KBI 310580 Enhancement: Argent for Compliance Has 1,000s Of Alerts, Where Argent XT Has One

Version

Argent for Compliance — all versions

Date

11 Jun 2013

Summary

Customers who have recently migrated from Argent Data Consolidator (XT) to Argent for Compliance (AT) may report receiving thousands of similar alerts in Argent for Compliance, where they received only one consolidated alert in Argent Data Consolidator.

Technical Background

The default behavior of Argent for Compliance is to fire a separate Alert for each event.

The registry value COMBINE_ALERTS_ON_LOG_EVENT controls this behavior.

When the value is 0 (the default), Argent for Compliance fires a separate Alert for each event.

When the value is 1, Argent for Compliance combines Alerts for Windows Events: it sends one Alert for the same events and lists all matching Event Times found in the last scan.

(All other values are treated as 0.)

Important Note: Argent AT and Argent XT have a different definition of “the same events”.

Argent XT sees events as “the same” if events have the same Event ID, Event Source and Event Category.

Argent AT sees events as “the same” if events have the same Event ID, Event Source, Event Category, and Event Body.

For some customers, the extra check against the Event Body in Argent AT produces additional alerts that they are not accustomed to seeing.

Windows Event Log Rules in Argent for Compliance 3.1-1307-A have been enhanced with an option to choose between the native Argent AT or the Argent XT definition of “the same event”.
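The following Python model is added here to illustrate the grouping logic described above; it is not Argent code, and the event field names, the sample events and the function names are assumptions made for the illustration. It shows why one scan can yield one alert under the XT definition and many under the AT definition, and how any COMBINE_ALERTS_ON_LOG_EVENT value other than 1 falls back to separate alerts.

```python
"""Illustrative model of alert combining for Windows Event Log rules.

Not Argent code. The event dictionaries, field names and helper
functions below are constructed for this example only.
"""
from collections import OrderedDict
from typing import Dict, List, Tuple

# Constructed sample of events seen in one scan (not real log data).
# Four failed logons (Event ID 4625) differ only in the account named in
# the body; one successful logon (Event ID 4624) is mixed in.
SCAN_EVENTS: List[Dict[str, object]] = [
    {"time": "2013-06-11 09:00:01", "id": 4625,
     "source": "Microsoft-Windows-Security-Auditing", "category": "Logon",
     "body": "An account failed to log on. Account Name: alice"},
    {"time": "2013-06-11 09:00:02", "id": 4625,
     "source": "Microsoft-Windows-Security-Auditing", "category": "Logon",
     "body": "An account failed to log on. Account Name: bob"},
    {"time": "2013-06-11 09:00:03", "id": 4625,
     "source": "Microsoft-Windows-Security-Auditing", "category": "Logon",
     "body": "An account failed to log on. Account Name: alice"},
    {"time": "2013-06-11 09:00:04", "id": 4625,
     "source": "Microsoft-Windows-Security-Auditing", "category": "Logon",
     "body": "An account failed to log on. Account Name: carol"},
    {"time": "2013-06-11 09:00:05", "id": 4624,
     "source": "Microsoft-Windows-Security-Auditing", "category": "Logon",
     "body": "An account was successfully logged on. Account Name: alice"},
]


def event_key(event: Dict[str, object], match_body: bool) -> Tuple:
    """Return the tuple that decides whether two events are 'the same'.

    match_body=False models the Argent XT definition (ID, Source, Category);
    match_body=True models the Argent AT definition (adds the Event Body).
    """
    key = (event["id"], event["source"], event["category"])
    if match_body:
        key += (event["body"],)
    return key


def build_alerts(events: List[Dict[str, object]], combine_alerts: int,
                 match_body: bool) -> List[Dict[str, object]]:
    """Turn one scan's events into the alerts that would be fired.

    combine_alerts mirrors COMBINE_ALERTS_ON_LOG_EVENT: only the value 1
    combines alerts; every other value is treated as 0 (separate alerts).
    Each returned alert carries the matching key and the list of Event Times.
    """
    if combine_alerts != 1:
        return [{"key": event_key(e, match_body), "times": [e["time"]]}
                for e in events]
    groups: "OrderedDict[Tuple, List[str]]" = OrderedDict()
    for e in events:
        groups.setdefault(event_key(e, match_body), []).append(e["time"])
    return [{"key": k, "times": times} for k, times in groups.items()]


def alert_count(combine_alerts: int, match_body: bool) -> int:
    """Convenience wrapper: number of alerts for the sample scan."""
    return len(build_alerts(SCAN_EVENTS, combine_alerts, match_body))


if __name__ == "__main__":
    for combine, body, label in [(0, True, "separate alerts (value 0)"),
                                 (1, False, "combined, XT definition"),
                                 (1, True, "combined, AT definition")]:
        print(f"{label}: {alert_count(combine, body)} alert(s)")
        for alert in build_alerts(SCAN_EVENTS, combine, body):
            print("   ", alert["key"], "->", len(alert["times"]), "time(s)")
```

The same five events produce five alerts with the value 0, two alerts under the XT definition (one per Event ID), and four under the AT definition, because three of the failed logons have distinct bodies. Scaled to a busy domain controller, that difference in body matching is where the "thousands versus one" complaint comes from.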

Resolution

Upgrade to Argent AT 3.1A-1307-A