Arbitrator API Documentation (1.0.0)

Download OpenAPI specification:Download

Insights Arbitrator API Documentation

Introduction

The base URL for all routes is the following:

https:///api/

All responses from the api will be in JSON format.

/api

The Arbitrator API is broken up into the resources below. Each resource represents an object in the Arbitrator system. A resource will have associated data and a set of methods in which the user may operate on it.

Resource	Description
/alerts	This resource will return data associated with alerts generated by the system.
/assets	This resource will return data associated with all the assets configured and discovered by the system. An asset can be added using the Arbitrator configuration screen. The Arbitrator will also automatically discover assets if the asset is configured to send logs to the Arbitrator.
/ciscocdr	This resource will return data associated with Cisco CDR and CMR files. The api will return a running total of various statistics associated with Cisco's call records.
/system	This resource will return data about the Arbitrator system in general.

/api/ciscocdr?cm_ip=x.x.x.x

cm_ip is an optional query parameter that will filter the totals down to a specific Cisco Call Manager.

query Parameters

cm_ip

number

Example: cm_ip=10.13.37.42

Responses

Response samples

Content type

application/json

{"ciscocdrs": {"call_stats": {"total_call_attempts": 12758,
"total_audio_calls": 12758,
"total_video_calls": 0,
"total_conferences": 0,
"total_audio_conferences": 0,
"total_video_conferences": 0,
"total_abandoned_calls": 2,
"total_completed_calls": 14,
"total_connected_calls": 11,
"total_failed_calls": 12744,
"total_processed_calls": 12758,
"total_rejected_calls": 0,
"total_short_calls": 1,
"total_minutes": 4.7666666666667,
"total_video_minutes": 0,
"total_audio_minutes": 4.7666666666667,
"lower_timestamp": 0,
"upper_timestamp": 0,
"average_hold_time": 0,
"erlangs": 0,
"grade_of_service": 0,
"call_failure_ratio": 0,
"total_mobile_calls": 0,
"total_mobile_orig_calls": 0,
"total_mobile_dest_calls": 0,
"total_mobile_minutes": 0,
"total_mobile_orig_minutes": 0,
"total_mobile_dest_minutes": 0,
"total_split_calls": 0,
"total_split_minutes": 0
},
"mos_stats": {"excellent": {"count": 0,
"duration": 0
},
"good": {"count": 0,
"duration": 0
},
"fair": {"count": 0,
"duration": 0
},
"poor": {"count": 0,
"duration": 0
},
"bad": {"count": 0,
"duration": 0
},
"unknown": {"count": 0,
"duration": 0
}
},
"metric_stats": {"numberPacketsSent": {"avg": 0,
"count": 0,
"max": 0,
"min": 0,
"sum": 0
},
"numberOctetsSent": {"avg": 0,
"count": 0,
"max": 0,
"min": 0,
"sum": 0
},
"numberPacketsReceived": {"avg": 0,
"count": 0,
"max": 0,
"min": 0,
"sum": 0
},
"numberOctetsReceived": {"avg": 0,
"count": 0,
"max": 0,
"min": 0,
"sum": 0
},
"numberPacketsLost": {"avg": 0,
"count": 0,
"max": 0,
"min": 0,
"sum": 0
},
"jitter": {"avg": 0,
"count": 0,
"max": 0,
"min": 0,
"sum": 0
},
"latency": {"avg": 0,
"count": 0,
"max": 0,
"min": 0,
"sum": 0
},
"mos": {"avg": 0,
"count": 0,
"max": 0,
"min": 0,
"sum": 0
},
"cumalitveConcealRatio": {"avg": 0,
"count": 0,
"max": 0,
"min": 0,
"sum": 0
},
"intervalConcealRatio": {"avg": 0,
"count": 0,
"max": 0,
"min": 0,
"sum": 0
},
"intervalConcealRatioMax": {"avg": 0,
"count": 0,
"max": 0,
"min": 0,
"sum": 0
},
"concealSeconds": {"avg": 0,
"count": 0,
"max": 0,
"min": 0,
"sum": 0
},
"severelyConcealSeconds": {"avg": 0,
"count": 0,
"max": 0,
"min": 0,
"sum": 0
},
"numberVideoPacketsSent": {"avg": 0,
"count": 0,
"max": 0,
"min": 0,
"sum": 0
},
"numberVideoOctetsSent": {"avg": 0,
"count": 0,
"max": 0,
"min": 0,
"sum": 0
},
"numberVideoPacketsReceived": {"avg": 0,
"count": 0,
"max": 0,
"min": 0,
"sum": 0
},
"numberVideoOctetsReceived": {"avg": 0,
"count": 0,
"max": 0,
"min": 0,
"sum": 0
},
"numberVideoPacketsLost": {"avg": 0,
"count": 0,
"max": 0,
"min": 0,
"sum": 0
},
"videoAverageJitter": {"avg": 0,
"count": 0,
"max": 0,
"min": 0,
"sum": 0
},
"videoRoundTripTime": {"avg": 0,
"count": 0,
"max": 0,
"min": 0,
"sum": 0
},
"videoOneWayDelay": {"avg": 0,
"count": 0,
"max": 0,
"min": 0,
"sum": 0
},
"cmr_duration": {"avg": 0,
"count": 0,
"max": 0,
"min": 0,
"sum": 0
},
"videoDuration_channel2": {"avg": 0,
"count": 0,
"max": 0,
"min": 0,
"sum": 0
},
"numberVideoPacketsSent_channel2": {"avg": 0,
"count": 0,
"max": 0,
"min": 0,
"sum": 0
},
"numberVideoOctetsSent_channel2": {"avg": 0,
"count": 0,
"max": 0,
"min": 0,
"sum": 0
},
"numberVideoPacketsReceived_channel2": {"avg": 0,
"count": 0,
"max": 0,
"min": 0,
"sum": 0
},
"numberVideoOctetsReceived_channel2": {"avg": 0,
"count": 0,
"max": 0,
"min": 0,
"sum": 0
},
"numberVideoPacketsLost_channel2": {"avg": 0,
"count": 0,
"max": 0,
"min": 0,
"sum": 0
},
"videoAverageJitter_channel2": {"avg": 0,
"count": 0,
"max": 0,
"min": 0,
"sum": 0
},
"videoRoundTripTime_channel2": {"avg": 0,
"count": 0,
"max": 0,
"min": 0,
"sum": 0
},
"videoOneWayDelay_channel2": {"avg": 0,
"count": 0,
"max": 0,
"min": 0,
"sum": 0
}
},
"termination_stats": {"1": {"count": 2,
"description": "Unallocated (unassigned) number",
"duration": 0
},
"16": {"count": 14,
"description": "Normal call clearing",
"duration": 109
},
"27": {"count": 12730,
"description": "Destination out of order",
"duration": 0
},
"102": {"count": 12,
"description": "Call terminated when timer expired; a recovery routine executed to recover from the error",
"duration": 177
}
},
"elapsed_time": 0.017364978790283
}
}

/api/v2

/api/v2 > alerts

Get All Alerts No Header

Authorizations:

noauthAuth

Responses

/api/v2 > assets

/api/v2/configs/assets

Authorizations:

basicAuth

header Parameters

x-lxt-api-token

string

Example: {{x-lxt-kapapi-id}}

Responses

Update Large Assets

Authorizations:

basicAuth

header Parameters

x-lxt-api-token	string Example: {{x-lxt-kapapi-id}}
Content-Type	string Example: application/json

