Create alarms

Create an alarm so that it triggers when your defined conditions are met.

Before you begin

Verify that you have administrator rights or belong to an access group with alarm management privileges.


  1. On the system navigation tree, select the system, then click the Properties icon .
  2. Click Alarms, then click Add.
  3. Click the Summary tab to define the general alarm settings.
    • Name the alarm.
    • From the Assignee list, select the person or group to assign this alarm to. This list includes all users and groups with the Alarm Management privilege.
    • In Severity, select the alarm's priority in the alarm log (high is 66–100, medium is 33–65, low is 1–32).
    • Select Enabled to turn on this alarm and deselect the box to turn off the alarm.
  4. On the Condition tab, identify which conditions trigger the alarm.
    Condition Description
    Check Rate Select how often the system checks for this condition.
    Deviation Specify a percentage threshold to check above baseline and a different percentage below baseline.
    • Query — Select the type of data you are querying.
    • Filters icon — Select the values to filter the data for this alarm.
    • Time Frame — Select whether to query the last or previous time period selected in the number field.
    • Trigger when the value is — Select how far above and below the baseline the deviation is before ESM triggers the alarm.
    Event Rate
    • Event Count — Enter the number of events that must occur before ESM triggers the alarm.
    • Filters icon — Select the values to filter the data.
    • Time Frame — Select in what interval the number of selected events must occur before ESM triggers the alarm.
    • Offset — Select how long to offset so the alarm does not include the sharp increase at the end created by aggregation. For example, if ESM pulls events every five minutes, the last one minute of the events retrieved contain the aggregated events. Offset the time period by that amount so the last one minute is not included in the data measurement. Otherwise, ESM includes the values in the aggregated data in the event count, causing a false positive.
    Field Match
    1. Drag and drop the AND or OR icon (see Logic Elements) to set up the logic for the alarm's condition.
    2. Drag and drop the Match Component icon onto the logic element, then complete the Add Filter Field page.
    3. Limit the number of notifications you receive by setting the Maximum Condition Trigger Frequency. Each trigger only contains the first source event that matches the trigger condition, not the events that occurred within the trigger frequency period. New events that match the trigger condition do not cause the alarm to trigger again until after the maximum trigger frequency period. For example, if you set the frequency to 10 minutes and an alarm triggers five times within a 10-minute period, ESM sends a single notice containing 5 alarms.
      Note: If you set the interval to zero, every event that matches a condition triggers an alarm. For high frequency alarms, a zero interval can produce many alarms.
    Health Monitor Status Select the types of device status changes. For example, if you select only Critical, you are not notified if there is a health monitor status change at the Warning level (see health monitor signature IDs).
    Internal Event Match
    • Trigger when value does not match — Select to trigger the alarm when the value doesn't match your setting.
    • Use Watchlist — Select if a watchlist contains the values for this alarm.
      Note: Values containing commas must be in a watchlist or in quotes.
    • Field — Select the type of data this alarm monitors.
      Note: For alarms that trigger when a health monitor event is generated, see Add health monitor event alarms.
    • Value(s) — Type the specific values of the type selected in Field (limited to 1,000 characters). For example, for Source IP, enter the actual source IP addresses that trigger this alarm.
    Maximum Condition Trigger Frequency Select the amount of time to allow between each condition to prevent a flood of notifications.
    Threshold Event Delta condition type only — Select the maximum allowed delta for the analyzed events before the alarm triggers.
    Type Select the alarm type, which determines the fields you must fill in.
  5. On the Devices tab, select which devices this alarm monitors.
  6. On the Actions tab, identify what happens when the alarm triggers.
    Action Description
    Log event Create an event on the ESM.
    Auto-acknowledge Alarm Acknowledge the alarm automatically, right after it triggers. As a result, the alarm doesn't appear on the Alarms pane but the system adds it to the Triggered Alarms view.
    Visual alert Generate an alarm notification on the bottom right of the console. To include an audio notification, click Configure --> Play Sound, then select an audio file.
