6 Replies Latest reply: Apr 21, 2017 2:17 PM by gverrault

Assistance Creating an Alert

gverrault Novice

I've been tasked with making an alert in SecurityCenter that would send an email to our incident tracking system and automatically make a ticket if certain criteria are met.  As far as generating the email and creating the incident, that I have figured out.  The part I'm having trouble with is the criteria for the alert.  The alert is to generate when:

• Vulnerability is High or Critical
• Has been discovered over 180 days ago
• Exists on a workstation (this I have an asset group set up for)
• Exists on 20 or fewer systems

All of the criteria seem pretty straightforward.  The issue I'm running into is that I need to have an alert issue for each plugin that meets these criteria so that an email would go to our ticketing system.  For instance, if we had 10 vulnerabilities that met these criteria we would need to have a separate email for each vulnerability, which would in turn send out an email and create a separate incident.  From what I'm seeing in SecurityCenter there doesn't really seem to be a way to do this, aside from manually making an alert for each plugin.  Any suggestions?  Hopefully my description makes sense.

Also, when making an alert, what is the difference between setting the trigger as "Unique Vulnerability Count" as opposed to "IP Count"?

  • Re: Assistance Creating an Alert
    nsanders Expert

    What do you have "Behavior" set to? "Only on first trigger" or "all triggers"? Does the latter cause it to fire an alert for every instance of a vuln in the way you want?

    As for the Trigger differences:

    • IP Count – Trigger on vulnerabilities or events whose IP count matches the given parameters.
    • Unique Vulnerability/Event Count – Trigger an alert when the vulnerability/event count matches the given parameters. This option is set to “Unique Vulnerability Count” for vulnerability alerts and “Event Count” for event alerts.

    You would want to use the Unique Vuln/Event Count in your case, I believe.

    • Re: Assistance Creating an Alert
      gverrault Novice

      So currently I have the alert set as follows:

      Behavior = Perform action on every trigger

      Condition
      Type = Vulnerability
      Trigger = Unique Vulnerability Count < 20

      Filter
      Asset = Workstations
      Repository = Set to our workstation repositories
      Severity = Critical, High
      Vulnerability Discovered = More than 180 Days ago

      The alert is set to send an email to my address.

      Currently the alert is only triggering if I add a plugin setting to the filter and put in the plugin IDs that I want it to trigger on.  If I don't specify a plugin ID or multiple plugin IDs the alert does not trigger.  If I specify multiple plugin IDs I get one alert notifying me of all the vulnerabilities.  I would rather not have to specify a plugin ID, as that would pretty much remove the automation from the process: I would have to be constantly adjusting the Plugin IDs on the alert in order for it to launch an individual alert for each plugin that meets the criteria.

      • Re: Assistance Creating an Alert
        davidc Apprentice

        I would stick with your original settings, using IP count < 20, but instead of sending off an email, why not have the alert kick off a CSV report (Vulnerability List) that is then emailed to your ticketing system?

      • Re: Assistance Creating an Alert
        sdunn Master

        Gabe -

        Try adding PluginID < 800000 to the filter on all vulnerabilities. That will filter out any compliance and event-based results.

        Or use Plugin Type to filter on Active or Passive. Using that filter you will need to create more than one alert.

  • Re: Assistance Creating an Alert
    zaneta22 Expert

    You may have to create more than one alert, and this also seems like a better option.

  • Re: Assistance Creating an Alert
    gverrault Novice

    I do have the alert filtered on the plugin type being Active.  It does seem that for the alerts to work the way that we want them to I would have to manually create an alert for each plugin (or create a single alert and modify the plugin ID).  The problem I run into with this is that if I am supposed to be creating an alert that matches the criteria for what we want support tickets created for I would be creating a couple hundred alerts.  It would be nice if there was some way for the alert to function almost like an iterator in the reports but clearly that function does not exist and I doubt it would be feasible to have implemented.
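The per-plugin iteration gverrault describes, written out as an added Python example that is not part of this thread and not Tenable code. It assumes a flat list of findings (for instance the CSV Vulnerability List export davidc mentions) loaded into the `Finding` records defined here; the field names, the `TODAY` date, the plugin-type labels and all sample rows are this example's own constructions. It also applies nsanders' definitions of the two triggers to the same data, so the difference between them and the per-plugin host limit can be compared side by side.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Finding:
    """One row of a vulnerability list export (field names are this example's own)."""
    plugin_id: int
    plugin_name: str
    ip: str
    severity: str      # "Critical", "High", "Medium", "Low" or "Info"
    plugin_type: str   # "active", "passive" or "compliance"
    asset: str         # asset list the host belongs to, e.g. "Workstations"
    first_seen: date   # date the vulnerability was first discovered on that host


TODAY = date(2017, 4, 21)  # fixed "now" so the example is deterministic


def base_filter(findings, today=TODAY, asset="Workstations", min_age_days=180):
    """The thread's alert filter: Critical/High, active plugins, workstation asset,
    discovered more than min_age_days ago (exactly 180 days is not 'more than')."""
    return [
        f for f in findings
        if f.severity in ("Critical", "High")
        and f.plugin_type == "active"
        and f.asset == asset
        and (today - f.first_seen).days > min_age_days
    ]


def unique_vuln_count(findings):
    """'Unique Vulnerability Count' trigger: distinct plugin IDs in the filtered set."""
    return len({f.plugin_id for f in findings})


def ip_count(findings):
    """'IP Count' trigger: distinct hosts in the filtered set."""
    return len({f.ip for f in findings})


def per_plugin_alerts(findings, max_hosts=20, **filter_kwargs):
    """The per-plugin iteration the built-in alert lacks: one alert (ticket) per
    plugin that passes the filter and is present on max_hosts or fewer hosts."""
    hosts_by_plugin = defaultdict(set)
    names = {}
    for f in base_filter(findings, **filter_kwargs):
        hosts_by_plugin[f.plugin_id].add(f.ip)
        names[f.plugin_id] = f.plugin_name
    alerts = []
    for plugin_id in sorted(hosts_by_plugin):
        hosts = sorted(hosts_by_plugin[plugin_id])
        if len(hosts) > max_hosts:
            continue  # widespread finding: outside the "20 or fewer systems" criterion
        alerts.append({
            "plugin_id": plugin_id,
            "subject": f"[SecurityCenter] Plugin {plugin_id} ({names[plugin_id]}) "
                       f"on {len(hosts)} workstation(s)",
            "hosts": hosts,
        })
    return alerts


def sample_findings():
    """Constructed sample data, not a real export."""
    old = TODAY - timedelta(days=200)
    very_old = TODAY - timedelta(days=300)
    rows = [
        Finding(10001, "Example Critical A", f"10.0.0.{i}", "Critical", "active", "Workstations", old)
        for i in range(1, 4)                                   # 3 hosts: should alert
    ]
    rows += [
        Finding(10002, "Example High B", f"10.0.1.{i}", "High", "active", "Workstations", very_old)
        for i in range(1, 26)                                  # 25 hosts: over the cap
    ]
    rows += [
        Finding(10003, "Example Medium", "10.0.0.1", "Medium", "active", "Workstations", old),
        Finding(10004, "Example Recent", "10.0.0.2", "Critical", "active", "Workstations",
                TODAY - timedelta(days=30)),                   # too new
        Finding(10005, "Example Server", "10.1.0.1", "Critical", "active", "Servers", old),
        Finding(10006, "Example Boundary", "10.0.0.3", "High", "active", "Workstations",
                TODAY - timedelta(days=180)),                  # exactly 180 days: excluded
        Finding(900001, "Example Compliance", "10.0.0.1", "Critical", "compliance", "Workstations", old),
    ]
    return rows


if __name__ == "__main__":
    findings = sample_findings()
    kept = base_filter(findings)
    print("Unique Vulnerability Count:", unique_vuln_count(kept), "IP Count:", ip_count(kept))
    for alert in per_plugin_alerts(findings):
        print(alert["subject"], alert["hosts"])
```

Run against the sample rows, the filtered set has a Unique Vulnerability Count of 2 and an IP Count of 28, while the per-plugin pass yields a single alert for plugin 10001. That gap is the point: by nsanders' definitions both triggers are one aggregate over the whole filtered result set, so a SecurityCenter alert fires once (or not at all) regardless of how many plugins are in the set, and "Unique Vulnerability Count < 20" is not the same condition as "each plugin on 20 or fewer hosts". Grouping the export by plugin outside the product, as above, is one way to get one ticket per plugin without maintaining a plugin-ID list in the alert.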