Request Body schema: application/json

object

Responses

Request samples

Payload

Content type

application/json

[{"asset_id": "0e547524388f1c2579bbb42678f75d3ffea4ffc82fccb17a0006424b3d51f4cc",
"name": "172.30.11.130",
"ipaddress": "172.30.11.130",
"hostname": null,
"description": null,
"version": null,
"did": null,
"mac_address": null,
"address": null,
"model": null,
"manufacturer": null,
"timezone": "UTC",
"customer": null,
"site": null,
"render_type": "Unknown",
"rowAction": null,
"asset_groups": [{"asset_group_id": "63f21fe1dc86ad599988c2e3b9b222a62f0f8f8d2dda5ffc0006424b3d51f328"
}
]
},
{"asset_id": "1e9a8f44deb4907275e3f0ffdfb77001662f01cd6cc3c2300006424b3d51f6a9",
"name": "172.30.16.45",
"ipaddress": "172.30.16.45",
"hostname": null,
"description": null,
"version": null,
"did": null,
"mac_address": null,
"address": null,
"model": null,
"manufacturer": null,
"timezone": "UTC",
"customer": null,
"site": null,
"render_type": "Unknown",
"rowAction": null,
"asset_groups": [{"asset_group_id": "63f21fe1dc86ad599988c2e3b9b222a62f0f8f8d2dda5ffc0006424b3d51f328"
}
]
},
{"asset_id": "f1d012ccb0543eb62a6f5c3a301eef78ba1e26b51883841e0006424b3d51f874",
"name": "172.30.42.14",
"ipaddress": "172.30.42.14",
"hostname": null,
"description": null,
"version": null,
"did": null,
"mac_address": null,
"address": null,
"model": null,
"manufacturer": null,
"timezone": "UTC",
"customer": null,
"site": null,
"render_type": "Unknown",
"rowAction": null,
"asset_groups": [{"asset_group_id": "63f21fe1dc86ad599988c2e3b9b222a62f0f8f8d2dda5ffc0006424b3d51f328"
}
]
},
{"asset_id": "ce44ef91afd546b4ba1d9fe17af15bdb86b505b213191ba30006424b3d51faa0",
"name": "172.30.42.53",
"ipaddress": "172.30.42.53",
"hostname": null,
"description": null,
"version": null,
"did": null,
"mac_address": null,
"address": null,
"model": null,
"manufacturer": null,
"timezone": "UTC",
"customer": null,
"site": null,
"render_type": "Unknown",
"rowAction": null,
"asset_groups": [{"asset_group_id": "63f21fe1dc86ad599988c2e3b9b222a62f0f8f8d2dda5ffc0006424b3d51f328"
}
]
},
{"asset_id": "0c40ebfd1711c2bb64495d86b399401e6af455f3cfc9b1410006424b3d51fecb",
"name": "172.30.42.73",
"ipaddress": "172.30.42.73",
"hostname": null,
"description": null,
"version": null,
"did": null,
"mac_address": null,
"address": null,
"model": null,
"manufacturer": null,
"timezone": "UTC",
"customer": null,
"site": null,
"render_type": "Unknown",
"rowAction": null,
"asset_groups": [{"asset_group_id": "63f21fe1dc86ad599988c2e3b9b222a62f0f8f8d2dda5ffc0006424b3d51f328"
}
]
},
{"asset_id": "b759fca006d35522622657755e9165c1fdb5ff0556f2ec5a0006424b3d5200a5",
"name": "172.30.42.77",
"ipaddress": "172.30.42.77",
"hostname": null,
"description": null,
"version": null,
"did": null,
"mac_address": null,
"address": null,
"model": null,
"manufacturer": null,
"timezone": "UTC",
"customer": null,
"site": null,
"render_type": "Unknown",
"rowAction": null,
"asset_groups": [{"asset_group_id": "63f21fe1dc86ad599988c2e3b9b222a62f0f8f8d2dda5ffc0006424b3d51f328"
}
]
},
{"asset_id": "9ac14267903b9a81240685fc9800de876bec58dee738a90e0006424b3d5202e2",
"name": "172.30.42.80",
"ipaddress": "172.30.42.80",
"hostname": null,
"description": null,
"version": null,
"did": null,
"mac_address": null,
"address": null,
"model": null,
"manufacturer": null,
"timezone": "UTC",
"customer": null,
"site": null,
"render_type": "Unknown",
"rowAction": null,
"asset_groups": [{"asset_group_id": "63f21fe1dc86ad599988c2e3b9b222a62f0f8f8d2dda5ffc0006424b3d51f328"
}
]
},
{"asset_id": "cd4447605422ce8b09e5191122a42d2d84504cc308998d7f0006424b3d5204a8",
"name": "172.30.42.84",
"ipaddress": "172.30.42.84",
"hostname": null,
"description": null,
"version": null,
"did": null,
"mac_address": null,
"address": null,
"model": null,
"manufacturer": null,
"timezone": "UTC",
"customer": null,
"site": null,
"render_type": "Unknown",
"rowAction": null,
"asset_groups": [{"asset_group_id": "63f21fe1dc86ad599988c2e3b9b222a62f0f8f8d2dda5ffc0006424b3d51f328"
}
]
},
{"asset_id": "0248af89a2d3693c992932b6b74da6cbb1e3532ba3d438fd0006424b3d520674",
"name": "172.30.42.90",
"ipaddress": "172.30.42.90",
"hostname": null,
"description": null,
"version": null,
"did": null,
"mac_address": null,
"address": null,
"model": null,
"manufacturer": null,
"timezone": "UTC",
"customer": null,
"site": null,
"render_type": "Unknown",
"rowAction": null,
"asset_groups": [{"asset_group_id": "63f21fe1dc86ad599988c2e3b9b222a62f0f8f8d2dda5ffc0006424b3d51f328"
}
]
},
{"asset_id": "9616e7e8070a83c6bb1e0358f7a745342f670073e1df49e40006424b3d520a09",
"name": "172.30.1.104",
"ipaddress": "172.30.1.104",
"hostname": null,
"description": null,
"version": null,
"did": null,
"mac_address": null,
"address": null,
"model": null,
"manufacturer": null,
"timezone": "UTC",
"customer": null,
"site": null,
"render_type": "Unknown",
"rowAction": null,
"asset_groups": [{"asset_group_id": "db9d60549f10e11127eb69704633f5bf29dbc469506bc66a0006424b3d52083e"
}
]
},
{"asset_id": "0e1909582277d07ef3d7f9fd2d1b0202b7a41c9da1383ed90006424b3d520bcf",
"name": "172.30.42.17",
"ipaddress": "172.30.42.17",
"hostname": null,
"description": null,
"version": null,
"did": null,
"mac_address": null,
"address": null,
"model": null,
"manufacturer": null,
"timezone": "UTC",
"customer": null,
"site": null,
"render_type": "Unknown",
"rowAction": null,
"asset_groups": [{"asset_group_id": "db9d60549f10e11127eb69704633f5bf29dbc469506bc66a0006424b3d52083e"
}
]
},
{"asset_id": "61b376e6b9566649e8939f8c9abcbc342514f3adf03941390006424b3d5211be",
"name": "172.30.11.131",
"ipaddress": "172.30.11.131",
"hostname": null,
"description": null,
"version": null,
"did": null,
"mac_address": null,
"address": null,
"model": null,
"manufacturer": null,
"timezone": "UTC",
"customer": null,
"site": null,
"render_type": "Unknown",
"rowAction": null,
"asset_groups": [{"asset_group_id": "457b3e179de8fd11fb40ec816c6288d047b13ac43c4b01490006424b3d520dab"
}
]
},
{"asset_id": "d33ccac949739d76d32da402d9fa480699e60fcd48ef524c0006424b3d5213be",
"name": "172.30.42.76",
"ipaddress": "172.30.42.76",
"hostname": null,
"description": null,
"version": null,
"did": null,
"mac_address": null,
"address": null,
"model": null,
"manufacturer": null,
"timezone": "UTC",
"customer": null,
"site": null,
"render_type": "Unknown",
"rowAction": null,
"asset_groups": [{"asset_group_id": "457b3e179de8fd11fb40ec816c6288d047b13ac43c4b01490006424b3d520dab"
}
]
},
{"asset_id": "32ea31736c7d96c5afa13c2252574e40a1bfcbff262096410006424b3d52172d",
"name": "172.30.1.102",
"ipaddress": "172.30.1.102",
"hostname": null,
"description": null,
"version": null,
"did": null,
"mac_address": null,
"address": null,
"model": null,
"manufacturer": null,
"timezone": "UTC",
"customer": null,
"site": null,
"render_type": "Unknown",
"rowAction": null,
"asset_groups": [{"asset_group_id": "ec254002a9aab27dc83afeb0baa9bde856c26cd3c61270310006424b3d52159d"
}
]
},
{"asset_id": "88fc89c7f2f8b66225c7f71c8c162e964199ea3f815d51220006424b3d5218e9",
"name": "172.30.16.46",
"ipaddress": "172.30.16.46",
"hostname": null,
"description": null,
"version": null,
"did": null,
"mac_address": null,
"address": null,
"model": null,
"manufacturer": null,
"timezone": "UTC",
"customer": null,
"site": null,
"render_type": "Unknown",
"rowAction": null,
"asset_groups": [{"asset_group_id": "ec254002a9aab27dc83afeb0baa9bde856c26cd3c61270310006424b3d52159d"
}
]
},
{"asset_id": "a0caaf3126edb1b29882f8158225efd5356a2a67928550f20006424b3d521abc",
"name": "172.30.42.54",
"ipaddress": "172.30.42.54",
"hostname": null,
"description": null,
"version": null,
"did": null,
"mac_address": null,
"address": null,
"model": null,
"manufacturer": null,
"timezone": "UTC",
"customer": null,
"site": null,
"render_type": "Unknown",
"rowAction": null,
"asset_groups": [{"asset_group_id": "ec254002a9aab27dc83afeb0baa9bde856c26cd3c61270310006424b3d52159d"
}
]
},
{"asset_id": "2ef7fde7549a079e03a9e2f51bdec06996bd81f7bfc7776f0006424b3d521c7c",
"name": "172.30.42.71",
"ipaddress": "172.30.42.71",
"hostname": null,
"description": null,
"version": null,
"did": null,
"mac_address": null,
"address": null,
"model": null,
"manufacturer": null,
"timezone": "UTC",
"customer": null,
"site": null,
"render_type": "Unknown",
"rowAction": null,
"asset_groups": [{"asset_group_id": "ec254002a9aab27dc83afeb0baa9bde856c26cd3c61270310006424b3d52159d"
}
]
},
{"asset_id": "9550164cd868d23c02c98fa191f50eaf2ce6edbd0203f34c0006424b3d521e5d",
"name": "172.30.42.74",
"ipaddress": "172.30.42.74",
"hostname": null,
"description": null,
"version": null,
"did": null,
"mac_address": null,
"address": null,
"model": null,
"manufacturer": null,
"timezone": "UTC",
"customer": null,
"site": null,
"render_type": "Unknown",
"rowAction": null,
"asset_groups": [{"asset_group_id": "ec254002a9aab27dc83afeb0baa9bde856c26cd3c61270310006424b3d52159d"
}
]
},
{"asset_id": "93a28b668fcb833955cc2a881e294665ff1d2a51e2d6915c0006424b3d52202e",
"name": "172.30.42.78",
"ipaddress": "172.30.42.78",
"hostname": null,
"description": null,
"version": null,
"did": null,
"mac_address": null,
"address": null,
"model": null,
"manufacturer": null,
"timezone": "UTC",
"customer": null,
"site": null,
"render_type": "Unknown",
"rowAction": null,
"asset_groups": [{"asset_group_id": "ec254002a9aab27dc83afeb0baa9bde856c26cd3c61270310006424b3d52159d"
}
]
},
{"asset_id": "764aa6beca195ef0a8442fdb07fca1bd1fb7ee2c0165344c0006424b3d522221",
"name": "172.30.42.81",
"ipaddress": "172.30.42.81",
"hostname": null,
"description": null,
"version": null,
"did": null,
"mac_address": null,
"address": null,
"model": null,
"manufacturer": null,
"timezone": "UTC",
"customer": null,
"site": null,
"render_type": "Unknown",
"rowAction": null,
"asset_groups": [{"asset_group_id": "ec254002a9aab27dc83afeb0baa9bde856c26cd3c61270310006424b3d52159d"
}
]
},
{"asset_id": "cb151b1888c13d6c99e39d7d3f68a2f5e7dbe252467f69420006424b3d522415",
"name": "172.30.42.91",
"ipaddress": "172.30.42.91",
"hostname": null,
"description": null,
"version": null,
"did": null,
"mac_address": null,
"address": null,
"model": null,
"manufacturer": null,
"timezone": "UTC",
"customer": null,
"site": null,
"render_type": "Unknown",
"rowAction": null,
"asset_groups": [{"asset_group_id": "ec254002a9aab27dc83afeb0baa9bde856c26cd3c61270310006424b3d52159d"
}
]
}
]

Add a NAT IP Address to An Asset

Authorizations:

basicAuth

header Parameters

x-lxt-api-token	string Example: {{x-lxt-kapapi-id}}
Content-Type	string Example: application/json

