I need help creating a rule
I need to create a rule which will generate incidents when a Cisco device is disabled. For example, events were being sent by Cisco switches, and one of the Cisco switches is damaged and I can't receive events from it. How can I find this switch?
The System state monitor rule doesn't work in this case because I have 1 agent, 1 collector, 1 sensor and many Cisco switches. The collector sends events from Cisco, but I have a lot of switches and I want to find only the one (damaged) switch.
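
The situation described in the post, where the collector keeps reporting while one switch behind it goes quiet, as an added example that is not part of the original post and is not written in any SIEM product's rule syntax: it tracks the newest event per originating switch rather than per collector and flags switches that exceed a silence threshold or never reported. The line layout, the inventory set, the addresses and the 30-minute threshold are all assumptions made for the illustration.

```python
from datetime import datetime, timedelta

# Constructed sample: events forwarded by ONE collector, one line per event:
# <ISO timestamp> <collector> <originating switch IP> <message>
SAMPLE_EVENTS = """\
2024-05-01T09:02:00 collector01 192.0.2.11 %LINK-3-UPDOWN: Interface Gi0/1, changed state to up
2024-05-01T09:05:00 collector01 192.0.2.12 %SYS-5-CONFIG_I: Configured from console
2024-05-01T09:40:00 collector01 192.0.2.11 %LINK-3-UPDOWN: Interface Gi0/2, changed state to down
2024-05-01T09:58:00 collector01 192.0.2.13 %SYS-5-CONFIG_I: Configured from console
"""

# Hypothetical inventory of switches that are expected to report.
EXPECTED_SWITCHES = {"192.0.2.11", "192.0.2.12", "192.0.2.13", "192.0.2.14"}


def last_seen_per_source(lines):
    """Return {switch_ip: newest event time}, keyed by device, not by collector."""
    last_seen = {}
    for line in lines.splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) < 3:
            continue  # skip malformed lines
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue  # skip lines without a parsable timestamp
        source = parts[2]
        if source not in last_seen or ts > last_seen[source]:
            last_seen[source] = ts
    return last_seen


def find_silent_sources(lines, expected, now, max_silence):
    """Return {switch_ip: last event time or None} for every silent switch."""
    last_seen = last_seen_per_source(lines)
    silent = {}
    for source in sorted(expected):
        seen = last_seen.get(source)
        # None means the switch is in the inventory but never sent an event.
        if seen is None or now - seen > max_silence:
            silent[source] = seen
    return silent


if __name__ == "__main__":
    now = datetime(2024, 5, 1, 10, 0, 0)
    result = find_silent_sources(SAMPLE_EVENTS, EXPECTED_SWITCHES, now, timedelta(minutes=30))
    for ip, seen in result.items():
        print(ip, "last event:", seen or "never")
```

The threshold has to be longer than the quietest healthy switch's normal gap between events, otherwise low-traffic devices are reported as failed.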