I’m currently dealing with an issue where I’m not able to create monitoring for not-logging event sources. I would like to run a check, for example once a month, and receive an email notification listing event sources that have not logged any data for 30 days.
I’m aware of the API options, but would it be possible to achieve something like this using an automation workflow? Or is there any other straightforward way to achieve this? I’m still relatively new to Rapid7, so I may be asking something basic.
This would typically be done under Basic Detections as a Log Inactivity Detection Rule. These would trigger if a specific log source has not received data in X amount of time.
Personally I don’t see any type of event source that I’d want to wait until the 30 day mark to be alerted on, but that’s not my place to provide feedback on your environment. This method wouldn’t be a consolidated alert or report, but it would trigger on individual logs after 30 days of inactivity.
Hello. I’ve enabled the Basic Detections Rule and it did work. The problem was that the alert did not supply enough information to identify the event source that was not sending logs. Support couldn’t help, so I submitted a “feature request” (idea).
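A script-based alternative to the per-log rule discussed above, added here as an example and not part of the original thread or of Rapid7’s product: given a list of event sources with the time of their last event, it flags every source that has been silent for 30 days or more (or has never reported), sorts the longest-silent first, and renders one consolidated report body that names each source, which is the piece the Basic Detections alert was said to lack. The source list is constructed sample data, and the field names (`name`, `type`, `last_event_utc`) are assumptions rather than InsightIDR API fields; map whatever your API export returns onto that shape before calling `silent_sources`.

```python
"""Monthly "silent event source" report (added example, not Rapid7 code).

Assumed input shape per event source (not an InsightIDR API schema):
    {"name": str, "type": str, "last_event_utc": ISO-8601 string or None}
None means the source has never delivered an event.
"""
from datetime import datetime, timedelta, timezone
from email.message import EmailMessage

# Constructed sample data standing in for an API export mapped to the shape above.
SAMPLE_SOURCES = [
    {"name": "dc01-security", "type": "Active Directory", "last_event_utc": "2024-05-30T08:12:00Z"},
    {"name": "fw-edge-01",    "type": "Firewall",         "last_event_utc": "2024-04-02T23:59:10Z"},
    {"name": "vpn-gw",        "type": "VPN",              "last_event_utc": "2024-04-30T12:00:00Z"},
    {"name": "legacy-app",    "type": "Custom Log",       "last_event_utc": None},
]

# Fixed "now" so the example is reproducible; use datetime.now(timezone.utc) in practice.
REPORT_AS_OF = datetime(2024, 5, 31, 0, 0, tzinfo=timezone.utc)


def parse_utc(ts):
    """Parse an ISO-8601 timestamp (trailing 'Z' accepted) into an aware UTC datetime."""
    if ts is None:
        return None
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)


def silent_sources(sources, now, threshold_days=30):
    """Return sources with no event in the last threshold_days, or that never reported.

    Each returned dict carries a 'days_silent' key (None for never-reported sources).
    Never-reported sources come first, then the longest-silent ones.
    """
    cutoff = now - timedelta(days=threshold_days)
    silent = []
    for src in sources:
        last = parse_utc(src["last_event_utc"])
        if last is None:
            silent.append({**src, "days_silent": None})
        elif last < cutoff:
            silent.append({**src, "days_silent": (now - last).days})
    silent.sort(key=lambda s: (s["days_silent"] is not None, -(s["days_silent"] or 0)))
    return silent


def render_report(silent, now, threshold_days=30):
    """Plain-text body listing every silent source by name, type and age."""
    lines = [
        f"Event sources with no data for {threshold_days}+ days "
        f"(as of {now:%Y-%m-%d} UTC): {len(silent)}"
    ]
    for s in silent:
        age = "never reported" if s["days_silent"] is None else f"{s['days_silent']} days"
        lines.append(f"- {s['name']} ({s['type']}): {age}")
    return "\n".join(lines)


def build_email(report, sender, recipients, subject="Silent event sources"):
    """Wrap the report in an RFC 5322 message; send with smtplib.SMTP(...).send_message(msg)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(report)
    return msg


if __name__ == "__main__":
    silent = silent_sources(SAMPLE_SOURCES, REPORT_AS_OF)
    report = render_report(silent, REPORT_AS_OF)
    print(report)
    # Addresses are placeholders; swap in real ones and an SMTP relay to actually send.
    print(build_email(report, "siem-reports@example.invalid", ["soc@example.invalid"]))
```

Running this monthly from a scheduler (cron, a CI job, or an automation workflow that can execute a script) gives the consolidated list the thread asks for; the same `silent_sources` function also works with a shorter threshold for sources you would not want to leave unnoticed for a month.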