Request Body schema: application/json

object

Responses

Request samples

Payload

Content type

application/json

{"name": "",
"ipaddress": "172.30.42.169",
"hostname": "Unknown",
"parent_id": "T4UB8BZFO6Y7UWR21686317921W6XPQA5QAASJ4RNJ4YZAFNH2CLBJKN6WIPUJL7SP7OM1VJ8",
"customer": "",
"site": "",
"render_type": "unknown",
"last_method": "",
"last_byte_time": 0,
"did": "Unknown",
"mac_address": "",
"address": "",
"version": "",
"manufacturer": "",
"timezone": "UTC",
"description": "NAT",
"comments": "",
"model": ""
}

Response samples

Content type

application/json

Example

Add a Single Asset

{"status": 200,
"message": "Success",
"data": [[{"asset_id": "T4UB8BZFO6Y7UWR21686317921W6XPQA5QAASJ4RNJ4YZAFNH2CLBJKN6WIPUJL7SP7OM1VJ8",
"name": "ExampleName",
"ipaddress": "20230609_082634",
"hostname": "20230609_082634",
"customer": "",
"site": "",
"render_type": "unknown",
"last_method": "",
"last_byte_time": 0,
"did": "Unknown",
"mac_address": "Unknown",
"address": "",
"version": "Cisco Call Manager",
"manufacturer": "Cisco",
"timezone": "Unknown",
"description": "",
"comments": "",
"model": "Unknown",
"asset_groups": [ ],
"assets": [ ],
"profiles": [ ]
}
]
]
}

/api/v2 > policy_modules

GET policy modules

Authorizations:

