Entity Monitoring State

Introduction

In TrackMe, all entities have a field defining the “monitoring status”. This persistent field, named “monitored_state”, is stored in the KVstore and expects one of two possible values:

  • enabled: the entity is actively monitored

  • disabled: the entity remains but is not actively monitored and does not lead to alerts

screen1.png

Purposes of Monitoring Status

The Monitoring Status field serves the following purposes:

  • The TrackMe main user interface filters by default on entities which are actively monitored

  • Entities can be disabled and hidden from the main UI without being deleted

  • TrackMe alerts only consider entities which are actively monitored

Use Cases for Monitoring Status

There are different conditions where this feature can be useful:

  • The Hybrid Tracker data scope means that some entities of no interest are discovered, and these entities should not be considered anymore

  • A given entity representing a data provider has issues that cannot be addressed at the moment, and you want to fully exclude this entity without permanently deleting it

TrackMe User Interface

The main user interface filters by default on monitored entities. However, currently disabled entities are counted in an informative single view, and you can also ask TrackMe to reveal entities that are currently disabled.

Drilldown: click on the single view; this automatically filters on disabled entities:

screen2.png screen3.png

You can ask TrackMe to include disabled entities in the Tabulator:

screen4.png

You can use the filter function to only show disabled entities in the Tabulator:

screen5.png

Updating the Monitored State

You can enable or disable the monitoring state on a per-entity basis, via bulk editing, and via the REST API endpoints.

Enabling / Disabling an entity

Open the entity main screen and click on Enable / Disable:

screen6.png

Enabling / Disabling in bulk

Select one or more entities, click on the bulk action button:

screen8.png screen8.png

Enabling / Disabling in REST

Open the REST API user interface to find the endpoint associated with the component. You can enable / disable multiple entities at once:

| trackme url="/services/trackme/v2/splk_dsm/write/ds_monitoring" mode="post" body="{'tenant_id': 'feeds-tracking', 'action': 'disable', 'object_list': 'eventgen-firewall:netscreen:firewall|key:region;company|emea;unknown,eventgen-firewall:netscreen:firewall|key:region;company|unknown;company001'}"
screen9.png
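
As an added example (not part of the TrackMe documentation or code), the Python helper below assembles the search shown above from a list of entity names, so that a bulk enable / disable request can be generated and reviewed before it is run. The function name is hypothetical, and rejecting commas and quotes in values is an assumption based on the comma-separated, single-quoted format of the body shown on this page.

```python
# Added example, not TrackMe code. Endpoint and body keys are taken from
# the search shown on this page; everything else is an assumption.
ENDPOINT = "/services/trackme/v2/splk_dsm/write/ds_monitoring"
ALLOWED_ACTIONS = ("enable", "disable")

# Assumption: these characters would break either the comma-separated
# object_list or the quoting of the body argument, so they are refused.
FORBIDDEN = set(",'\"")


def build_ds_monitoring_search(tenant_id, action, objects):
    """Return the '| trackme ...' search for a bulk enable / disable."""
    if action not in ALLOWED_ACTIONS:
        raise ValueError("action must be one of %s" % (ALLOWED_ACTIONS,))
    if not objects:
        raise ValueError("object list is empty")

    for value in [tenant_id, *objects]:
        if not value or value != value.strip():
            raise ValueError("empty or whitespace-padded value: %r" % value)
        bad = FORBIDDEN.intersection(value)
        if bad:
            raise ValueError("unsupported character(s) %s in %r"
                             % (sorted(bad), value))

    # Drop duplicates while keeping the order the caller supplied.
    unique = list(dict.fromkeys(objects))

    body = "{'tenant_id': '%s', 'action': '%s', 'object_list': '%s'}" % (
        tenant_id, action, ",".join(unique))
    return '| trackme url="%s" mode="post" body="%s"' % (ENDPOINT, body)


if __name__ == "__main__":
    # Entity names copied from the example on this page.
    print(build_ds_monitoring_search(
        "feeds-tracking",
        "disable",
        ["eventgen-firewall:netscreen:firewall|key:region;company|emea;unknown",
         "eventgen-firewall:netscreen:firewall|key:region;company|unknown;company001"],
    ))
```

The printed search can be pasted into the Splunk search bar; because disabled entities no longer lead to alerts, reviewing the generated object list before running it is worthwhile.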