    Create case Create a case for the selected person or group. Click Configure to identify the case owner and to select which fields to include in the case summary.
    Note: If you plan to escalate alarms, do not create cases.
    Update watchlist Change watchlists by adding or removing values based on the information contained in up to 10 alarm-triggering events. Click Configure and select which field from the triggering event to append to or remove from the selected watchlist. When these settings change a watchlist, the Actions tab on the Triggered Alarm view shows the change.
    Note: This action requires Internal Event Match as the condition type.
    Send message Send an email or SMS message to the selected recipients.
    • Click Add recipient, then select the message recipients.
    • Click Configure to select the template (for email, SMS, SNMP, or syslog messages) and the time zone and date format to use for the message.
      Note: Using the following characters in alarm names might cause issues when sending SMS messages: comma (,), quotation marks ("), parenthesis ( ), forward or backward slash (/ \), semicolon (;), question mark (?), at symbol (@), brackets ([ ]), more than and less than signs (< >), and equal sign (=).
    Generate reports Generate a report, view, or query. Click Configure, then select a report on the Report Configuration page or click Add to design a new report.
    Note: If you plan to email a report as an attachment, check with your mail administrator to determine the maximum size for attachments. Large email attachments can prevent a report from being sent.
    Execute remote command Execute a remote command on any device that accepts SSH connections, except McAfee devices on the ESM. Click Configure to select the command type and profile; time zone and date format; and the host, port, user name password, and command string for the SSH connection.
    Note: If the alarm condition is Internal Event Match, you can track specific events. Click the Insert variable icon and select the variables.
    Send to Remedy Send up to 10 events to Remedy per triggered alarm. Click Configure to set up the information required to communicate with Remedy: from and to data, prefix, keyword, and user ID (EUID). When events are sent to Remedy, ESM adds Sent events to Remedy to the Actions tab on the Triggered Alarm view. This action requires Internal Event Match as the condition type.
    Assign Tag with ePO Apply McAfee ePolicy Orchestrator tags to the IP addresses that trigger this alarm. Click Configure and select the following information:
    • Select ePO device — Device to use for tagging
    • Name — Tags you want applied (only tags available on the selected device appear on the list).
    • Select the field — Field to base the tagging on.
    • Wake up client — Apply the tags immediately.
    Note: This action requires Internal Event Match as the condition type.
    Real Time for ePO Actions Perform actions from McAfee Real Time for McAfee ePO on the selected McAfee ePO device.
    Note: This option requires the McAfee Real Time for McAfee ePO plug-in (version or later) and that the McAfee ePO server recognizes that device as one of its endpoints.
    Blacklist Select which IP addresses to blacklist when an alarm triggers. Click Configure and select the following information:
    • Field — Select the type of IP address to blacklist. IP address blacklists both source and destination IP addresses.
    • Device — Select the device where you want the IP addresses blacklisted. Global adds the device to the Global Blacklist.
    • Duration — Select how long to blacklist the IP addresses.
    Note: This action requires Internal Event Match as the condition type.
    Custom alarm summary Customize the fields that are included in the summary of a Field Match or Internal Event Match alarm.
  7. On the Escalation tab, identify how to escalate the alarm when it is unacknowledged within a certain time.
    Escalation Description
    Escalate after Enter the time when you want the alarm to be escalated.
    Escalated assignee Select the person or group to receive the escalated notification.
    Escalated severity Select the severity for the alarm when escalated.
    Log event Select whether to log this escalation as an event.
    Visual alert Select whether the notification is a visual alert. Click Play sound, then select a file if you want a sound to accompany the visual notification.
    Send message Select whether to send the assignee a message. Click Add recipient, select the type of message, then select the recipient.
    Generate reports Select whether to generate a report. Click Configure to select the report.
    Execute remote command Select whether to execute a script on any device that accepts SSH connections. Click Configure, then fill in the host, port, user name, password, and command string.