noauthAuth

header Parameters

x-lxt-api-token

string

Example: {{x-lxt-kapapi-id}}

Responses

Response samples

Content type

application/json

{"status": 200,
"message": "Success",
"data": [{"policy_module_id": "R5756M7F3DMMGADG1540308590142YD6D16SPO89RTT",
"name": "pexip",
"description": null,
"enabled": 0,
"locked": 0,
"disable_on_failover": 0,
"policy_filters": [ ],
"correlation_rules": [{"correlation_rule_id": "HJWLA72FHP86IIFG1540308595425K4M5K78AFUPQSP",
"crtype_name": "Simple",
"craction_name": "Respond",
"name": "patient_devices",
"threat_score": 11,
"threshold": 1,
"window": 60,
"status": 5,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "univago_data PATIENT_DEVICES ",
"description": "",
"policy_modules": [{"policy_module_id": "R5756M7F3DMMGADG1540308590142YD6D16SPO89RTT"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "G04P78U3ACTQ9MFA15403086311622J9ROXFABJ442A",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "\"machine_name\"=>\"(.*?)\"",
"description": "machine_name",
"is_token": 1,
"correlation_rules": [{"correlation_rule_id": "HJWLA72FHP86IIFG1540308595425K4M5K78AFUPQSP"
}
]
}
]
}
]
},
{"policy_module_id": "V21JQXARFVEWM4311553090198801LJKTNMDT06IWSQ",
"name": "Avaya Call Management System V3 Traps",
"description": null,
"enabled": 0,
"locked": 0,
"disable_on_failover": 0,
"policy_filters": [{"policy_filter_id": "SRWF96PUY6RLVA711553090266761GNXMD4OVD2HA16",
"xml_tag": "SCDTS",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "<ASSET_NAME>(.*?)<",
"description": "Asset name",
"is_token": 1,
"policy_modules": [{"policy_module_id": "V21JQXARFVEWM4311553090198801LJKTNMDT06IWSQ"
}
]
},
{"policy_filter_id": "D07CX3WPJG406HRW155309036368058AW6D94V871CO",
"xml_tag": "METHOD",
"pattern_name": "Regular Expression Match",
"pattern": "(local_syslog)",
"description": "SNMP v3 traps",
"is_token": 0,
"policy_modules": [{"policy_module_id": "V21JQXARFVEWM4311553090198801LJKTNMDT06IWSQ"
}
]
},
{"policy_filter_id": "PW8JITSCO3FUNP8I1553090319693GPTQLXDQEE4TVG",
"xml_tag": "SCDTS",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "<ADDRESS>(.*?)<",
"description": "Asset IP",
"is_token": 2,
"policy_modules": [{"policy_module_id": "V21JQXARFVEWM4311553090198801LJKTNMDT06IWSQ"
}
]
}
],
"correlation_rules": [{"correlation_rule_id": "DEV8KHX8M3NT1W4J1553090841127Q2IIHOMRWA52X3",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "CMS Test Alarm",
"threat_score": 31,
"threshold": 1,
"window": 60,
"status": 5,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 1,
"search_filter": "AV-CMS-MIB",
"description": "Major",
"policy_modules": [{"policy_module_id": "V21JQXARFVEWM4311553090198801LJKTNMDT06IWSQ"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "C2UVP4WGRBSGT7TN1553092689941B9UEIJR69FR4CQ",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "\\sUDP:\\s\\[(.*?)\\]:",
"description": "Source IP",
"is_token": 3,
"correlation_rules": [{"correlation_rule_id": "DEV8KHX8M3NT1W4J1553090841127Q2IIHOMRWA52X3"
}
]
},
{"rule_definition_id": "I4XP57B0KB867EY715530927123955LXOOWEESTU2MU",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "\\sAV-CMS-MIB::(avCmsTestAlarm)\\s",
"description": "MIB string",
"is_token": 4,
"correlation_rules": [{"correlation_rule_id": "DEV8KHX8M3NT1W4J1553090841127Q2IIHOMRWA52X3"
}
]
},
{"rule_definition_id": "WWONCCMY4JEINQWI15530928556765P8B9K8SM9AGX9",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "AV-AURA-SERVICEABILITY-AGENT-MIB::avAuraServAgentNotificationLogEventId\\s=\\sSTRING:\\s\"(.*?)\"",
"description": "Notification string",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "DEV8KHX8M3NT1W4J1553090841127Q2IIHOMRWA52X3"
}
]
}
]
},
{"correlation_rule_id": "RN4NMGPCH2OUCMIP1553093329119954H6RHPV9RJWM",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "CMS Test Alarm Clear",
"threat_score": 0,
"threshold": 1,
"window": 60,
"status": 5,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 1,
"search_filter": "AV-CMS-MIB",
"description": "Cleared",
"policy_modules": [{"policy_module_id": "V21JQXARFVEWM4311553090198801LJKTNMDT06IWSQ"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "BA30QNOVAN1PM7TK1553093329119BGCKLOU1HOA0SQ",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "\\sUDP:\\s\\[(.*?)\\]:",
"description": "Source IP",
"is_token": 3,
"correlation_rules": [{"correlation_rule_id": "RN4NMGPCH2OUCMIP1553093329119954H6RHPV9RJWM"
}
]
},
{"rule_definition_id": "W25JKDLFUBGMI5FP1553093329119F43HJ87HQV52SH",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "\\sAV-CMS-MIB::(avCmsTestAlarmClr)\\s",
"description": "MIB string",
"is_token": 4,
"correlation_rules": [{"correlation_rule_id": "RN4NMGPCH2OUCMIP1553093329119954H6RHPV9RJWM"
}
]
},
{"rule_definition_id": "J2VJQL6PA6GLGR1415530933291195PWV1HS5U3Q250",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "AV-AURA-SERVICEABILITY-AGENT-MIB::avAuraServAgentNotificationLogEventId\\s=\\sSTRING:\\s\"(.*?)\"",
"description": "Notification string",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "RN4NMGPCH2OUCMIP1553093329119954H6RHPV9RJWM"
}
]
}
]
},
{"correlation_rule_id": "HCHU6FWIVSVWMPFC1553096487511HCEJW5J0E0U75L",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "CMS ES Alarm",
"threat_score": 31,
"threshold": 1,
"window": 60,
"status": 5,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 1,
"search_filter": "AV-CMS-MIB",
"description": "Major",
"policy_modules": [{"policy_module_id": "V21JQXARFVEWM4311553090198801LJKTNMDT06IWSQ"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "QFKJ8AVVDQROJW3315530964875113UUGGD5MI4JOV2",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "\\sUDP:\\s\\[(.*?)\\]:",
"description": "Source IP",
"is_token": 3,
"correlation_rules": [{"correlation_rule_id": "HCHU6FWIVSVWMPFC1553096487511HCEJW5J0E0U75L"
}
]
},
{"rule_definition_id": "DJP885VWIT41648K1553096487511GVLRBMRD25NEI9",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "\\sAV-CMS-MIB::(avCmsEsAlarm)\\s",
"description": "MIB string",
"is_token": 4,
"correlation_rules": [{"correlation_rule_id": "HCHU6FWIVSVWMPFC1553096487511HCEJW5J0E0U75L"
}
]
},
{"rule_definition_id": "SAFLBTOBTNRMO08E1553096487511KAGLXDY94RHVJE",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "AV-AURA-SERVICEABILITY-AGENT-MIB::avAuraServAgentNotificationLogEventId\\s=\\sSTRING:\\s\"(.*?)\"",
"description": "Notification string",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "HCHU6FWIVSVWMPFC1553096487511HCEJW5J0E0U75L"
}
]
}
]
},
{"correlation_rule_id": "X4R2XVXUBVEP88O415530965641123HQ7959OLMSATL",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "CMS ES Alarm Clear",
"threat_score": 0,
"threshold": 1,
"window": 60,
"status": 5,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 1,
"search_filter": "AV-CMS-MIB",
"description": "Cleared",
"policy_modules": [{"policy_module_id": "V21JQXARFVEWM4311553090198801LJKTNMDT06IWSQ"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "B1UI3N0PLF3LR2EN15530965641123PRQLPHOY50CU7",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "\\sUDP:\\s\\[(.*?)\\]:",
"description": "Source IP",
"is_token": 3,
"correlation_rules": [{"correlation_rule_id": "X4R2XVXUBVEP88O415530965641123HQ7959OLMSATL"
}
]
},
{"rule_definition_id": "IQWQ8W6G2428EPOP1553096564112LDK78D49M1KDLE",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "\\sAV-CMS-MIB::(avCmsEsAlarmClr)\\s",
"description": "MIB string",
"is_token": 4,
"correlation_rules": [{"correlation_rule_id": "X4R2XVXUBVEP88O415530965641123HQ7959OLMSATL"
}
]
},
{"rule_definition_id": "KIC4SXK4BS14JHIH1553096564112WSHOOLCTMW8LVA",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "AV-AURA-SERVICEABILITY-AGENT-MIB::avAuraServAgentNotificationLogEventId\\s=\\sSTRING:\\s\"(.*?)\"",
"description": "Notification string",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "X4R2XVXUBVEP88O415530965641123HQ7959OLMSATL"
}
]
}
]
},
{"correlation_rule_id": "S5VRRQR13B7VUL0D1553096612734IT5XKEG94KTQYR",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "CMS Link Alarm",
"threat_score": 31,
"threshold": 1,
"window": 60,
"status": 5,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 1,
"search_filter": "AV-CMS-MIB",
"description": "Major",
"policy_modules": [{"policy_module_id": "V21JQXARFVEWM4311553090198801LJKTNMDT06IWSQ"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "OWY6W4YQONLH0NUW1553096612734SLS2KTBGYV2MXS",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "\\sUDP:\\s\\[(.*?)\\]:",
"description": "Source IP",
"is_token": 3,
"correlation_rules": [{"correlation_rule_id": "S5VRRQR13B7VUL0D1553096612734IT5XKEG94KTQYR"
}
]
},
{"rule_definition_id": "W8M8YOAQY0SUSYAV1553096612734S205D9FIF27VVH",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "\\sAV-CMS-MIB::(avCmsLinkAlarm)\\s",
"description": "MIB string",
"is_token": 4,
"correlation_rules": [{"correlation_rule_id": "S5VRRQR13B7VUL0D1553096612734IT5XKEG94KTQYR"
}
]
},
{"rule_definition_id": "AJ91CP4BNI77C81N15530966127348TMVRMP1WFGN35",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "AV-AURA-SERVICEABILITY-AGENT-MIB::avAuraServAgentNotificationLogEventId\\s=\\sSTRING:\\s\"(.*?)\"",
"description": "Notification string",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "S5VRRQR13B7VUL0D1553096612734IT5XKEG94KTQYR"
}
]
}
]
},
{"correlation_rule_id": "C7HOCBMDN65DDYG71553096647869N8I791BWLATL9S",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "CMS Link Alarm Clear",
"threat_score": 0,
"threshold": 1,
"window": 60,
"status": 5,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 1,
"search_filter": "AV-CMS-MIB",
"description": "Cleared",
"policy_modules": [{"policy_module_id": "V21JQXARFVEWM4311553090198801LJKTNMDT06IWSQ"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "X4Q6F0W9W06419I3155309664786985X2X5J0NND9FS",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "\\sUDP:\\s\\[(.*?)\\]:",
"description": "Source IP",
"is_token": 3,
"correlation_rules": [{"correlation_rule_id": "C7HOCBMDN65DDYG71553096647869N8I791BWLATL9S"
}
]
},
{"rule_definition_id": "NVQPRBPI1950GULS1553096647869WI1CUT072CJA03",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "\\sAV-CMS-MIB::(avCmsLinkAlarmClr)\\s",
"description": "MIB string",
"is_token": 4,
"correlation_rules": [{"correlation_rule_id": "C7HOCBMDN65DDYG71553096647869N8I791BWLATL9S"
}
]
},
{"rule_definition_id": "PYK4WHH27Q9P047G1553096647869OULD8DTVLV8LDS",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "AV-AURA-SERVICEABILITY-AGENT-MIB::avAuraServAgentNotificationLogEventId\\s=\\sSTRING:\\s\"(.*?)\"",
"description": "Notification string",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "C7HOCBMDN65DDYG71553096647869N8I791BWLATL9S"
