Forum Discussion
Stale security event / Windows firewall reporting
- Dec 16, 2019
Hi glenmcleroy, it is a very common issue with monitoring systems, not just security. Endpoint inactivity tends to be variable. I think that the way to tackle that is to start from the response process, i.e., what will you do if you don't get events from an endpoint for a day? Probably nothing.
Therefore, I would suggest setting up a fixed time period after which you start getting "worried" and check things. A week? Two weeks? A rule that fires if events have not been observed for that period would be a good solution. You can have a playbook triggered that asks the user if things are OK and closes the incident automatically if he confirms.
Lastly, you will probably need a whitelist that will prevent triggering on known unresponsive computers. We will publish a blog on how to do that shortly.
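The rule described in the reply above (fire when an endpoint has been silent longer than a fixed period, skip known-unresponsive hosts, auto-close when the user confirms), as an added stand-alone example that is not part of the original post. Host names, timestamps, the 7-day threshold and the whitelist are constructed sample data.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: last time each endpoint forwarded a security event (UTC).
LAST_EVENT_SEEN = {
    "ws-alice":  "2019-12-15T22:10:00Z",
    "ws-bob":    "2019-12-03T08:45:00Z",
    "lab-kiosk": "2019-10-01T12:00:00Z",
    "ws-carol":  "2019-12-06T17:30:00Z",
}
NOW = datetime(2019, 12, 16, 9, 0, tzinfo=timezone.utc)   # fixed "now" so the run is repeatable
STALE_AFTER = timedelta(days=7)                             # the "get worried" period
KNOWN_UNRESPONSIVE = {"lab-kiosk"}                          # whitelist of hosts that never report


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamps used in the sample data."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_stale_endpoints(last_seen, now=NOW, threshold=STALE_AFTER, allowlist=KNOWN_UNRESPONSIVE):
    """Return (host, whole days silent) for every non-whitelisted host quiet for >= threshold.

    Sorted longest-silent first so the most likely broken agent is triaged first.
    """
    stale = []
    for host, ts in last_seen.items():
        if host in allowlist:          # known unresponsive: never alert
            continue
        silent = now - parse_ts(ts)
        if silent >= threshold:
            stale.append((host, silent.days))
    return sorted(stale, key=lambda item: -item[1])


def triage(stale, confirmations):
    """Playbook step: ask the owner of each stale host; auto-close if they confirm it is fine.

    `confirmations` maps host -> True when the user replied that things are OK.
    Hosts without a confirmation stay open for an analyst to check.
    """
    return {host: ("closed" if confirmations.get(host) else "open") for host, _ in stale}


if __name__ == "__main__":
    alerts = find_stale_endpoints(LAST_EVENT_SEEN)
    print("stale endpoints:", alerts)
    print("after user replies:", triage(alerts, {"ws-bob": True}))
```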