Filtering alerts

I have recently installed 2 scanning machines on my network and am wondering what the best approach would be for ignoring the IDS alarms that they set off.
I am using VMS to view events from a number of sensors. It is set to view 50k events by default; when I go much higher than that my box crawls, and with all the TCP SYN Host Sweep and TCP SYN Port Sweep alerts being generated by my 2 scanning boxes, my 50k alerts only cover a short timeframe.
The scanning machines are running Windows 2003 with SQL Server on one of them, so I don't want to eliminate alerts from them altogether, but if I could somehow get rid of this enormous amount of noise that would be best.
So should I be tuning the alert on the sensor itself to exclude sig X and Y for attacker IPs of A and B? Or can I build a filter in VMS so that when I view alerts it filters out any alerts from those IPs?

Good questions. This is another great example of "What's the best practice?" that I think we, as a community should better address.
Anyway, since you want to continue to protect the hosts you use to perform network scans, while at the same time filtering out the IDS alerts they generate while performing their assigned tasks, I'd like to suggest some event filters.
I'm going to assume you know how to build event filters, so I'll skip over the instructional elements and get right to the suggestions.
I suggest you start by identifying exactly which SigIDs are being generated by a typical scan (for example, 2100, 3002 and 3030 - which are ICMP netsweep w/ echo, TCP Syn Port sweep and TCP Syn Host sweep respectively. They are common occurrences when network scanners are at work). Take this list of SigIDs and combine it with the two IP addresses as sources to make a filter.
Quick tip - you can put all the SigIDs into one filter by separating them with commas (no spaces). This way, a single event filter can deal with multiple SigIDs for the two IP addresses.
IMHO, it's always better to squelch known false positive/accepted traffic at the sensors, vice filtering it out at the Monitoring Console. Essentially, this improves the value of your collected IDS alarms by not introducing unwanted data to your SecMon (or SIMS), which typically employs a backend DB. Fewer records in the DB means more efficient searches and reports can be generated from it.
I hope this helps,
Alex Arndt

Similar Messages

  • IPS sample question discussion

    Hi
    I am preparing for IPS and got confused with the below question. Please advise.
    Q : A new sensor is generating a great deal of false positive alerts on the web servers. Which two actions will help to reduce the amount of the false positives? (choose two)
    A. Create a policy that denies attackers inline and filters alert for event with high risk ratings.
    B. Lower the severity level of the signatures that are generating the false positives.
    C. Lower the fidelity rating of signatures that are generating the false positives.
    D. Raise the Target Value Rating for your web servers.
    E. Create a filter that filters out any alert whose target address is that of one of your web servers.
    Answers provided : A,D
    But I feel "A" & "D" will not do anything to reduce the false positive generation, and there could be denying of legitimate traffic also.
    As per me, the answer should be "B" and "E".
    In fact we should be defining event action overrides (instead of filters), "not to produce alert" for events with lower risk rating.
    PLEASE SHARE YOUR VIEWS :-)

    Hi ... please post your questions to the Career Certifications forum! They will be able to help you with any questions you have for your exam preparation!

  • Customizable Email Filters w/ Alerts in IOS8?

    Hi, I have an iphone5s which I bought after I lost my BB10 powered Z10.  On the Z10, there was an app that let me customize alerts according to filters I could set, either according to email address of the incoming email, or things like text strings found in the body or subject.  To some degree you could do this in the OS as it came.
    I have an online business for which I need to know about specific communications during the day, but don't want to be distracted by all of them.  For example, one email account might receive messages with "contact form" in the subject from my "info@[mywebsite]", and I want to hear a specific alert for this.  Another address receives two forms of communication from a specific email address (the payment gateway).  One is the daily settlement report.  The other is whenever a transaction fails. I want to play different alerts according to the text in the email -- ie, does it contain "settlement report" or does it contain "transaction failed"-- and play different alerts depending on the situation.  I also have a few customers who are volunteering to be "testers" who send feedback and others who are special cases for whom I often need to review their orders before they get filled by some other people.  I need to intercept these.. if only I could play an alert according to the text "order #" for example, or a regular expression in general.
    I'm really surprised that in 2014 I could not find a way to do this in iOS 7 and I'm hoping that Apple will start adding features conducive to business. I can't imagine holding out any longer when I upgrade in a few months.  Apple, if you're listening, what wins me over are features and the ability to customize.  These are so easy to implement, why not just do it?  I'm such a low-hanging-fruit easy sale if you would just copy what's been done already on BB and Android. Please support filtering according to regular expression filter syntax.

    This is a user-to-user support forum and not the best way to give a request or suggestion to Apple. You may want to make the suggestion at: https://www.apple.com/feedback/iphone.html

  • Alert log filtering examples

    Hello.
    Following the Oracle Note Monitoring 10g Database Alert Log Errors in Enterprise Manager [ID 976982.1], I am trying to include some exceptions in the alert log filtering tool but I was looking for more examples. Does anyone have any?
    Oracle Enterprise Manager 10g Release 5 Grid Control 10.2.0.5.0

    For example, if I want to filter out any 0600 errors that contain the qctVCO:csform argument, would this be appropriate?
    .*ORA-0*(54|1142|1146)\D.*|.*ORA-00600:.*\[qctVCO:csform][^\]]*\].*
    Do we need to pipe for each successive ORA error, as above?
    Thanks,

  • Customizable Email Filters w/ Alerts - App Failure!

    Does this make the iPhone almost useless to anyone else? I would expect after the amount of time that the iPhone has been out that the developers would have added some sort of feature to create custom alerts for emails using filters.
    I work for a large corporation and use my phone as a pager to wake me up when I get certain emails or pages.
    I recently purchased an iPhone to use as my work phone only to find that there is no way to do this other than an app like MailTones which requires that you forward your emails through their server which I do not feel comfortable doing. This should be a built in feature!
    Does anyone know if this is going to be added, or if it is even being considered for the future?

    You are correct that I should have checked into it a bit more and there are various ways around it that I can use such as setting alerts to all of the messages in my inbox to wake me up but that will wake me more than I would like.
    There are others in our company using their iPhone as their work phone/pager and it works for them but I guess our group is more attentive to some of the alerts we get. If I wait long enough, these alerts can turn into a real problem and I will get a call from our Network Operations Center. I would simply like to avoid the NOC ever knowing that there is an issue. We like to fix things before they impact users.
    I work for a major news company. We support the application layer of functionality that is behind everything that gets videos, stories, content, etc... to the public and onto the web or TV.
    We have automated monitoring systems that send us alerts which we filter prior to getting them on the iPhone. So even being able to make one folder alert differently from another would be sufficient.
    I'm sad to hear that we do not have any official apple support on this forum. I was in hopes of hearing from a developer or someone of the like...
    Don't get me wrong, I love the iPhone. I have a Pre as my personal phone and I love them both, but it just seems that they would have added this feature by now. Also, being able to mark all messages as read seems like an elementary feature that should be included.

  • Filtering verbose alerts

    Greetings all. I'm having some difficulties implementing event filters for a 4215 running 5.0.4.
    1. I've globally enabled verbose alerting via the CLI by doing
    # service event-action-rules rules0
    # overrides produce-verbose-alert
    2. I want to filter 'TCP SYN Port Sweep' (3002 0) so it doesn't get logged to the idsEventStore. I've created the following single filter,
    # service event-action-rules rules0
    # filters insert foo begin
    # signature-id 3002
    # subsignature-id-range 0-10
    # actions-to-remove produce-verbose-alert
    # filter-item-status Enabled
    # stop-on-match True
    I save my changes and when running local scans I see the event still being logged but WITHOUT the triggerPacket info. OK, I edit the rule and change to
    # actions-to-remove produce-alert
    run scans again and the event appears in the idsEventStore WITH the triggerPacket.
    It appears I have to create two identical filter rules, first one with
    # actions-to-remove produce-verbose-alert
    next one with,
    # actions-to-remove produce-alert
    in order to completely filter 'TCP SYN Port Sweep' from the idsEventStore and I don't see it. So my question to the group is,
    How does one create a single event filter rule to drop verbose alerts? Note: I need to have produce-verbose-alert set globally for troubleshooting.
    Thanks in advance for the assistance.

    When creating a filter you can specify multiple actions to remove. In IDM you hold down the control key to select each additional action. In IDM I think you put a "|" between each action you want to remove: "produceAlert|produceVerboseAlert".
    You will need to use the one filter to remove All actions that produce any kind of alert.
    So you need to remove the following actions at a minimum:
    produceAlert
    produceVerboseAlert
    requestSnmpTrap
    logAttackerPackets
    logVictimPackets
    logPairPackets
    The last 5 actions above will force an alert to be produced Even if produceAlert has been filtered out. So you have to remove them as well. This is sort of stated in the IDM guide:
    http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids11/idmguide/dmevtrul.htm#wp1062278
    But was not made clear in the CLI guide.
    If you want to prevent all the actions (including those that don't produce an alert) then enter every action in the actions to remove section.
    (NOTE: This is much easier to do in IDM. You select the top action, Hold down Shift key, and select the last action, and all the actions will be selected for removal).
    It sounds like you are not interested in the 3002 signature at all. If this is the case, then the simplest thing to do is to just Disable the signature, and not worry about the filters.
    The filters should really only be used if you want to filter for specific address ranges, or want to filter out some but not all of the actions.
    If you want to filter out All actions for All ip addresses, then just Disable the signature instead.
    It will save on internal processing within the sensor.
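    The workflow Alex Arndt lays out in the first answer on this page (identify which SigIDs the scanners actually trigger, then build a sensor filter for those SigIDs from the scanner addresses) and the full list of alert-producing actions from the reply just above, as an added Python example. It is not code from either post or from Cisco. The events are constructed; the scanner and target addresses are RFC 5737 documentation ranges; the emitted CLI keywords (signature-id-range, attacker-address-range and the action names) follow the IPS 5.x CLI as used in this thread and are an assumption, so confirm them with the sensor's own `?` help before pasting.

```python
"""Triage IDS noise from known scanner hosts and draft sensor-side event filters.

Added example for this thread, not code from the original posts or from Cisco.
Sample events are constructed; addresses are RFC 5737 documentation ranges.
"""
from collections import Counter
from dataclasses import dataclass

# Every action that produces an alert record. Per the 'Filtering verbose alerts'
# reply, leaving any of these in place still gets the event written to the store.
ALERT_ACTIONS = (
    "produce-alert",
    "produce-verbose-alert",
    "request-snmp-trap",
    "log-attacker-packets",
    "log-victim-packets",
    "log-pair-packets",
)


@dataclass(frozen=True)
class Event:
    sig_id: int
    attacker: str
    victim: str


SCANNERS = {"192.0.2.10", "192.0.2.11"}

# Constructed sample: two scanner hosts sweeping 10.0.0.0/24, one outside host
# probing the same segment, and one hit where a scanner box is the victim.
SAMPLE_EVENTS = (
    [Event(3002, "192.0.2.10", f"10.0.0.{i}") for i in range(1, 11)]  # TCP SYN Port Sweep
    + [Event(3030, "192.0.2.11", f"10.0.0.{i}") for i in range(1, 5)]  # TCP SYN Host Sweep
    + [Event(2100, "192.0.2.10", f"10.0.0.{i}") for i in range(1, 4)]  # ICMP Network Sweep w/Echo
    + [Event(2100, "203.0.113.5", "10.0.0.1")]   # same signature from an outside host
    + [Event(3002, "203.0.113.5", "10.0.0.2")]   # outside port sweep
    + [Event(6000, "203.0.113.5", "192.0.2.11")]  # constructed sig id; a scanner is the victim
)


def noisy_signatures(events, scanners, min_share=0.9):
    """Signatures the scanners dominate: {sig_id: scanner_count} for every
    signature where the scanners produce at least min_share of its events.
    Signatures they only occasionally trip stay unfiltered, so the same
    signature from anyone else keeps alerting."""
    total = Counter(e.sig_id for e in events)
    from_scanners = Counter(e.sig_id for e in events if e.attacker in scanners)
    return {sig: n for sig, n in from_scanners.items() if n / total[sig] >= min_share}


def filter_stanzas(sig_ids, scanners, actions=ALERT_ACTIONS):
    """One event-action filter per (signature, scanner), in the IPS 5.x CLI
    shape used in this thread. The signature-id-range and attacker-address-range
    keywords are assumptions; check them against the sensor's '?' help."""
    stanzas = []
    for sig in sorted(sig_ids):
        for ip in sorted(scanners):
            name = f"scanner-{sig}-{ip.replace('.', '-')}"
            stanzas.append("\n".join([
                "service event-action-rules rules0",
                f"filters insert {name} begin",
                f"signature-id-range {sig}-{sig}",
                "subsignature-id-range 0-255",
                f"attacker-address-range {ip}-{ip}",
                "actions-to-remove " + "|".join(actions),
                "filter-item-status Enabled",
                "stop-on-match True",
                "exit",
            ]))
    return stanzas


def remaining_after_filter(events, scanners, sig_ids):
    """Console view once the filters are live: the dominated signatures from
    the scanners drop out; other signatures from them, and anything where a
    scanner is the victim, are kept, which is the point of filtering by source."""
    return [e for e in events if not (e.attacker in scanners and e.sig_id in sig_ids)]


if __name__ == "__main__":
    noisy = noisy_signatures(SAMPLE_EVENTS, SCANNERS)
    print("signatures dominated by the scanners:", noisy)
    for stanza in filter_stanzas(noisy, SCANNERS):
        print(stanza, end="\n\n")
    kept = remaining_after_filter(SAMPLE_EVENTS, SCANNERS, noisy)
    print(f"{len(kept)} of {len(SAMPLE_EVENTS)} events still reach the console")
```

    With the constructed data, 3002 and 3030 pass the 90% threshold and 2100 does not (an outside host accounts for a quarter of those events), so the scanners' ICMP sweeps keep alerting until you lower min_share or decide that signature is not worth keeping for them. The filter strips every alert-producing action rather than just produce-alert, which is the trap the reply above describes; the signature stays enabled, so the same sweep from any other source is still reported.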

  • IPS - Event Action Filters. Which alerts do you supress

    Currently we have three IPS sensors consolidating all of our information into MARS and it is working quite well.
    The question that I am wondering is if anyone has a suggestion for what is the best practice for tuning signatures at the IPS appliances and what alerts to suppress.
    For example, our internal IPS has fired off a signature in regards to network scanning from our Orion NPM server. In the past I would filter out all alerts from this source IP to respective destination networks.
    Looking at things again, is it best to just suppress the alert and still log the packets, or just remove all of the alerts, packet logging, etc. because it is a false positive?
    Thanks in advance,
    Matt

    I think everyone has a different opinion about where and how to best tune the "SIM" environment. My 2 cents...
    Think about how many places you'd have to make a change in order to effectively tune out what you're after.
    Reserve your MARS drop rules for more "broad" filtering that would otherwise require changes to multiple devices and device types. For example, you might have a drop rule for all devices that perform network management-like processes. These devices can create lots of firewall accepts (and sometimes denies). Lots of netflows. They often trigger various IDS signatures. This is perfect for a MARS drop rule.
    Some changes may only require a change in one place (i.e. tune one reporting device). Cisco IDS alarms are a common one. You have a specific signature triggering a single rule in MARS. In this situation, if you have the ability to do it (time, know-how, access to the device, etc.), do your tuning as close to the reporting device as possible. Research alarms and tune on the sensor itself. Disable irrelevant or false-positive prone signatures. Create event filters where necessary.

  • Filters used in BAM Alerts

    I am using BAM 11.5 and I am trying to use an alert that has a lookup field as a filter. Is this possible? When I use the lookup field, the alert does not get triggered. My goal is for the alert to send one email message to the employee per travel request ID. To do this, I was attempting to use sequenceID as a filter. Even though approver and sequenceID are dynamic, there will always be a sequence 1 for each travel request.
    My data object that has the lookup fields look like this:
    TravelID   LATEST   RequestStatus   approver   sequenceID   TravelLateDate            employee
    TR000012   Y        SUBMIT          jstein     3            11/22/2012 12:00:00 AM    jcooper
    TR000012   Y        SUBMIT          wfaulk     2            11/22/2012 12:00:00 AM    jcooper
    TR000012   Y        SUBMIT          cdickens   1            11/22/2012 12:00:00 AM    jcooper
    approver and sequenceID are lookup fields to another data object
    I am using "When a data field in a data object meets specified conditions"
    The filter looks like this:
    LATEST is equal to Y
    TravelLateDate is less than or equal to NOW()
    RequestStatus is equal to SUBMIT
    sequenceID is equal to 1
    Using sequenceID the alert does not get triggered. If I take out the sequenceID from the filter, the alert gets triggered, and an email is sent to the employee for that travel request. However, sometimes the employee gets multiple e-mails depending how many approvers there are for the travel request. Sometimes it only sends one e-mail even though there are several approvers. This seems to be intermittent.
    Is there a way to work around this or is there a better way to send the email? Does the alert only get triggered when the travel request is submitted or can it get triggered when the TravelLateDate has passed? So if an employee enters a travel request today(11/20/2012), and the late date is 11/24/2012 will the alert get triggered on 11/24/2012? If not, how can this be accomplished?
    Thanks
    Judy

    If you want the email to only be sent once, you'll need to create a rule that will send based off of when the row gets created. It would also be possible to create a custom Java action that has the logic to only send one email per row, regardless of when it is created.
    If you don't need the email to be sent just once, you can create a rule that runs on a scheduled basis (maybe once a day). Then have that rule just call another rule that will check the rows in your data object to see which need an email sent.

  • Unix Log Monitoring regular expression not picking up alerts

    Hi,
    We are moving our unix monitoring to SCOM 2012 SP1 rollup 4.
    What I have got working is individual alert logging of Unix log alerts by exporting the MP and changing the <IndividualAlerts> value to true and removing the suppression XML section, then reimporting the MP.
    What I am trying to do is use the regular expression to perform the suppression of specific events (such as event codes).
    The expression is:
    ((?i:warning)(?!(.*1222)|(.*1001)))
    ie Search the log for "warning" (not case sensitive) then check if events 1222 or 1001 exist if so return no match, if they dont exist then return true. 
    I use the built-in test function in SCOM when creating the rule and the tests come back as expected, but when I inject test lines into the Unix log, no alerts get generated.
    I suspect it could be the syntax not being accepted on the system (its running RedHat 6 )
    I have tested this with regex tools and works.
    When I try and test it on the server I get:
    [root@bld02 ~]# grep ((?i:Warning)(?!(.*1222)|(.*1001))) /var/log/messages
    -bash: !: event not found
    [root@bld02 ~]# tail /var/log/messages
    Nov 13 15:07:26 bld02 root: SCOM Test Warning Event ID 1001 Round 18
    Nov 13 15:07:29 bld02 root: SCOM Test Warning Event ID 1000 Round 18
    Nov 13 15:07:35 bld02 root: SCOM Test Warning Event ID 1002 Round 18
    So I am expecting 2 alerts to be generated.
    SCOM tests to show expression working:
    Test 1 Matching
    Test 2 to exclude
    Need some help with this, thank you in advance :)

    Hello,
    Here's an example of modifying the MP to exclude particular events.  Firstly, I created a log file rule using the MP template that is fairly inclusive - matching the string Warning (with either a lower or upper case W).
    I then exported the MP, and modified the rule.  I set the IndividualAlerts = true and removed the AlertSuppression element, so that every matched line will fire a unique alert.  You don't have to remove the AlertSuppression, but you should use individual alerts so that the exclusion logic doesn't exclude concurrent events that you actually want to match.
    Implementing the exclusion logic involves the addition of a System.ExpressionFilter definition in the rule. This will use a conditional evaluation of the //row element of the data item.  Here's an example of a dataitem matching an individual row:
    <DataItem type="System.Event.Data" time="2013-11-15T10:33:14.8839662-08:00" sourceHealthServiceId="667FF365-70DD-6607-5B66-F9F95253B29F">
      <EventOriginId>{86AB962D-2F44-29FD-A909-B99FF6FEB2C5}</EventOriginId>
      <PublisherId>{EC7EA4B1-0EA5-7E8E-701F-82FEF3367BC4}</PublisherId>
      <PublisherName>WSManEventProvider</PublisherName>
      <EventSourceName>WSManEventProvider</EventSourceName>
      <Channel>WSManEventProvider</Channel>
      <LoggingComputer/>
      <EventNumber>0</EventNumber>
      <EventCategory>3</EventCategory>
      <EventLevel>0</EventLevel>
      <UserName/>
      <RawDescription>Detected Entry: warning 1002</RawDescription>
      <CollectDescription Type="Boolean">true</CollectDescription>
      <EventData>
        <DataItem type="SCXLogProviderDataSourceData" time="2013-11-15T10:33:14.8839662-08:00" sourceHealthServiceId="667FF365-70DD-6607-5B66-F9F95253B29F">
          <SCXLogProviderDataSourceData>
            <row>warning 1002</row>
          </SCXLogProviderDataSourceData>
        </DataItem>
      </EventData>
      <EventDisplayNumber>0</EventDisplayNumber>
      <EventDescription>Detected Entry: warning 1002</EventDescription>
    </DataItem>
    Here is the rule in the MP XML.  The <ConditionDetection>...</ConditionDetection> content was what I added to do the exclusion filtering:
    <Rule ID="LogFileTemplate_66b86eaded094c309ffd2631b8367a32.Alert" Enabled="false" Target="Unix!Microsoft.Unix.Computer" ConfirmDelivery="false" Remotable="true" Priority="Normal" DiscardLevel="100">
      <Category>EventCollection</Category>
      <DataSources>
        <DataSource ID="EventDS" TypeID="Unix!Microsoft.Unix.SCXLog.VarPriv.DataSource">
          <Host>$Target/Property[Type="Unix!Microsoft.Unix.Computer"]/PrincipalName$</Host>
          <LogFile>/tmp/test</LogFile>
          <UserName>$RunAs[Name="Unix!Microsoft.Unix.ActionAccount"]/UserName$</UserName>
          <Password>$RunAs[Name="Unix!Microsoft.Unix.ActionAccount"]/Password$</Password>
          <RegExpFilter>warning</RegExpFilter>
          <IndividualAlerts>true</IndividualAlerts>
        </DataSource>
      </DataSources>
      <ConditionDetection TypeID="System!System.ExpressionFilter" ID="Filter">
        <Expression>
          <RegExExpression>
            <ValueExpression>
              <XPathQuery Type="String">//row</XPathQuery>
            </ValueExpression>
            <Operator>DoesNotContainSubstring</Operator>
            <Pattern>1001</Pattern>
          </RegExExpression>
        </Expression>
      </ConditionDetection>
      <WriteActions>
        <WriteAction ID="GenerateAlert" TypeID="Health!System.Health.GenerateAlert">
          <Priority>1</Priority>
          <Severity>2</Severity>
          <AlertName>Log File Alert: ExclusionExample</AlertName>
          <AlertDescription>$Data/EventDescription$</AlertDescription>
        </WriteAction>
      </WriteActions>
    </Rule>
    I traced this with the Workflow Analyzer as I tested, which shows the logic being applied.  Here is the exclusion happening:
    Here's more info on the definition of an ExpressionFilter:
    http://msdn.microsoft.com/en-us/library/ee692979.aspx
    And more information on Regular Expressions in MPs:
    http://support.microsoft.com/kb/2702651/en-us
    You can also have multiple Expressions in the ExpressionFilter joined by OR or AND operators.
    Also, if you are comfortable with the MP authoring, you can just skip the step of creating the rules in the MP template and just author your own MP with the VSAE tool:
    http://social.technet.microsoft.com/wiki/contents/articles/18085.scom-2012-authoring-unixlinux-log-file-monitoring-rules.aspx
    www.operatingquadrant.com
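    The exclusion logic discussed in this thread, as an added Python check that is not code from either post or from the management pack. It runs the question's single negative-lookahead expression and the reply's two-stage form (an inclusive match, then a does-not-contain-substring exclusion per code) over the three syslog lines posted above plus one constructed line for 1222, and confirms both alert on the same two events. Python's re stands in for the SCOM and agent regex engines, which is an assumption. Separately, the `-bash: !: event not found` error in the grep attempt above is not a regex problem: bash expanded the unquoted `!` as a history substitution. Single-quoting the pattern avoids that, and lookahead needs `grep -P`, since it is a PCRE feature.

```python
"""Dry-run the SCOM log-rule exclusion logic against the posted syslog lines.

Added example, not from the thread or the management pack. Python's re stands
in for the SCOM and agent regex engines (an assumption); lines 1-3 are the
poster's, line 4 is constructed to exercise the 1222 exclusion.
"""
import re

# The single-expression form from the question: 'warning', case-insensitive,
# unless 1222 or 1001 appears anywhere later on the same line.
LOOKAHEAD = re.compile(r"((?i:warning)(?!(.*1222)|(.*1001)))")

LOG_LINES = [
    "Nov 13 15:07:26 bld02 root: SCOM Test Warning Event ID 1001 Round 18",
    "Nov 13 15:07:29 bld02 root: SCOM Test Warning Event ID 1000 Round 18",
    "Nov 13 15:07:35 bld02 root: SCOM Test Warning Event ID 1002 Round 18",
    "Nov 13 15:07:41 bld02 root: SCOM Test Warning Event ID 1222 Round 18",  # constructed
]


def alerts_single_regex(lines):
    """Lines the negative-lookahead expression alerts on."""
    return [line for line in lines if LOOKAHEAD.search(line)]


def alerts_two_stage(lines, include=r"warning", exclude=("1222", "1001")):
    """The reply's shape: an inclusive RegExpFilter on the data source, then one
    DoesNotContainSubstring ExpressionFilter condition per excluded code."""
    inclusive = re.compile(include, re.IGNORECASE)
    return [line for line in lines
            if inclusive.search(line) and not any(code in line for code in exclude)]


def event_ids(lines):
    """Extract the 'Event ID nnnn' values so results read as a list of codes."""
    matches = (re.search(r"Event ID (\d+)", line) for line in lines)
    return [int(m.group(1)) for m in matches if m]


if __name__ == "__main__":
    print("single regex :", event_ids(alerts_single_regex(LOG_LINES)))
    print("two stage    :", event_ids(alerts_two_stage(LOG_LINES)))
```

    Both forms alert on 1000 and 1002 only. The substring exclusion in the reply is the safer of the two to maintain in MP XML: it needs no lookahead support from the engine, and each excluded code is a separate, readable condition rather than a branch inside one pattern.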

  • Alert set through timer job is not working in sharepoint 2010 as expected

    Hi,
    I create the standard sharepoint alerts through timer job.
    In my timer job, I loop through a list and, based on the user value in the alert-to field, I create an alert for the users. The conditions for the alert are only when new items are created and something changes in the below view.
    All the properties are set fine. Email is triggered on new item additions and on the specific daily or weekly summary.
    The view filtering is not working at all :(
    But after the timer job ran and set the alert, if I open the alert settings in the UI and, without changing anything, click OK, then the view filtering happens and alerts work fine.
    What is wrong here? is it a bug or anything am missing?
    Aruna
    // Inside the timer job's Execute method (not shown). Braces restored; the inner loop
    // gets its own variable name because reusing oItem for both loops does not compile in C#.
    try
    {
        SPList Configlist = web.Lists.TryGetList("Configuration");
        foreach (SPListItem configItem in Configlist.Items)
        {
            ProfilePicker = configItem["ProfilePicker"].ToString();
            ProfileViewer = configItem["ProfileViewer"].ToString();
            string MIS = configItem["MIS"].ToString();
            SPList list = web.Lists.TryGetList(ProfileViewer);
            SPList ProfileList = web.Lists[ProfilePicker];
            foreach (SPListItem oItem in ProfileList.Items)
            {
                frequency = oItem["Frequenzy"].ToString();
                created = (DateTime)oItem["Created"];
                string createdDate = created.ToShortDateString();
                DateTime today = DateTime.Today.Date;
                string dateonly = today.ToShortDateString();
                SPFieldUserValue fieldValue = null;
                SPFieldUser UserColumn = (SPFieldUser)oItem.Fields.GetField("Alert_x0020_owner");
                fieldValue = UserColumn.GetFieldValue(oItem["Alert_x0020_owner"].ToString()) as SPFieldUserValue;
                if (fieldValue != null)
                {
                    alertowner = fieldValue.User;
                    alert = alertowner.ToString();
                    //if (createdDate == dateonly)
                    SPUser user = web.EnsureUser(alert);
                    SPAlert newAlert = user.Alerts.Add();
                    newAlert.AlertType = SPAlertType.List;
                    newAlert.List = list;
                    newAlert.DeliveryChannels = SPAlertDeliveryChannels.Email;
                    newAlert.EventType = SPEventType.Add;
                    if (frequency == "Daily")
                        createDailyAlert(newAlert, list, user);
                    else
                        createWeeklyAlert(newAlert, list, user);
                }
            }
        }
    }
    catch (Exception ex)
    {
        // Danfoss.Sharepoint.Logger.DanfossLogger.LogToOperations(ex, "Exception occurred in setting the profile alert", 0, EventSeverity.Error, DanfossExceptionCategory.General);
    }

    private static void createDailyAlert(SPAlert newAlert, SPList list, SPUser user)
    {
        newAlert.Title = "My Daily Profile viewer Alert";
        newAlert.AlertFrequency = SPAlertFrequency.Daily;
        newAlert.AlertTemplate = list.AlertTemplate;
        newAlert.AlertTime = new DateTime(DateTime.Today.Year, DateTime.Today.Month, DateTime.Today.Day, 10, 0, 0);
        newAlert.AlertTime = newAlert.AlertTime.AddDays(0);
        SPAlert existingAlert = null;
        // The view-based filter is expressed through these three properties.
        newAlert.Properties.Add("filterindex", "4");
        newAlert.Properties.Add("viewid", list.Views["Daily Alert"].ID.ToString("D"));
        newAlert.Properties.Add("filterpath", string.Format("{0}/", list.Views["Daily Alert"].ServerRelativeUrl.TrimStart('/')));
        foreach (SPAlert alerts in user.Alerts)
        {
            string al = alerts.AlertFrequency.ToString();
            // Filter down the alert to the list you wish to report on.
            if (al == "Daily")
            {
                // Found your existing custom alert. Don't create one.
                existingAlert = alerts;
            }
        }
        if (existingAlert == null)
            newAlert.Update(false);
    }

    private static void createWeeklyAlert(SPAlert newAlert, SPList list, SPUser user)
    {
        newAlert.Title = "My weekly profile viewer Alert";
        newAlert.AlertFrequency = SPAlertFrequency.Weekly;
        newAlert.AlertTemplate = list.AlertTemplate;
        newAlert.AlertTime = new DateTime(DateTime.Today.Year, DateTime.Today.Month, DateTime.Today.Day, 10, 0, 0);
        newAlert.AlertTime = newAlert.AlertTime.AddDays(0);
        SPAlert existingAlert = null;
        newAlert.Properties.Add("filterindex", "4");
        newAlert.Properties.Add("viewid", list.Views["Weekly Alert"].ID.ToString("D"));
        newAlert.Properties.Add("filterpath", string.Format("{0}/", list.Views["Weekly Alert"].ServerRelativeUrl.TrimStart('/')));
        foreach (SPAlert alerts in user.Alerts)
        {
            string al = alerts.AlertFrequency.ToString();
            // Filter down the alert to the list you wish to report on.
            if (al == "Weekly")
            {
                // Found your existing custom alert. Don't create one.
                existingAlert = alerts;
            }
        }
        if (existingAlert == null)
            newAlert.Update(false);
    }
    This is my code. alerts are not sending based on the view:(

    Hi sathyaav,
    I followed the example and made a test in my environment, it works like a charm.
    I suggest you check that you entered a valid site URL when you created the project solution.
    If you deployed successfully to the Central Administration site using Visual Studio, then the job named "Simple Job Definition" will appear in the job definition list.
    Best Regards
    Forum Support
    Zhengyu Guo
    TechNet Community Support

  • Issue filtering a report (based on narrative view) with a dashboard prompt.

    I used HTML and JavaScript code in a narrative view to solve the issue of "linking different reports on selecting values from a drop-down". A new issue has cropped up due to that implementation. The issue is that I can't attach a dashboard prompt to such a report. This means that when I put this report on a dashboard page with a dashboard prompt to help filter the report, the report does not get filtered (it does not seem to be connected to the dashboard prompt).
    Has anyone faced this issue before? If yes, please let me know how to tackle it at the earliest.
    Regards,
    Ramil

    Hi,
    Sorry, I could not solve the problem. I put the case statement below in the formula of a date column but I got a syntax error. One more thing: the case statement is appearing in the select query, not in the where condition. Do you mean to say that if I put the same column as is prompted, then it will come in the where condition?
    Could you please help me with where I am going wrong.
    case when '@{Period}'='Weekly' then Alerts."Creation Date and Time"  between  '@{PStartDate -7}' and  '@{PStartDate}' end
    [nQSError: 10058] A general error has occurred. [nQSError: 27002] Near <between>: Syntax error [nQSError: 26012] . (HY000)
    SQL Issued: SELECT Alerts."Business Domain(s)", Alerts."Closing Action Type", Alerts.Closer, case when ''='Weekly' then Alerts."Creation Date and Time" between '' and '' end FROM "Common Productivity Reports for Alerts"

  • How to get SCOM alerts and send single summary email of one's that have breached.

    Hi,
    I'm trying to create a runbook which does as the title suggests, i.e. I want to get the 'Active' alerts from the console which have breached our SLA, which is no Critical or Warning alerts in resolution state of New for more than 24 hrs, and email this list to an internal Distribution List of all the potential service owners. It's just intended as a daily email to poke the relevant people not to ignore the console alerts :-)
    I'm able to Get Alerts OK, but from there I'm having difficulties. I have been given a PowerShell script (as I'm no good at PowerShell myself) which does the filtering to get the relevant breached alerts, but when I pass the output to other activities and ultimately to the Create/Send Email, I end up only able to get multiple emails, one per alert which matches the filtering from PowerShell. I have appended to a file to check that I can write the alert properties line by line, but for example if I've 4 alerts then I end up with 4 emails - I want one email with each alert's details (severity, alert name, path, resolution state, days/hrs in breach, Service Owner (custom field 3) etc.). I have toyed with flattening the output with line breaks and/or commas at various points along the activity chain to try to force a single iteration of the Send Email, but this just messes the format to the point of not being useful.
    So I was wondering if anyone could advise if this is possible, esp. if able to do it using the standard activities along with the SCOM IP - I'm sure doing it all in PowerShell is a possible answer but I'm not proficient to do it - unless someone can provide said script! :-)
    Another possibility which has crossed my mind is to query the OpsMgr DB directly using the Alert ID from Get Alert, but I haven't tried that yet. I think I'm struggling to understand the basics of how the data is passed from activities, esp. using the 'flatten output' method. My current runbook has the following activities:
    GetAlert -> Run .Net (PowerShell for filtering for breached alerts) -> AppendFile (to check the alert output) -> Create/Send Email (to send summary email). What happens is, if I have say 4 breached alerts in the console, when I run the tester I see GetAlert runs once (detail shows it has found 4 alerts), then each activity up the chain runs 4 times so that finally I end up with 4 emails.
    If anyone has any suggestions it would be much appreciated - I can provide any more details/upload pic of current runbook if it helps...
    Thanks...

    Hi, thanks for the suggestion. I've tried playing around with the runbook using the Junction activity in front of the Send Email. It doesn't appear to do anything in itself (unless I'm not using it correctly). The only way I can get the email to only send once is if I flatten the output from the returned data behaviour - this works if I flatten at the Get Alert stage without the Junction activity, or if I use the Junction and flatten it; then the email fires once.
    However, the problem with this is that each field for each alert is written vertically, so if I have 3 alerts returning 3 pieces of returned data I get:
    <Alert1 datafield1>
    <Alert2 datafield1>
    <Alert3 datafield1>
    <Alert1 datafield2>
    <Alert2 datafield2>
    <Alert3 datafield2>
    <Alert1 datafield3>
    <Alert2 datafield3>
    <Alert3 datafield3>
    whereas I want the data to appear horizontally with each alert's details on its own row, like when written to a file, ie
    <Alert1 datafield1> <Alert1 Datafield2> <Alert1 DataField3>
    <Alert2 datafield1> <Alert2 Datafield2> <Alert2 DataField3>
    <Alert3 datafield1> <Alert3 Datafield2> <Alert3 DataField3>
    Without the use of flatten, the email which fires once for each alert has the data displayed correctly. So essentially what I'm hoping to get is all returned alert details one per line/row in the body of the email...
    If there's any easy way to do it within the orchestrator activities that would be great. Otherwise it looks like I might have to try to find a powershell or SQL script to pull back alert data. Cheers...

  • How do I query a SharePoint List using a url and filtering on date?

    I am reading a SharePoint list using jquery. Everything is working fine
    except for the filter. Each list item has an expiration date. I want to retrieve JUST the items that have not expired (Expires > Today) but I can't figure out the url syntax and I've been searching all day for an example and
    can't find one. Could someone please help?!? See the qryWCFUrl line in the code below.
    Thanks,
    Glen
    $(document).ready(function () {
        var qryWCFUrl = "/sites/MMTP1/_vti_bin/listdata.svc/MMAlerts?$filter=(Expires gt '08/10/2011')&$orderby=Title";
        $.getJSON(qryWCFUrl, function (results) {
            $.each(results.d.results, function (i, mmAlert) {
                itemID = mmAlert.Id;
                mmTitle = mmAlert.Title;
                mmClass = mmAlert.ClassValue;
                //alert("Item="+itemID+" Title="+mmTitle+" Class="+mmClass);
                AddMMStatus(mmAlert.Id, mmAlert.Title, mmAlert.ClassValue);
            });
        });
    });

    Fadi,
    Thanks for your response. I actually have another version of the code that uses the SP client objects that works. The problem is site boundaries. Let me give a more complete project explanation.
    I am creating a master page for a new intranet. As part of this master page, I want to read from an SP list of alerts and post each alert (if not expired) in the SP status bar. I've gotten this to work with SP client objects and jquery (except
    for the date filter part). Both of these solutions work fine on the top site level. BUT when trying it out at the sub-site level, the SP client objects version of my code fails. The jQuery version works except the date filtering.
    I looked at the example from your link and it looks like a bit of a hybrid of my approaches: JQuery with CAML. My question is; does this example permit me to access a list in the top-level site from the subsites? Please excuse my ignorance,
    but I am an EXTREME newbie in this having spent the past 8 years as a VB.Net developer and a little bit of ASP.Net.
    Below are the two different versions of my code in different versions of my master page definition:
    SP Client Object Version
    <script type="text/javascript">
    // <![CDATA[
    ExecuteOrDelayUntilScriptLoaded(LoadAlerts, "sp.js");
    var ctx;
    var list;
    var currAlerts;
    function LoadAlerts() {
        ctx = SP.ClientContext.get_current();
        // get_lists() takes no argument: the '/sites/MMTP1/Lists/' path originally passed
        // here was ignored, and the list is always resolved against the web ctx points at.
        list = ctx.get_web().get_lists().getByTitle('MMAlerts');
        var cmlQry = new SP.CamlQuery();
        // set_viewXml expects the query wrapped in <View>...</View>
        var camlExp = '<View><Query><Where><Gt><FieldRef Name="Expires" /><Value IncludeTimeValue="FALSE" Type="DateTime"><Today /></Value></Gt></Where></Query></View>';
        cmlQry.set_viewXml(camlExp);
        currAlerts = list.getItems(cmlQry);
        ctx.load(currAlerts, 'Include(ID,Title,Class)');
        ctx.executeQueryAsync(GetAlertsSuccess, GetAlertsFailed);
    }
    function GetAlertsSuccess() {
        var lstEnum = currAlerts.getEnumerator();
        while (lstEnum.moveNext()) {
            var mmAlert = lstEnum.get_current();
            AddMMStatus(mmAlert.get_item('ID'), mmAlert.get_item('Title'), mmAlert.get_item('Class'));
        }
    }
    function GetAlertsFailed(sender, args) {
        // args is a ClientRequestFailedEventArgs; get_message() holds the error text
        alert('Alerts load failed: ' + args.get_message());
    }
    function AddMMStatus(msgID, strTitle, strClass) {
        var statID;
        var statClass;
        var statTitle;
        statClass = "<a href=\"#\" onclick=\"javascript:DisplayAlert(" + msgID + ");\">" + strClass + ": </a>";
        statTitle = "<a href=\"#\" onclick=\"javascript:DisplayAlert(" + msgID + ");\">" + strTitle + "</a>";
        statID = SP.UI.Status.addStatus(statClass, statTitle, true);
        SP.UI.Status.setStatusPriColor(statID, "red");
    }
    function DisplayAlert(msgID) {
        var options = {
            title: "Miller & Martin Alert!",
            url: "/sites/MMTP1/SitePages/ShowAlert02.aspx?ID=" + msgID,
            allowMaximize: false,
            showClose: true
        };
        SP.UI.ModalDialog.showModalDialog(options);
    }
    // ]]>
    </script>
    JQuery Version (works except for filtering by date)
    <script type="text/javascript" src="http://ajax.googleapis.com/ajax/libs/jquery/1.3.2/jquery.min.js"></script>
    <script type="text/javascript">
    // <![CDATA[
    var itemID;
    var mmTitle;
    var mmClass;
    $(document).ready(function () {
        var qryWCFUrl = "/sites/MMTP1/_vti_bin/listdata.svc/MMAlerts?$filter=(Expires gt '08/10/2011')&$orderby=Title";
        $.getJSON(qryWCFUrl, function (results) {
            $.each(results.d.results, function (i, mmAlert) {
                itemID = mmAlert.Id;
                mmTitle = mmAlert.Title;
                mmClass = mmAlert.ClassValue;
                AddMMStatus(mmAlert.Id, mmAlert.Title, mmAlert.ClassValue);
            });
        });
    });
    function AddMMStatus(msgID, strTitle, strClass, strSeverity) {
        var statID;
        var statClass;
        var statTitle;
        statClass = "<div id=\"mmAlertTitle\" style=\"display:inline-block;\"><a href=\"#\" onclick=\"javascript:DisplayAlert(" + msgID + ");\">" + strClass + ": </a></div>";
        statTitle = "<div id=\"mmAlertDetail\" style=\"display:inline-block;\"><a href=\"#\" onclick=\"javascript:DisplayAlert(" + msgID + ");\">" + strTitle + "</a></div>";
        statID = SP.UI.Status.addStatus(statClass, statTitle, true);
        SP.UI.Status.setStatusPriColor(statID, "green");
    }
    function DisplayAlert(msgID) {
        var options = {
            title: "Miller & Martin Alert!",
            url: "/sites/MMTP1/SitePages/ShowAlert02.aspx?ID=" + msgID,
            allowMaximize: false,
            showClose: true
        };
        SP.UI.ModalDialog.showModalDialog(options);
    }
    // ]]>
    </script>
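    As an added example, not code from the original post or from SharePoint itself: it writes the listdata.svc date filter as an OData datetime literal instead of the quoted '08/10/2011' string, parses the /Date(ms)/ values that WCF Data Services returns so expiry can be re-checked on the client, and escapes list text before it becomes status-bar markup. The MMAlerts list, the Expires column and the /sites/MMTP1 path come from the question; SAMPLE_RESULTS is constructed.

```javascript
// Added example, not from the original post. MMAlerts, Expires and the site
// path come from the question; SAMPLE_RESULTS below is constructed data.
// listdata.svc is an OData v2 endpoint: a date in $filter must be written as a
// datetime'YYYY-MM-DDTHH:MM:SS' literal, not as a quoted '08/10/2011' string.
function buildExpiresFilter(today) {
  var day = today.toISOString().slice(0, 10); // UTC calendar date
  return "Expires gt datetime'" + day + "T00:00:00'";
}

function buildAlertsUrl(siteUrl, today) {
  return siteUrl + "/_vti_bin/listdata.svc/MMAlerts?$filter=" +
    encodeURIComponent(buildExpiresFilter(today)) + "&$orderby=Title";
}

// WCF Data Services returns DateTime columns in JSON as "/Date(<epoch ms>)/",
// sometimes with a +hhmm suffix; the ms value is used, anything else gives null.
function parseWcfDate(value) {
  var m = /^\/Date\((-?\d+)([+-]\d{4})?\)\/$/.exec(String(value));
  return m ? new Date(Number(m[1])) : null;
}

// Re-check the server-side filter on the client: keep only alerts that have not
// expired, and drop rows whose Expires value does not parse instead of showing them.
function activeAlerts(results, today) {
  return results.d.results.filter(function (item) {
    var expires = parseWcfDate(item.Expires);
    return expires !== null && expires.getTime() > today.getTime();
  });
}

// Title and ClassValue are free text typed into the list; escape them before
// they become markup for SP.UI.Status.addStatus rather than concatenating raw.
function escapeHtml(s) {
  var map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, function (c) { return map[c]; });
}

// data-id carries the item id for a jQuery click handler instead of an inline onclick string.
function statusHtml(item) {
  return "<a href=\"#\" data-id=\"" + Number(item.Id) + "\">" +
    escapeHtml(item.ClassValue) + ": " + escapeHtml(item.Title) + "</a>";
}

// Constructed stand-in for what $.getJSON(buildAlertsUrl("/sites/MMTP1", today)) would return.
var SAMPLE_RESULTS = { d: { results: [
  { Id: 1, Title: "Old notice", ClassValue: "Info", Expires: "/Date(1312848000000)/" },        // 2011-08-09
  { Id: 2, Title: "Outage <tonight>", ClassValue: "Warning", Expires: "/Date(1315526400000)/" }, // 2011-09-09
  { Id: 3, Title: "Bad date", ClassValue: "Info", Expires: "not-a-date" }
] } };
```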

  • How to add a alert filter in ipsmc for version 5 signatures

    I am trying to understand how event or alert filters work in version 5.x. If I use VMS ipsmc to manage the sensors, how do you add a sensor filter for a particular event that we do not want to see appear in the SecMon console any more?
    It looks like you have one of two options, however I am not sure of the method to follow. You could edit the signature itself, or it seems that you must use “Configuration Settings > Event Actions (IPS 5.x) > SigEvent Action Filters”.
    I would like to create a filter from any to a single host IP address, but when I select the add button I only have the option to specify a range of addresses. Do I just enter the single address in the start field and then leave the finish field blank?
    The filter should “not alert” or “take any action”. How do I exclude certain destination or source IPs from producing an alert?

    We are still trying to get this filter to work. Can anybody give us an example of how it should look on the sensor?
    The sensor filter that we would like to create should “exclude” any source IP, any source port to specific destination hosts on all destination ports (icmp has none) from capturing events and storing them in the event store on the sensor.
    This is the filter that we have so far on the sensor. What’s the problem with it?
    service event-action-rules rules0
    filters edit icmp-w-echo-filter-sensor-sensor-0-D
    signature-id-range 2100
    subsignature-id-range 0-255
    attacker-address-range 0.0.0.0-255.255.255.255
    victim-address-range a.b.c.x,a.b.c.y
    attacker-port-range 0-65535
    victim-port-range 0-65535
    risk-rating-range 0-100
    no actions-to-remove
    deny-attacker-percentage 100
    filter-item-status Enabled
    stop-on-match False
    no user-comment
    exit
    filters move icmp-w-echo-filter-sensor-sensor-0-D begin
    exit

  • Not receiving Critical Patch Update E-mail Notification Alerts - used to

    I am no longer receiving the Security Alert Email Notifications for the Oracle Critical Patch Updates. Also, the instructions on the OTN web page are no longer valid (there is no longer an Opt-In category). I have the box checked to receive the emails, but for some reason they are no longer being sent. I have checked my "Junk and SPAM" mail folders - not there, and they are not being filtered by our company email program. I have a non-technical SR opened with support, but they are not understanding the issue.
    On the
    http://www.oracle.com/technetwork/topics/security/alerts-086861.html#SecurityAlerts page, there is a link (Click here for instructions on how to configure email notifications.) which takes you to
    http://www.oracle.com/technetwork/topics/security/securityemail-090378.html
    This is the URL that we go to to set up or subscribe to Critical Patch Update Alert emails
    Subscribe to Critical Patch Update Alert E-mails
    When going to my account, there is no longer the Opt-in to Oracle Communications section
    I have
    Subscription Center (Under Subscription Center is)
    Oracle Technology News (under Oracle Technology News is a checkbox for)
    Oracle Security Alerts - Get the latest Security Alerts issued by Oracle as they become available.
    This box is checked and has been for a very long time, but I stopped getting the emails. I am not the only DBA who is having this issue where I work - several others have the same problem, and it looks like there are more DBAs in the Oracle Community who have the same problem
    Thanks for any assistance.

    Also see this related thread - Please help me to get my quarterly CPU alert notification send to me
    Srini