}
]
}
]
},
{"correlation_rule_id": "SL5AHFDQURGP3G1D1553096699989N5UDVT79A1NN1A",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "CMS Archiver Alarm",
"threat_score": 31,
"threshold": 1,
"window": 60,
"status": 5,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 1,
"search_filter": "AV-CMS-MIB",
"description": "Major",
"policy_modules": [{"policy_module_id": "V21JQXARFVEWM4311553090198801LJKTNMDT06IWSQ"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "BDIT89SR4HDMNVYI1553096699989UV2NTUWLVOB1YN",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "\\sUDP:\\s\\[(.*?)\\]:",
"description": "Source IP",
"is_token": 3,
"correlation_rules": [{"correlation_rule_id": "SL5AHFDQURGP3G1D1553096699989N5UDVT79A1NN1A"
}
]
},
{"rule_definition_id": "VW49PMUBVYTP1CUN15530966999890YDOYKH9YLFV9T",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "\\sAV-CMS-MIB::(avCmsArchAlarm)\\s",
"description": "MIB string",
"is_token": 4,
"correlation_rules": [{"correlation_rule_id": "SL5AHFDQURGP3G1D1553096699989N5UDVT79A1NN1A"
}
]
},
{"rule_definition_id": "SXJC5KRFUYRWA6X91553096699989IM0FJHXLHRVWKH",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "AV-AURA-SERVICEABILITY-AGENT-MIB::avAuraServAgentNotificationLogEventId\\s=\\sSTRING:\\s\"(.*?)\"",
"description": "Notification string",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "SL5AHFDQURGP3G1D1553096699989N5UDVT79A1NN1A"
}
]
}
]
},
{"correlation_rule_id": "I721MO4S27FY295L1553096746091SSPW6TO8921TIK",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "CMS Archiver Alarm Clear",
"threat_score": 0,
"threshold": 1,
"window": 60,
"status": 5,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 1,
"search_filter": "AV-CMS-MIB",
"description": "Cleared",
"policy_modules": [{"policy_module_id": "V21JQXARFVEWM4311553090198801LJKTNMDT06IWSQ"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "T071KA1HO8437L7L1553096746091EJNOF6PQXLIL0T",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "\\sUDP:\\s\\[(.*?)\\]:",
"description": "Source IP",
"is_token": 3,
"correlation_rules": [{"correlation_rule_id": "I721MO4S27FY295L1553096746091SSPW6TO8921TIK"
}
]
},
{"rule_definition_id": "XCS1QRQJ529G0KAP15530967460912TE5YN6RUJSFVJ",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "\\sAV-CMS-MIB::(avCmsArchAlarmClr)\\s",
"description": "MIB string",
"is_token": 4,
"correlation_rules": [{"correlation_rule_id": "I721MO4S27FY295L1553096746091SSPW6TO8921TIK"
}
]
},
{"rule_definition_id": "XMDA9AT9VVHBACLW1553096746091R94YS96Y4F3PQW",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "AV-AURA-SERVICEABILITY-AGENT-MIB::avAuraServAgentNotificationLogEventId\\s=\\sSTRING:\\s\"(.*?)\"",
"description": "Notification string",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "I721MO4S27FY295L1553096746091SSPW6TO8921TIK"
}
]
}
]
},
{"correlation_rule_id": "Y8F8LS2DFIDH9VQC155309678482550SQXNIC462G66",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "CMS Disk Error Alarm",
"threat_score": 31,
"threshold": 1,
"window": 60,
"status": 5,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 1,
"search_filter": "AV-CMS-MIB",
"description": "Major",
"policy_modules": [{"policy_module_id": "V21JQXARFVEWM4311553090198801LJKTNMDT06IWSQ"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "FA02T2Q112NJK5KF1553096784825RUIV5GP3IAMEVE",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "\\sUDP:\\s\\[(.*?)\\]:",
"description": "Source IP",
"is_token": 3,
"correlation_rules": [{"correlation_rule_id": "Y8F8LS2DFIDH9VQC155309678482550SQXNIC462G66"
}
]
},
{"rule_definition_id": "RW54VHKN3QR7T4Y515530967848256WBS5D4DEPTUHW",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "\\sAV-CMS-MIB::(avCmsDiskErrAlarm)\\s",
"description": "MIB string",
"is_token": 4,
"correlation_rules": [{"correlation_rule_id": "Y8F8LS2DFIDH9VQC155309678482550SQXNIC462G66"
}
]
},
{"rule_definition_id": "AUX1LEJP9CLGAY1R1553096784825L34M31PLI8MW1D",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "AV-AURA-SERVICEABILITY-AGENT-MIB::avAuraServAgentNotificationLogEventId\\s=\\sSTRING:\\s\"(.*?)\"",
"description": "Notification string",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "Y8F8LS2DFIDH9VQC155309678482550SQXNIC462G66"
}
]
}
]
},
{"correlation_rule_id": "CVU9N3W923NTF9J61553096951796WRORO9UFEVPT5F",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "CMS Disk Error Alarm Clear",
"threat_score": 0,
"threshold": 1,
"window": 60,
"status": 5,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 1,
"search_filter": "AV-CMS-MIB",
"description": "Cleared",
"policy_modules": [{"policy_module_id": "V21JQXARFVEWM4311553090198801LJKTNMDT06IWSQ"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "MX5GK6D0AT9FQFXG1553096951796PWD8NRLL9D8SL2",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "\\sUDP:\\s\\[(.*?)\\]:",
"description": "Source IP",
"is_token": 3,
"correlation_rules": [{"correlation_rule_id": "CVU9N3W923NTF9J61553096951796WRORO9UFEVPT5F"
}
]
},
{"rule_definition_id": "KPAX9UVMGWV9SR4G1553096951796J3CNVOHI5ETI9D",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "\\sAV-CMS-MIB::(avCmsDiskErrAlarmClr)\\s",
"description": "MIB string",
"is_token": 4,
"correlation_rules": [{"correlation_rule_id": "CVU9N3W923NTF9J61553096951796WRORO9UFEVPT5F"
}
]
},
{"rule_definition_id": "VNDB4BNSHEBESMHF1553096951796X6257NHLN6RJ27",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "AV-AURA-SERVICEABILITY-AGENT-MIB::avAuraServAgentNotificationLogEventId\\s=\\sSTRING:\\s\"(.*?)\"",
"description": "Notification string",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "CVU9N3W923NTF9J61553096951796WRORO9UFEVPT5F"
}
]
}
]
},
{"correlation_rule_id": "K160QEY8YLTO3W2X1553103745805ETVT2V47TROVF4",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "CMS ECH Warning Alarm",
"threat_score": 11,
"threshold": 1,
"window": 60,
"status": 5,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 1,
"search_filter": "AV-CMS-MIB",
"description": "warning ",
"policy_modules": [{"policy_module_id": "V21JQXARFVEWM4311553090198801LJKTNMDT06IWSQ"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "GUPXYJ1J7P64GTHB15531037458057COHB0KF9PBL3Y",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "\\sUDP:\\s\\[(.*?)\\]:",
"description": "Source IP",
"is_token": 3,
"correlation_rules": [{"correlation_rule_id": "K160QEY8YLTO3W2X1553103745805ETVT2V47TROVF4"
}
]
},
{"rule_definition_id": "B34RLKS55UV1GBO115531037458055EHEPR8UGJI9WQ",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "\\sAV-CMS-MIB::(avCmsEchWarnAlarm)\\s",
"description": "MIB string",
"is_token": 4,
"correlation_rules": [{"correlation_rule_id": "K160QEY8YLTO3W2X1553103745805ETVT2V47TROVF4"
}
]
},
{"rule_definition_id": "VBGL5C97B75D8QPU1553103745805H6XEXJQPO8VPYK",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "AV-AURA-SERVICEABILITY-AGENT-MIB::avAuraServAgentNotificationLogEventId\\s=\\sSTRING:\\s\"(.*?)\"",
"description": "Notification string",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "K160QEY8YLTO3W2X1553103745805ETVT2V47TROVF4"
}
]
}
]
},
{"correlation_rule_id": "RJ74LN78UBAJQUVS15531038506449E56E8FYQYCUBE",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "CMS ECH Warning Alarm Clear",
"threat_score": 0,
"threshold": 1,
"window": 60,
"status": 5,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 1,
"search_filter": "AV-CMS-MIB",
"description": "cleared",
"policy_modules": [{"policy_module_id": "V21JQXARFVEWM4311553090198801LJKTNMDT06IWSQ"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "WXQX9NB993AGSXV31553103850644HHXI09HMO53CVH",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "\\sUDP:\\s\\[(.*?)\\]:",
"description": "Source IP",
"is_token": 3,
"correlation_rules": [{"correlation_rule_id": "RJ74LN78UBAJQUVS15531038506449E56E8FYQYCUBE"
}
]
},
{"rule_definition_id": "KV8LMNMRR5OAGJBX1553103850644DVONQVRCGQI0PC",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "\\sAV-CMS-MIB::(avCmsEchWarnAlarmClr)\\s",
"description": "MIB string",
"is_token": 4,
"correlation_rules": [{"correlation_rule_id": "RJ74LN78UBAJQUVS15531038506449E56E8FYQYCUBE"
}
]
},
{"rule_definition_id": "PJTPNCOX8MAJN71E1553103850644D4YQEDN574UAMG",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "AV-AURA-SERVICEABILITY-AGENT-MIB::avAuraServAgentNotificationLogEventId\\s=\\sSTRING:\\s\"(.*?)\"",
"description": "Notification string",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "RJ74LN78UBAJQUVS15531038506449E56E8FYQYCUBE"
}
]
}
]
},
{"correlation_rule_id": "MG8L0R2GQVQB829O1553103894270PA5PWYNQXL5NPH",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "CMS ECH Failure Alarm",
"threat_score": 31,
"threshold": 1,
"window": 60,
"status": 5,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 1,
"search_filter": "AV-CMS-MIB",
"description": "warning ",
"policy_modules": [{"policy_module_id": "V21JQXARFVEWM4311553090198801LJKTNMDT06IWSQ"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "NY3S2MQW6LG0BXU11553103894271WE5E9JKD0FECUK",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "\\sUDP:\\s\\[(.*?)\\]:",
"description": "Source IP",
"is_token": 3,
"correlation_rules": [{"correlation_rule_id": "MG8L0R2GQVQB829O1553103894270PA5PWYNQXL5NPH"
}
]
},
{"rule_definition_id": "EVPU5QR4VCNYW7UO1553103894271QC2D2ML9MEKHXY",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "\\sAV-CMS-MIB::(avCmsEchFailAlarm)\\s",
"description": "MIB string",
"is_token": 4,
"correlation_rules": [{"correlation_rule_id": "MG8L0R2GQVQB829O1553103894270PA5PWYNQXL5NPH"
}
]
},
{"rule_definition_id": "A561R9YN3709H80W15531038942710LMDPYDIPBTX80",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "AV-AURA-SERVICEABILITY-AGENT-MIB::avAuraServAgentNotificationLogEventId\\s=\\sSTRING:\\s\"(.*?)\"",
"description": "Notification string",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "MG8L0R2GQVQB829O1553103894270PA5PWYNQXL5NPH"
}
]
}
]
},
{"correlation_rule_id": "FW2IV29XRW9RV34V1553103942173FFNX2RGFG9HCR2",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "CMS ECH Failure Alarm Clear",
"threat_score": 0,
"threshold": 1,
"window": 60,
"status": 5,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 1,
"search_filter": "AV-CMS-MIB",
"description": "warning ",
"policy_modules": [{"policy_module_id": "V21JQXARFVEWM4311553090198801LJKTNMDT06IWSQ"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "S2ILOULUPUOX0UC21553103942173TG9U16DQ8UFOJ0",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "\\sUDP:\\s\\[(.*?)\\]:",
"description": "Source IP",
"is_token": 3,
"correlation_rules": [{"correlation_rule_id": "FW2IV29XRW9RV34V1553103942173FFNX2RGFG9HCR2"
