Data Loss Prevention

  • 1.  Syslog message when Incident Status Changes

    Posted Sep 22, 2016 05:47 PM

    Is there a way to send a Syslog message to the Syslogserver when an Incident Status is changed?



  • 2.  RE: Syslog message when Incident Status Changes
    Best Answer

    Trusted Advisor
    Posted Sep 23, 2016 02:51 AM

    Hello Chad,

    Yes, it is possible:

    - You first have to create a smart response rule which includes two actions:

    - status change

    - syslog notification

    Then you have to update all roles which have to use this response rule in order to allow them to execute this response rule. So now they will have access to this response rule in the incident detail page. And (maybe not the easiest part) you have to train users to use this response rule instead of the "Status" drop-down menu. So each time a user changes status using the response rule, both actions will be executed: status change and syslog notification. You could also add other types of action, like an automatic email notification.

    You have to create one response rule per status defined in your system, but it is not possible to do this on a status change using the drop-down menu.

    Regards.



  • 3.  RE: Syslog message when Incident Status Changes

    Posted Sep 23, 2016 04:34 AM

    @Stephane, how do you create that response rule? I can't see that option of status change on 12.5v.



  • 4.  RE: Syslog message when Incident Status Changes

    Trusted Advisor
    Posted Sep 23, 2016 05:53 AM

    It is available in the "Manage/Policy/Response rule" menu: you choose to create a "smart response rule" (not automatic), and then in the action menu you should have something about status.



  • 5.  RE: Syslog message when Incident Status Changes

    Posted Sep 23, 2016 10:57 AM

    Is there a Status attribute that can be used when creating the syslog message?


    I tried $STATUS$ but that didn't work.



  • 6.  RE: Syslog message when Incident Status Changes

    Trusted Advisor
    Posted Sep 23, 2016 01:02 PM

    It seems it is not available (admin guide v14, p. 926)...

    If you create one response rule per status, you could set it by hand in the syslog message...