2 Replies Latest reply on Sep 12, 2019 1:15 PM by curtisi

    DNS Server Audit - Email alert

    venkythiru

      Hi there, I am trying to set up an email alert for DNS record update alerts. In the action tab, I am targeting Host incidents, as we are trying to get an alert from the internal DNS server if there are any DNS record updates. After I tested, I don't see any email alerts to my email. Please let me know if I have to make any changes in the rule; hope to hear from you. The rule screenshot is mentioned below.

       

        • Re: DNS Server Audit - Email alert
          jhynds

          Do you have a sample of the log entry that you want to base your rule on? Once I see the associated fields with that particular entry I can advise on the rule & alert.

          • Re: DNS Server Audit - Email alert
            curtisi

            The correlation appears to be looking for a "HostIncident," which can only be generated by the LEM itself.  Unless you have another rule that looks for those DNS events under the appropriate taxonomy, like an ObjectAudit or other event calls, and makes a host incident, your rule will probably never fire.  Seeing how the SEM is normalizing the event so the appropriate correlations can be chosen will help.