}
]
},
{"rule_definition_id": "WETY9YPOXSPD8JYD1553103942174AW5WOS2TSOSEPF",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "\\sAV-CMS-MIB::(avCmsEchFailAlarmClr)\\s",
"description": "MIB string",
"is_token": 4,
"correlation_rules": [{"correlation_rule_id": "FW2IV29XRW9RV34V1553103942173FFNX2RGFG9HCR2"
}
]
},
{"rule_definition_id": "HVE7PBBKTOJQYMSV15531039421749O3P2H1YD9RMFH",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "AV-AURA-SERVICEABILITY-AGENT-MIB::avAuraServAgentNotificationLogEventId\\s=\\sSTRING:\\s\"(.*?)\"",
"description": "Notification string",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "FW2IV29XRW9RV34V1553103942173FFNX2RGFG9HCR2"
}
]
}
]
},
{"correlation_rule_id": "OJ3GSPY6JAD2DKTV155310664660944SQWMNH3C1P1E",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "CMS Surviving Alarm",
"threat_score": 31,
"threshold": 1,
"window": 60,
"status": 5,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 1,
"search_filter": "AV-CMS-MIB",
"description": "warning ",
"policy_modules": [{"policy_module_id": "V21JQXARFVEWM4311553090198801LJKTNMDT06IWSQ"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "VJPW0R7YBXD1OJYU1553106646610ARYTI4EKN94WON",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "\\sUDP:\\s\\[(.*?)\\]:",
"description": "Source IP",
"is_token": 3,
"correlation_rules": [{"correlation_rule_id": "OJ3GSPY6JAD2DKTV155310664660944SQWMNH3C1P1E"
}
]
},
{"rule_definition_id": "EDHW2N4GTUJ4I15K1553106646610W1S0MEHEHE7UXE",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "\\sAV-CMS-MIB::(avCmsSurvAlarm)\\s",
"description": "MIB string",
"is_token": 4,
"correlation_rules": [{"correlation_rule_id": "OJ3GSPY6JAD2DKTV155310664660944SQWMNH3C1P1E"
}
]
},
{"rule_definition_id": "KLJLEPYN4N4RT15315531066466118N3V9YRDLR1JEQ",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "AV-AURA-SERVICEABILITY-AGENT-MIB::avAuraServAgentNotificationLogEventId\\s=\\sSTRING:\\s\"(.*?)\"",
"description": "Notification string",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "OJ3GSPY6JAD2DKTV155310664660944SQWMNH3C1P1E"
}
]
}
]
},
{"correlation_rule_id": "YI5WX28DT7RICKET1553106687040WQ5JNUFI81CVUO",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "CMS Surviving Alarm Clear",
"threat_score": 0,
"threshold": 1,
"window": 60,
"status": 5,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 1,
"search_filter": "AV-CMS-MIB",
"description": "cleared",
"policy_modules": [{"policy_module_id": "V21JQXARFVEWM4311553090198801LJKTNMDT06IWSQ"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "GMTY4FCVV4WJADTK1553106687040VN02YDUMKH02GS",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "\\sUDP:\\s\\[(.*?)\\]:",
"description": "Source IP",
"is_token": 3,
"correlation_rules": [{"correlation_rule_id": "YI5WX28DT7RICKET1553106687040WQ5JNUFI81CVUO"
}
]
},
{"rule_definition_id": "V198PWL6YRLQQMV71553106687040GETFS29DS11OUE",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "\\sAV-CMS-MIB::(avCmsSurvAlarmClr)\\s",
"description": "MIB string",
"is_token": 4,
"correlation_rules": [{"correlation_rule_id": "YI5WX28DT7RICKET1553106687040WQ5JNUFI81CVUO"
}
]
},
{"rule_definition_id": "M3M77ENWQF31GONX1553106687040EYDDSC95LPEH93",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "AV-AURA-SERVICEABILITY-AGENT-MIB::avAuraServAgentNotificationLogEventId\\s=\\sSTRING:\\s\"(.*?)\"",
"description": "Notification string",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "YI5WX28DT7RICKET1553106687040WQ5JNUFI81CVUO"
}
]
}
]
},
{"correlation_rule_id": "F3796UFL7K20XBHT15531067100353RV0FE6IN07A9Y",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "CMS Disk Warning Alarm",
"threat_score": 31,
"threshold": 1,
"window": 60,
"status": 5,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 1,
"search_filter": "AV-CMS-MIB",
"description": "warning ",
"policy_modules": [{"policy_module_id": "V21JQXARFVEWM4311553090198801LJKTNMDT06IWSQ"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "UEHCF4GY65HJA6DX155310671003687203VP5N69I7Y",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "\\sUDP:\\s\\[(.*?)\\]:",
"description": "Source IP",
"is_token": 3,
"correlation_rules": [{"correlation_rule_id": "F3796UFL7K20XBHT15531067100353RV0FE6IN07A9Y"
}
]
},
{"rule_definition_id": "DNV6XMRLYA8LNRXL1553106710036P19BAJOHM8XKIX",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "\\sAV-CMS-MIB::(avCmsDiskWarn)\\s",
"description": "MIB string",
"is_token": 4,
"correlation_rules": [{"correlation_rule_id": "F3796UFL7K20XBHT15531067100353RV0FE6IN07A9Y"
}
]
},
{"rule_definition_id": "LJWEG7S3SMA6SSQ31553106710036233P1UBYPQ7O93",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "AV-AURA-SERVICEABILITY-AGENT-MIB::avAuraServAgentNotificationLogEventId\\s=\\sSTRING:\\s\"(.*?)\"",
"description": "Notification string",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "F3796UFL7K20XBHT15531067100353RV0FE6IN07A9Y"
}
]
}
]
},
{"correlation_rule_id": "FC6V6T9WFIHTJUUP1553106788707MOCDT7S4CFRQCH",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "CMS Disk Warning Alarm Clear",
"threat_score": 0,
"threshold": 1,
"window": 60,
"status": 5,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 1,
"search_filter": "AV-CMS-MIB",
"description": "cleared",
"policy_modules": [{"policy_module_id": "V21JQXARFVEWM4311553090198801LJKTNMDT06IWSQ"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "PXGWUWQQ41EQ2PUL1553106788707ELS9JG939LC9CM",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "\\sUDP:\\s\\[(.*?)\\]:",
"description": "Source IP",
"is_token": 3,
"correlation_rules": [{"correlation_rule_id": "FC6V6T9WFIHTJUUP1553106788707MOCDT7S4CFRQCH"
}
]
},
{"rule_definition_id": "UPVID0L5F4MCFJMG1553106788707HB2LGXQN6YO9G0",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "\\sAV-CMS-MIB::(avCmsDiskWarnClr)\\s",
"description": "MIB string",
"is_token": 4,
"correlation_rules": [{"correlation_rule_id": "FC6V6T9WFIHTJUUP1553106788707MOCDT7S4CFRQCH"
}
]
},
{"rule_definition_id": "H9O74ENS3A1PBSIE15531067887078Q9R9OA6TCH43O",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "AV-AURA-SERVICEABILITY-AGENT-MIB::avAuraServAgentNotificationLogEventId\\s=\\sSTRING:\\s\"(.*?)\"",
"description": "Notification string",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "FC6V6T9WFIHTJUUP1553106788707MOCDT7S4CFRQCH"
}
]
}
]
},
{"correlation_rule_id": "GLVLCGK05LP0GTHM15531069630581CSYV6D0J74927",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "CMS Battery Error Alarm",
"threat_score": 31,
"threshold": 1,
"window": 60,
"status": 5,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 1,
"search_filter": "AV-CMS-MIB",
"description": "major",
"policy_modules": [{"policy_module_id": "V21JQXARFVEWM4311553090198801LJKTNMDT06IWSQ"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "VCCJYNOE3APK3DDM1553106963058AD5DHJAXYJHTYJ",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "\\sUDP:\\s\\[(.*?)\\]:",
"description": "Source IP",
"is_token": 3,
"correlation_rules": [{"correlation_rule_id": "GLVLCGK05LP0GTHM15531069630581CSYV6D0J74927"
}
]
},
{"rule_definition_id": "W87BRO24XG4DT9WT1553106963059VI1403EVTNI6JV",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "\\sAV-CMS-MIB::(avCmsBatteryErr)\\s",
"description": "MIB string",
"is_token": 4,
"correlation_rules": [{"correlation_rule_id": "GLVLCGK05LP0GTHM15531069630581CSYV6D0J74927"
}
]
},
{"rule_definition_id": "HYFO7RTX0EC2KEOL15531069630592BLNF7M74D3ALF",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "AV-AURA-SERVICEABILITY-AGENT-MIB::avAuraServAgentNotificationLogEventId\\s=\\sSTRING:\\s\"(.*?)\"",
"description": "Notification string",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "GLVLCGK05LP0GTHM15531069630581CSYV6D0J74927"
}
]
}
]
},
{"correlation_rule_id": "BPAFYIHDXVHRJ1OB1553107033944P8G3UJTDIJ0V2V",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "CMS Battery Error Alarm Clear",
"threat_score": 0,
"threshold": 1,
"window": 60,
"status": 5,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 1,
"search_filter": "AV-CMS-MIB",
"description": "cleared",
"policy_modules": [{"policy_module_id": "V21JQXARFVEWM4311553090198801LJKTNMDT06IWSQ"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "MCYEI0NRS67OEH4Y155310703394445GN2XQMEC3THK",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "\\sUDP:\\s\\[(.*?)\\]:",
"description": "Source IP",
"is_token": 3,
"correlation_rules": [{"correlation_rule_id": "BPAFYIHDXVHRJ1OB1553107033944P8G3UJTDIJ0V2V"
}
]
},
{"rule_definition_id": "WEWI2VA2QS4JYMP815531070339445VAU592X6WICBD",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "\\sAV-CMS-MIB::(avCmsBatteryErrClr)\\s",
"description": "MIB string",
"is_token": 4,
"correlation_rules": [{"correlation_rule_id": "BPAFYIHDXVHRJ1OB1553107033944P8G3UJTDIJ0V2V"
}
]
},
{"rule_definition_id": "HAI1WXUV9MBWQMFG15531070339448PL2G8W1LCHQBE",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "AV-AURA-SERVICEABILITY-AGENT-MIB::avAuraServAgentNotificationLogEventId\\s=\\sSTRING:\\s\"(.*?)\"",
"description": "Notification string",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "BPAFYIHDXVHRJ1OB1553107033944P8G3UJTDIJ0V2V"
}
]
}
]
},
{"correlation_rule_id": "WSUQQ4PPES7W247D1553107060865D9EN1R7V8XVMLR",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "CMS Raid Battery Warning Alarm",
"threat_score": 11,
"threshold": 1,
"window": 60,
"status": 5,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 1,
"search_filter": "AV-CMS-MIB",
"description": "warning",
"policy_modules": [{"policy_module_id": "V21JQXARFVEWM4311553090198801LJKTNMDT06IWSQ"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "KB983IB1D7QW2NM415531070608655MMR661CM1V7N0",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "\\sUDP:\\s\\[(.*?)\\]:",
"description": "Source IP",
"is_token": 3,
"correlation_rules": [{"correlation_rule_id": "WSUQQ4PPES7W247D1553107060865D9EN1R7V8XVMLR"
}
]
},
{"rule_definition_id": "XYX48S3MEXW3MIS61553107060865TWJ2A4WPNTVCTD",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "\\sAV-CMS-MIB::(avCmsBatteryWrn)\\s",
"description": "MIB string",
"is_token": 4,
"correlation_rules": [{"correlation_rule_id": "WSUQQ4PPES7W247D1553107060865D9EN1R7V8XVMLR"
}
]
},
{"rule_definition_id": "X25YNAO8REIHNS411553107060866MAHNXSRW2SJ7MG",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "AV-AURA-SERVICEABILITY-AGENT-MIB::avAuraServAgentNotificationLogEventId\\s=\\sSTRING:\\s\"(.*?)\"",
"description": "Notification string",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "WSUQQ4PPES7W247D1553107060865D9EN1R7V8XVMLR"
}
]
}
]
},
