The Agent Potentially Uninstalled alarm is one of the default alarms provided in all accounts. This alarm is triggered if a user attempts to uninstall their agent. Below is a step-by-step guide on how we created this alarm.
1. Navigate to Alarms > Configuration on the Dashboard and click Create New Alarm. Type in a title such as "Agent Likely Uninstalled" and select Security Audit.
2. Once the new alarm page has been brought up, you will see the title you created in the top left.
3. Under Conditions, selecting Match Any will trigger the alarm if any of the conditions are met. For this example, we have selected the conditions Description is Equal To "Agent Successfully Uninstalled" as well as Event Name is Equal To UninstallAgentRemotely. These two actions appear in the Security Audit Log, and you will be notified if you choose to receive an email.
4. For a Security Audit Alarm, an email notification can be set up. Select a recipient and email subject, and create an email body. We have provided an example for you to copy below. Keep in mind that anything with "$" around it (for example, $Time$) is a variable, and when the email is sent, it will have this information filled in.
$AlarmName$ $Time$ $User$ $Description$
$AlarmName$ fired at $Time$
$User$ potentially removed agents remotely for $ActionData$
Event Name: $EventName$
Action Type: $ActionType$
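
The following is an added example, not the vendor's code: it models how the two Match Any conditions from step 3 select events and how the $...$ variables in the body above get filled in. The record keys, sample values and function names are assumptions, and the audit records are constructed.

```python
import re

# Step 3 conditions; the record keys reuse the template variable names (assumed).
CONDITIONS = [("Description", "Agent Successfully Uninstalled"),
              ("EventName", "UninstallAgentRemotely")]

BODY = ("$AlarmName$ fired at $Time$\n"
        "$User$ potentially removed agents remotely for $ActionData$\n"
        "Event Name: $EventName$\n"
        "Action Type: $ActionType$")

# Constructed sample records, not real Security Audit Log output.
SAMPLE_EVENTS = [
    {"Time": "2024-05-01 09:14:02", "User": "admin@example.com",
     "EventName": "UninstallAgentRemotely", "ActionType": "Uninstall",
     "ActionData": "WS-0142", "Description": "Remote uninstall requested"},
    {"Time": "2024-05-01 09:20:47", "User": "jdoe@example.com",
     "EventName": "AgentRemoved", "ActionType": "Uninstall",
     "ActionData": "LT-0077", "Description": "Agent Successfully Uninstalled"},
    {"Time": "2024-05-01 09:31:10", "User": "admin@example.com",
     "EventName": "Login", "ActionType": "Auth",
     "ActionData": "", "Description": "User logged in"},
]

def alarm_fires(event, match_any=True):
    """Apply the 'Is Equal To' conditions (exact string match assumed)."""
    hits = [event.get(field) == value for field, value in CONDITIONS]
    return any(hits) if match_any else all(hits)

def render(template, values):
    """Fill $Name$ variables; unknown names stay visible instead of blank."""
    return re.sub(r"\$(\w+)\$",
                  lambda m: str(values.get(m.group(1), m.group(0))), template)

def notifications(events, alarm_name="Agent Likely Uninstalled", match_any=True):
    """Return one rendered email body per event that trips the alarm."""
    return [render(BODY, {**e, "AlarmName": alarm_name})
            for e in events if alarm_fires(e, match_any)]

if __name__ == "__main__":
    for body in notifications(SAMPLE_EVENTS):
        print(body, end="\n\n")
```

In this sample each uninstall record satisfies only one of the two conditions, so switching to match-all logic would produce no notifications at all.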