Hello,

Thank you very much for your answer.
We've followed the procedure you mentioned but we are having some trouble.
We are receiving alarms of data sources that are not failing, let me give you an examples:

Correlation Data Source:

Note: We configured threshold of 15 minutes for Correlation Data Source.

1. As you can see from the screenshot (Alarm_Trigger_Data_Source_Correlation.PNG) we had an alarm trigger for the "Correlation" Data Source at 19 Oct 2022 12:06:50pm.
2. If we check the event graphics (Events_Data_Source_Correlation_1.PNG,Events_Data_Source_Correlation_2.PNG) we can see that there is not a time in which this log source fails for 15 minutes.
3. This situation keeps repeating. We keep receiving alarms and not seeing data source failure for 15minutes.

What do you think that is causing this issue?
Is 15 minutes a threshold too short for the SIEM to handle? Do you know if there are any other causes for this?
I've attached the alarm configuration and Inactivity Settings for this example I gave you.
Could you help us with this situation?

Thank you very much.
Best regards,
Goncalo

Here is the rest of the attachments

More attachments

Last attachments

Hi Edgar,

I did not ask your version but will assume you are on v11.x

I believe the inactivity alarms are firing on the ESM. So if the events are coming in on a receiver or correlation engine but the ESM does not have them, the Idle alarm will fire.

So if you have an alarm set for 15 minutes inactivity and the auto-publish time for the device is 15 minutes or more , then you are likely to have false positive.

Thanks

Dorothée

Hello,

I verified what you said and you are right.

Thank you so much for your help.

Best regards,

Goncalo