{"correlation_rule_id": "NVVAKBE7PDNU5WKP155310713781517KPKKHMGPK8OT",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "CMS Raid Battery Warning Alarm Cleared",
"threat_score": 0,
"threshold": 1,
"window": 60,
"status": 5,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 1,
"search_filter": "AV-CMS-MIB",
"description": "cleared",
"policy_modules": [{"policy_module_id": "V21JQXARFVEWM4311553090198801LJKTNMDT06IWSQ"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "PPCAKL5AWU856QB41553107137815W3PSIHGVHLE2H2",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "\\sUDP:\\s\\[(.*?)\\]:",
"description": "Source IP",
"is_token": 3,
"correlation_rules": [{"correlation_rule_id": "NVVAKBE7PDNU5WKP155310713781517KPKKHMGPK8OT"
}
]
},
{"rule_definition_id": "TYN31CJMX1K3BXM61553107137815N6CNY1DO72G3L5",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "\\sAV-CMS-MIB::(avCmsBatteryWrnClr)\\s",
"description": "MIB string",
"is_token": 4,
"correlation_rules": [{"correlation_rule_id": "NVVAKBE7PDNU5WKP155310713781517KPKKHMGPK8OT"
}
]
},
{"rule_definition_id": "H429ML0CNVDB7VDN15531071378150IAKLIKXCVJCEL",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "AV-AURA-SERVICEABILITY-AGENT-MIB::avAuraServAgentNotificationLogEventId\\s=\\sSTRING:\\s\"(.*?)\"",
"description": "Notification string",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "NVVAKBE7PDNU5WKP155310713781517KPKKHMGPK8OT"
}
]
}
]
},
{"correlation_rule_id": "S86E1NGS89KKG36W1553107288812O3FMMAY2RWQ5BM",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "CMS Raid Enclosure Error Alarm",
"threat_score": 31,
"threshold": 1,
"window": 60,
"status": 5,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 1,
"search_filter": "AV-CMS-MIB",
"description": "major",
"policy_modules": [{"policy_module_id": "V21JQXARFVEWM4311553090198801LJKTNMDT06IWSQ"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "OT6AWLWK4CIA27U61553107288812T8LO3HWL95590D",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "\\sUDP:\\s\\[(.*?)\\]:",
"description": "Source IP",
"is_token": 3,
"correlation_rules": [{"correlation_rule_id": "S86E1NGS89KKG36W1553107288812O3FMMAY2RWQ5BM"
}
]
},
{"rule_definition_id": "KN6MS9H620PH804O1553107288812GGTHR2OXJXPAXX",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "\\sAV-CMS-MIB::(avCmsRaidErr)\\s",
"description": "MIB string",
"is_token": 4,
"correlation_rules": [{"correlation_rule_id": "S86E1NGS89KKG36W1553107288812O3FMMAY2RWQ5BM"
}
]
},
{"rule_definition_id": "XDH26W0QJQ24S6FB1553107288812PN17J0PX218YBN",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "AV-AURA-SERVICEABILITY-AGENT-MIB::avAuraServAgentNotificationLogEventId\\s=\\sSTRING:\\s\"(.*?)\"",
"description": "Notification string",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "S86E1NGS89KKG36W1553107288812O3FMMAY2RWQ5BM"
}
]
}
]
},
{"correlation_rule_id": "EVSX48HCDRMXUEXO1553107341225OYHKY8E984FUN7",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "CMS Raid Enclosure Error Alarm Clear",
"threat_score": 0,
"threshold": 1,
"window": 60,
"status": 5,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 1,
"search_filter": "AV-CMS-MIB",
"description": "cleared",
"policy_modules": [{"policy_module_id": "V21JQXARFVEWM4311553090198801LJKTNMDT06IWSQ"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "WH5KO8PLU18OW64K15531073412258WHFMNART8BT7J",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "\\sUDP:\\s\\[(.*?)\\]:",
"description": "Source IP",
"is_token": 3,
"correlation_rules": [{"correlation_rule_id": "EVSX48HCDRMXUEXO1553107341225OYHKY8E984FUN7"
}
]
},
{"rule_definition_id": "U6PR8278C1D5XKQG155310734122672GSGEDKO2IFFG",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "\\sAV-CMS-MIB::(avCmsRaidErrClr)\\s",
"description": "MIB string",
"is_token": 4,
"correlation_rules": [{"correlation_rule_id": "EVSX48HCDRMXUEXO1553107341225OYHKY8E984FUN7"
}
]
},
{"rule_definition_id": "IJJI3VVB4W2NRSCQ1553107341226DV1U0RKT1O1ODJ",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "AV-AURA-SERVICEABILITY-AGENT-MIB::avAuraServAgentNotificationLogEventId\\s=\\sSTRING:\\s\"(.*?)\"",
"description": "Notification string",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "EVSX48HCDRMXUEXO1553107341225OYHKY8E984FUN7"
}
]
}
]
},
{"correlation_rule_id": "SKIN4RUGPE1NUMEW1553107387857V7N3J0CEIAWEQY",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "CMS Raid Enclosure Warning Alarm",
"threat_score": 11,
"threshold": 1,
"window": 60,
"status": 5,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 1,
"search_filter": "AV-CMS-MIB",
"description": "warning",
"policy_modules": [{"policy_module_id": "V21JQXARFVEWM4311553090198801LJKTNMDT06IWSQ"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "EAQJISMDD15K01CA1553107387857Y2NK3S9QVHKJSB",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "\\sUDP:\\s\\[(.*?)\\]:",
"description": "Source IP",
"is_token": 3,
"correlation_rules": [{"correlation_rule_id": "SKIN4RUGPE1NUMEW1553107387857V7N3J0CEIAWEQY"
}
]
},
{"rule_definition_id": "CDBCJ6GUREXVG0WY1553107387857KN7Y1MURBW7E8V",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "\\sAV-CMS-MIB::(avCmsRaidWrn)\\s",
"description": "MIB string",
"is_token": 4,
"correlation_rules": [{"correlation_rule_id": "SKIN4RUGPE1NUMEW1553107387857V7N3J0CEIAWEQY"
}
]
},
{"rule_definition_id": "HMD884J5HY91F1A31553107387857Y0968OKCLC5HOI",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "AV-AURA-SERVICEABILITY-AGENT-MIB::avAuraServAgentNotificationLogEventId\\s=\\sSTRING:\\s\"(.*?)\"",
"description": "Notification string",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "SKIN4RUGPE1NUMEW1553107387857V7N3J0CEIAWEQY"
}
]
}
]
},
{"correlation_rule_id": "WT28PSKM0F37J3KI1553107435061D05E25PSUB3RSK",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "CMS Raid Enclosure Warning Alarm Clear",
"threat_score": 0,
"threshold": 1,
"window": 60,
"status": 5,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 1,
"search_filter": "AV-CMS-MIB",
"description": "cleared",
"policy_modules": [{"policy_module_id": "V21JQXARFVEWM4311553090198801LJKTNMDT06IWSQ"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "MVOBQ5JLJDJBHGKM1553107435061DE1U46CD7E8JOS",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "\\sUDP:\\s\\[(.*?)\\]:",
"description": "Source IP",
"is_token": 3,
"correlation_rules": [{"correlation_rule_id": "WT28PSKM0F37J3KI1553107435061D05E25PSUB3RSK"
}
]
},
{"rule_definition_id": "ERPDW82BYBHT9FDY1553107435061QHUOOIES1CJEXG",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "\\sAV-CMS-MIB::(avCmsRaidWrn)\\s",
"description": "MIB string",
"is_token": 4,
"correlation_rules": [{"correlation_rule_id": "WT28PSKM0F37J3KI1553107435061D05E25PSUB3RSK"
}
]
},
{"rule_definition_id": "XHHTMKHF1P333F8215531074350619T857Y58XRCQ6F",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "AV-AURA-SERVICEABILITY-AGENT-MIB::avAuraServAgentNotificationLogEventId\\s=\\sSTRING:\\s\"(.*?)\"",
"description": "Notification string",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "WT28PSKM0F37J3KI1553107435061D05E25PSUB3RSK"
}
]
}
]
},
{"correlation_rule_id": "M5KPFA0LPB109AD61553107493156I1S5KF2UIBDYY7",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "CMS Backup Warning Alarm",
"threat_score": 11,
"threshold": 1,
"window": 60,
"status": 5,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 1,
"search_filter": "AV-CMS-MIB",
"description": "warning ",
"policy_modules": [{"policy_module_id": "V21JQXARFVEWM4311553090198801LJKTNMDT06IWSQ"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "GS8SJ132UE8XBOIE1553107493156NG2FXWEAS0FH4N",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "\\sUDP:\\s\\[(.*?)\\]:",
"description": "Source IP",
"is_token": 3,
"correlation_rules": [{"correlation_rule_id": "M5KPFA0LPB109AD61553107493156I1S5KF2UIBDYY7"
}
]
},
{"rule_definition_id": "MXDL6Q3IMID9K5H51553107493156ITNSKDIS63FA2V",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "\\sAV-CMS-MIB::(avCmsBackWrn)\\s",
"description": "MIB string",
"is_token": 4,
"correlation_rules": [{"correlation_rule_id": "M5KPFA0LPB109AD61553107493156I1S5KF2UIBDYY7"
}
]
},
{"rule_definition_id": "EQJ65TVRT8YL9RVT15531074931564C9IOWRCFQ8SGO",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "AV-AURA-SERVICEABILITY-AGENT-MIB::avAuraServAgentNotificationLogEventId\\s=\\sSTRING:\\s\"(.*?)\"",
"description": "Notification string",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "M5KPFA0LPB109AD61553107493156I1S5KF2UIBDYY7"
}
]
}
]
},
{"correlation_rule_id": "PO6P2IVHDYMX8KAC1553107527480H1R00JL52AC4VL",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "CMS Backup Warning Alarm Clear",
"threat_score": 0,
"threshold": 1,
"window": 60,
"status": 5,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 1,
"search_filter": "AV-CMS-MIB",
"description": "cleared",
"policy_modules": [{"policy_module_id": "V21JQXARFVEWM4311553090198801LJKTNMDT06IWSQ"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "TO0SURG47PAO25DQ1553107527480FJYVSKJY3FVYF7",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "\\sUDP:\\s\\[(.*?)\\]:",
"description": "Source IP",
"is_token": 3,
"correlation_rules": [{"correlation_rule_id": "PO6P2IVHDYMX8KAC1553107527480H1R00JL52AC4VL"
}
]
},
{"rule_definition_id": "OTKJCX3URF9E5VEO1553107527480OFII5YQLMTCH3I",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "\\sAV-CMS-MIB::(avCmsBackWrnClr)\\s",
"description": "MIB string",
"is_token": 4,
"correlation_rules": [{"correlation_rule_id": "PO6P2IVHDYMX8KAC1553107527480H1R00JL52AC4VL"
}
]
},
{"rule_definition_id": "PSP7KYNSH03GRV1H1553107527480EOX7B8A45MXS5V",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "AV-AURA-SERVICEABILITY-AGENT-MIB::avAuraServAgentNotificationLogEventId\\s=\\sSTRING:\\s\"(.*?)\"",
"description": "Notification string",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "PO6P2IVHDYMX8KAC1553107527480H1R00JL52AC4VL"
}
]
}
]
}
]
},
{"policy_module_id": "CMJNAEG5IA9UINE11565014962977I1OC9NT7H09PPI",
"name": "Touy",
"description": null,
"enabled": 1,
"locked": 0,
"disable_on_failover": 0,
"policy_filters": [ ],
"correlation_rules": [{"correlation_rule_id": "LMNOS5E3L062HVCS1565014967837WOL95BAY1NVL4F",
"crtype_name": "Simple",
"craction_name": "Respond",
"name": "Tcritical",
"threat_score": 60,
"threshold": 1,
"window": 60,
"status": 1,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "TTEST",
"description": "",
"policy_modules": [{"policy_module_id": "CMJNAEG5IA9UINE11565014962977I1OC9NT7H09PPI"
}
],
"response_procedures": [{"response_procedure_id": "HJ3XIJSRA2IGWTN31674657527752OOEQD1ABL379LF",
"name": "Touy IRP with email",
"description": null,
