RSA Admin

Will alert fire when the view it's in is restarting?

Discussion created by RSA Admin Employee on Jun 15, 2010
Latest reply on Jun 16, 2010 by RSA Admin

I have a correlated alert (no multi-threading, no threshold) which is supposed to be triggered by the following messages: Security_624_Security; Security_624_Security:01; Security_624_Security:02.  I think what happened is that the view the alert is in was restarted, while it was restarting a Security_624_Security:02 came in and this didn't trigger an alert b/c the view was not done restarting yet?  Does that sound right? I included what I think are the relevant log messages. Any thoughts or alternative theories would be appreciated.

2010/06/02 08:50:05.068 CDT %NIC-5-608023: Alerter, Alerter, -, -, -, -, Detail: 2732: 1129 Requesting view=Windows Alerts to reset

2010/06/02 08:50:47.109 CDT %NICWIN-4-Security_624_Security: Security,rn=1700813 cid=0x00000007 eid=0x00000270,Wed Jun 02 08:51:04 2010,624,Security,domain1/user1,Success Audit,hostname1,Account Management,,User Account Created: New Account Name: user2  New Domain: domain2 New Account ID: None  Caller User Name: user1  Caller Domain: domain1  Caller Logon ID: (0x0,0xE3F71CE)  Privileges -  Attributes: Sam Account Name: user2  Display Name: <value not set>  User Principal Name: -  Home Directory: <value not set>  Home Drive: <value not set>  Script Path: <value not set>  Profile Path: <value not set>  User Workstations: <value not set>  Password Last Set: <never>  Account Expires: <never>  Primary Group ID: 513  AllowedToDelegateTo: -  Old UAC Value: 0x190030  New UAC Value: 0xB8  User Account Control:     'Temp Duplicate Account' - Enabled    'Workstation Trust Account' - Enabled    'Don't Require Preauth' - Disabled    'Undefined UserAccountControl Bit 19' - Disabled    'Undefined UserAccountControl Bit 20' - Disabled  User Parameters: <value not set>  Sid History: -  Logon Hours: <value changed, but not displayed>

2010/06/02 08:52:01.646 CDT %NIC-1-919010: domain3:ENVISION-AS1 stamp=Jun 02 08:50:05 type=1601 level=4 niccategory=99 event_category=9999999999 addr=y.y.y.y deviceclass=SYSTEM msg_id=608023 view_id=e138ca21-74be-4abb-a891-79f30e499c58 view_name=NIC_View device_id=326bd243-69f2-4ebf-a40d-d19f7308b267 lp=x.x.x.x:5367:4176285452 status=0 coreid=ve138ca21-74be-4abb-a891-79f30e499c58_c1998_NIC_ALERTER_201006020852010004 ipmatch=0 ip_addr_1= ip_count_1=0 ip_addr_2= ip_count_2=0 ip_addr_3= ip_count_3=0 device_type=100 source_ipr= destin_ipr= msg=%NIC-5-608023: Alerter, Alerter, -, -, -, -, Detail: 2732: 1129 Requesting view=Windows Alerts to reset

Matt
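The theory in the post can be checked mechanically: find the Alerter's "Requesting view=... to reset" message, then see whether any of the watched Windows events arrived within the period the view was plausibly still coming back up. The script below is an added example written for this thread, not code from the post or from RSA enVision. It assumes a line layout of collector timestamp, timezone, "%message-id:" and body (as in the three lines quoted above), treats only NIC-5-608023 as a reset request (the NIC-1-919010 line repeats the same text in its msg= field and must not be counted twice), and takes a 60-second restart window as an assumed upper bound, since nothing in the quoted lines records when the view finished restarting. The sample lines are trimmed copies of the three in the post.

```python
import re
from datetime import datetime

# Constructed sample, trimmed from the three lines quoted in the post
# (long Windows attribute fields and most NIC key=value fields dropped).
SAMPLE_LOG = [
    "2010/06/02 08:50:05.068 CDT %NIC-5-608023: Alerter, Alerter, -, -, -, -, "
    "Detail: 2732: 1129 Requesting view=Windows Alerts to reset",
    "2010/06/02 08:50:47.109 CDT %NICWIN-4-Security_624_Security: Security,"
    "rn=1700813 cid=0x00000007 eid=0x00000270,Wed Jun 02 08:51:04 2010,624,"
    "Security,domain1/user1,Success Audit,hostname1,Account Management,,"
    "User Account Created: New Account Name: user2  New Domain: domain2",
    "2010/06/02 08:52:01.646 CDT %NIC-1-919010: domain3:ENVISION-AS1 "
    "stamp=Jun 02 08:50:05 type=1601 level=4 msg_id=608023 view_name=NIC_View "
    "msg=%NIC-5-608023: Alerter, Alerter, -, -, -, -, Detail: 2732: 1129 "
    "Requesting view=Windows Alerts to reset",
]

# Collector timestamp, timezone, message id (with optional ":NN" suffix), body.
HEADER_RE = re.compile(
    r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) (\S+) "
    r"%([A-Z]+-\d-\w+(?::\d+)?): (.*)$"
)
RESET_RE = re.compile(r"Requesting view=(.+?) to reset")
RESET_MSG_ID = "NIC-5-608023"      # the Alerter's own reset-request message
WINDOWS_MSG_PREFIX = "NICWIN-4-"   # assumed prefix on Windows event message ids

WATCHED = {"Security_624_Security", "Security_624_Security:01", "Security_624_Security:02"}


def parse_line(line):
    """Split one log line into header fields; None if the layout does not match."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S.%f"),
        "tz": m.group(2),
        "msg_id": m.group(3),
        "body": m.group(4),
    }


def reset_requests(lines):
    """Return (collector timestamp, view name) for each genuine reset request.

    Only NIC-5-608023 lines count; the NIC-1-919010 line carries a copy of the
    same message text in its msg= field and would otherwise be counted twice.
    """
    out = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["msg_id"] == RESET_MSG_ID:
            m = RESET_RE.search(rec["body"])
            if m:
                out.append((rec["ts"], m.group(1)))
    return out


def windows_event_time(body):
    """Parse the device-side timestamp embedded as the third comma field."""
    return datetime.strptime(body.split(",")[2], "%a %b %d %H:%M:%S %Y")


def events_during_reset(lines, view, event_ids, window_seconds=60):
    """Flag watched events received within window_seconds after a reset request
    for `view`.  window_seconds is an assumed upper bound on the restart time.
    """
    last_reset = None
    flagged = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["msg_id"] == RESET_MSG_ID:
            m = RESET_RE.search(rec["body"])
            if m and m.group(1) == view:
                last_reset = rec["ts"]
            continue
        if not rec["msg_id"].startswith(WINDOWS_MSG_PREFIX) or last_reset is None:
            continue
        event_id = rec["msg_id"][len(WINDOWS_MSG_PREFIX):]
        if event_id not in event_ids:
            continue
        gap = (rec["ts"] - last_reset).total_seconds()
        if 0 <= gap <= window_seconds:
            dev_ts = windows_event_time(rec["body"])
            flagged.append({
                "event_id": event_id,
                "received": rec["ts"],
                "seconds_after_reset": gap,
                # positive when the Windows host's clock runs ahead of the collector's
                "clock_skew_seconds": (dev_ts - rec["ts"]).total_seconds(),
            })
    return flagged


if __name__ == "__main__":
    for hit in events_during_reset(SAMPLE_LOG, "Windows Alerts", WATCHED):
        print(f"{hit['event_id']} received {hit['seconds_after_reset']:.3f}s after the "
              f"reset request (device clock skew {hit['clock_skew_seconds']:+.3f}s)")
```

Run against the quoted lines it reports the 624 event arriving about 42 seconds after the reset request, i.e. inside the assumed window; with a 30-second window it reports nothing, which is the whole question the post is asking. Comparisons are made on the collector's receive time, not the Windows-side timestamp inside the event, because the two clocks differ (in this sample the host's clock is ahead of the collector's).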
