous network admin managed to set up a bunch of Cisco switches in LEM that are using friendly name but, the origin-id setting is not in their logging config nor is it set in the snmp config. How...
Re: Node name in LEM
Hi, try the following things: - Configure the command logg origin-id hostname in configuration mode, ex: switch(config)#logg origin-id hostname, or - Create a DNS entry for the node in your DNS server...
LEM CSV files are corrupt 100% of the time
We are running LEM 5.7. Ticket 810492 has been opened. Under Explore/nDepth we try to generate CSV files for some date ranges. No matter what the date or duration is, the files get produced. They are 100...
Re: Repeated Attack - Multiple Detection Sources
I have the same question/issue. The Correlation Time box needs better explanation. Alerts Within is very obvious. The Response Window however is what mystifies me. Re-Inference Time is rather vague and...
Re: LEM CSV files are corrupt 100% of the time
The file issues were known and fixed in LEM 6.0.1. Please upgrade the LEM appliance to the newest version (6.1.0) and that should resolve the issue.
Re: Repeated Attack - Multiple Detection Sources
Okay! Correlation box 101: The "X events in Y" is easy: the LEM will wait for the correlation conditions to be "TRUE" X times in Y time frame before firing. Response Window is "If the events are more...
Re: Repeated Attack - Multiple Detection Sources
This is perfect! I wish it had been in the documentation. It makes perfect sense of a complex but necessary set of logic. Thanks!!!
Trigger rule based on time of day
Is there a way to trigger a rule on a schedule? Basically I have a rule to trigger an email alert, then add the offending machine to a user defined group, so as to not continue to get the alerts. But I...
Re: Trigger rule based on time of day
I can make rules time-aware with "Time of Day Sets," and you'll find those under Build --> Groups. These allow you to make rules that only fire in certain time frames, or exclude time-frames....
Re: Trigger rule based on time of day
I know about time of day sets; this does not help. Basically I need a scheduled task to run on LEM daily. Our issue is email alert overload. We want an alert if a machine tried to go to a bad address...
Re: Trigger rule based on time of day
Yeah, the best ToDs could do is trigger the rule ONLY for the configured window, which goes down to a 30 minute resolution. We have the idea to create a "threshold of 1" type rule with a time over...