"locked": 0,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "UO7HGP5415DRTE4216746575660993NRN4QEO5MQPKX"
},
{"response_method_id": "BMDYAHC9PK8AE7MT167465756609991FPUXW1N2V57K"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "MS840MLINJXVH2GQ1565015986461C0AKQM368DXD0X",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "Ttest:.*(critical)\\salert.*",
"description": "Severity",
"is_token": 2,
"correlation_rules": [{"correlation_rule_id": "LMNOS5E3L062HVCS1565014967837WOL95BAY1NVL4F"
}
]
},
{"rule_definition_id": "Y24R170WCPHSOLPL157920451125747RL7E1NPMR6OA",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "Ttest:\\s\\b((?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\b):",
"description": "Asset IP",
"is_token": 1,
"correlation_rules": [{"correlation_rule_id": "LMNOS5E3L062HVCS1565014967837WOL95BAY1NVL4F"
}
]
}
]
},
{"correlation_rule_id": "O2YPM3RN87OKJ7B21565016035690OA1CG5K2S0XVOE",
"crtype_name": "Simple",
"craction_name": "Respond",
"name": "Tmajor Respond 1:1",
"threat_score": 31,
"threshold": 1,
"window": 60,
"status": 0,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "TTEST",
"description": "",
"policy_modules": [{"policy_module_id": "CMJNAEG5IA9UINE11565014962977I1OC9NT7H09PPI"
}
],
"response_procedures": [{"response_procedure_id": "I4VYGS7GAB0N5HGQ1584480056216JBPPXKBQYNE43E",
"name": "Touy Non Event IRP",
"description": null,
"locked": 0,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "EBTQA5LN39Q0CVPR1634051349646L3SSV665A8FDTX"
},
{"response_method_id": "S5VLNG7W7TCJFL9716340513496466J1QIGDNYB5QWG"
},
{"response_method_id": "GSNDY2U60CT300PT1634051349646A1O86HFJ7DK07Y"
},
{"response_method_id": "IEKF7329QPE3RSNU1634051349646CXMS0XVMFRAP4K"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "T336CMLP5ORJWNI81565016035691I180FLP6N8Q3V3",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "Ttest:.*(major)\\salert.*",
"description": "Severity",
"is_token": 2,
"correlation_rules": [{"correlation_rule_id": "O2YPM3RN87OKJ7B21565016035690OA1CG5K2S0XVOE"
}
]
},
{"rule_definition_id": "LQNCESCS1QRC0DXG1579204582956TO2PSV876THW6J",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "Ttest:\\s\\b((?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\b):",
"description": "Asset IP",
"is_token": 1,
"correlation_rules": [{"correlation_rule_id": "O2YPM3RN87OKJ7B21565016035690OA1CG5K2S0XVOE"
}
]
}
]
},
{"correlation_rule_id": "G28O2VIG6RTC70SA1565016061313SJLCCJ9WV4JRR0",
"crtype_name": "Simple",
"craction_name": "Respond",
"name": "Tminor",
"threat_score": 11,
"threshold": 1,
"window": 60,
"status": 0,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "TTEST",
"description": "",
"policy_modules": [{"policy_module_id": "CMJNAEG5IA9UINE11565014962977I1OC9NT7H09PPI"
}
],
"response_procedures": [{"response_procedure_id": "KYSBBBT0EILF9KGC1568076761504OYG4M7AALT2KH0",
"name": "Touy IRP",
"description": null,
"locked": 0,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "NN49G7874H9NFUAU1668790770212ANM1PU5WSNDCU9"
},
{"response_method_id": "S0639BPMPQ068HWV1668790770212YNWW66A454EOXR"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "R58DRCNUEYL8Y6VX1565016061314I7RCXXOIED05CF",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "Ttest:.*(minor)\\salert.*",
"description": "Severity",
"is_token": 2,
"correlation_rules": [{"correlation_rule_id": "G28O2VIG6RTC70SA1565016061313SJLCCJ9WV4JRR0"
}
]
},
{"rule_definition_id": "DQHYF6TTREM9OFBS1579204552818EGDHFQX2M3D1UB",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "Ttest:\\s\\b((?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\b):",
"description": "Asset IP",
"is_token": 1,
"correlation_rules": [{"correlation_rule_id": "G28O2VIG6RTC70SA1565016061313SJLCCJ9WV4JRR0"
}
]
}
]
},
{"correlation_rule_id": "YR9LOJVGKQ04BWF515650160859689QTWDTJN6OT5P9",
"crtype_name": "Simple",
"craction_name": "Respond",
"name": "Tinformational",
"threat_score": 0,
"threshold": 1,
"window": 60,
"status": 0,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "TTEST",
"description": "",
"policy_modules": [{"policy_module_id": "CMJNAEG5IA9UINE11565014962977I1OC9NT7H09PPI"
}
],
"response_procedures": [{"response_procedure_id": "I4VYGS7GAB0N5HGQ1584480056216JBPPXKBQYNE43E",
"name": "Touy Non Event IRP",
"description": null,
"locked": 0,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "EBTQA5LN39Q0CVPR1634051349646L3SSV665A8FDTX"
},
{"response_method_id": "S5VLNG7W7TCJFL9716340513496466J1QIGDNYB5QWG"
},
{"response_method_id": "GSNDY2U60CT300PT1634051349646A1O86HFJ7DK07Y"
},
{"response_method_id": "IEKF7329QPE3RSNU1634051349646CXMS0XVMFRAP4K"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "N0L5SPG8J1QBFMJ915650160859680263GG5RXURHBY",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "Ttest:.*(informational)\\salert.*",
"description": "Severity",
"is_token": 2,
"correlation_rules": [{"correlation_rule_id": "YR9LOJVGKQ04BWF515650160859689QTWDTJN6OT5P9"
}
]
},
{"rule_definition_id": "U87FVAGRYYSWN6MT157920456764593QJ73MUWO4UVC",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "Ttest:\\s\\b((?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\b):",
"description": "Asset IP",
"is_token": 1,
"correlation_rules": [{"correlation_rule_id": "YR9LOJVGKQ04BWF515650160859689QTWDTJN6OT5P9"
}
]
}
]
},
{"correlation_rule_id": "LO3M0P8S7OCWKEJ516195336577592NDMSGY05VMPJJ",
"crtype_name": "Simple",
"craction_name": "Respond_On_Expire",
"name": "Alarm ID: 6666 (Tcritical Tracking)",
"threat_score": 60,
"threshold": 5,
"window": 60,
"status": 0,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 1,
"search_filter": "TTEST",
"description": "",
"policy_modules": [{"policy_module_id": "CMJNAEG5IA9UINE11565014962977I1OC9NT7H09PPI"
}
],
"response_procedures": [{"response_procedure_id": "KYSBBBT0EILF9KGC1568076761504OYG4M7AALT2KH0",
"name": "Touy IRP",
"description": null,
"locked": 0,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "NN49G7874H9NFUAU1668790770212ANM1PU5WSNDCU9"
},
{"response_method_id": "S0639BPMPQ068HWV1668790770212YNWW66A454EOXR"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "KHDHWSVCTKHX7S7S1619533657759RMQP7U7MKEMCG4",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "Ttest:.*(critical)\\salert.*",
"description": "Severity",
"is_token": 2,
"correlation_rules": [{"correlation_rule_id": "LO3M0P8S7OCWKEJ516195336577592NDMSGY05VMPJJ"
}
]
},
{"rule_definition_id": "Q96JKIR8TWW9TQTD16195336577606R1RWHU3Q3NQWI",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "@SAME(Ttest:\\s\\b((?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\b):)",
"description": "Asset IP",
"is_token": 1,
"correlation_rules": [{"correlation_rule_id": "LO3M0P8S7OCWKEJ516195336577592NDMSGY05VMPJJ"
}
]
}
]
},
{"correlation_rule_id": "HQMHWC4ANLYE648916389373275742TG1G8KLSRAS40",
"crtype_name": "Simple",
"craction_name": "Respond",
"name": "Tmajor Respond 3:1",
"threat_score": 31,
"threshold": 3,
"window": 60,
"status": 0,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "TTEST",
"description": "",
"policy_modules": [{"policy_module_id": "CMJNAEG5IA9UINE11565014962977I1OC9NT7H09PPI"
}
],
"response_procedures": [{"response_procedure_id": "I4VYGS7GAB0N5HGQ1584480056216JBPPXKBQYNE43E",
"name": "Touy Non Event IRP",
"description": null,
"locked": 0,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "EBTQA5LN39Q0CVPR1634051349646L3SSV665A8FDTX"
},
{"response_method_id": "S5VLNG7W7TCJFL9716340513496466J1QIGDNYB5QWG"
},
{"response_method_id": "GSNDY2U60CT300PT1634051349646A1O86HFJ7DK07Y"
},
{"response_method_id": "IEKF7329QPE3RSNU1634051349646CXMS0XVMFRAP4K"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "COO0JFWUN7G6ME0G1638937327574UJQQOLGNLWX1TL",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "Ttest:.*(major)\\salert.*",
"description": "Severity",
"is_token": 2,
"correlation_rules": [{"correlation_rule_id": "HQMHWC4ANLYE648916389373275742TG1G8KLSRAS40"
}
]
},
{"rule_definition_id": "FVQO4UH5LRSFUXT51638937327575N9P45HPVI1W0JA",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "Ttest:\\s\\b((?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\b):",
"description": "Asset IP",
"is_token": 1,
"correlation_rules": [{"correlation_rule_id": "HQMHWC4ANLYE648916389373275742TG1G8KLSRAS40"
}
]
}
]
},
{"correlation_rule_id": "NY4RGSYS97NOXRM51638937342717FSXEM3VBDSPNH9",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "Tmajor Track Respond @SAME 3:1",
"threat_score": 31,
"threshold": 3,
"window": 60,
"status": 0,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "TTEST",
"description": "",
"policy_modules": [{"policy_module_id": "CMJNAEG5IA9UINE11565014962977I1OC9NT7H09PPI"
}
],
"response_procedures": [{"response_procedure_id": "I4VYGS7GAB0N5HGQ1584480056216JBPPXKBQYNE43E",
"name": "Touy Non Event IRP",
"description": null,
"locked": 0,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "EBTQA5LN39Q0CVPR1634051349646L3SSV665A8FDTX"
},
{"response_method_id": "S5VLNG7W7TCJFL9716340513496466J1QIGDNYB5QWG"
},
{"response_method_id": "GSNDY2U60CT300PT1634051349646A1O86HFJ7DK07Y"
},
{"response_method_id": "IEKF7329QPE3RSNU1634051349646CXMS0XVMFRAP4K"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "NV2X6W4YKWHMFF9D163893734271802QUS8ONHF6LA7",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "Ttest:.*(major)\\salert.*",
"description": "Severity",
"is_token": 2,
"correlation_rules": [{"correlation_rule_id": "NY4RGSYS97NOXRM51638937342717FSXEM3VBDSPNH9"
}
]
},
{"rule_definition_id": "G9476UFBKHPU3XDH16389373427189RAXEFHIE7DIH8",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "@SAME(Ttest:\\s\\b((?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\b):)",
"description": "Asset IP",
"is_token": 1,
"correlation_rules": [{"correlation_rule_id": "NY4RGSYS97NOXRM51638937342717FSXEM3VBDSPNH9"
}
]
}
]
},
{"correlation_rule_id": "LOS9YIY6ROGRHPE61639173382557KG1OSDYQP4E6YC",
"crtype_name": "Simple",
"craction_name": "Respond",
"name": "Tmajor Respond @SAME 3:1",
"threat_score": 31,
"threshold": 3,
"window": 60,
"status": 0,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "TTEST",
"description": "",
"policy_modules": [{"policy_module_id": "CMJNAEG5IA9UINE11565014962977I1OC9NT7H09PPI"
}
],
"response_procedures": [{"response_procedure_id": "I4VYGS7GAB0N5HGQ1584480056216JBPPXKBQYNE43E",
"name": "Touy Non Event IRP",
"description": null,
"locked": 0,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "EBTQA5LN39Q0CVPR1634051349646L3SSV665A8FDTX"
},
{"response_method_id": "S5VLNG7W7TCJFL9716340513496466J1QIGDNYB5QWG"
},
{"response_method_id": "GSNDY2U60CT300PT1634051349646A1O86HFJ7DK07Y"
},
{"response_method_id": "IEKF7329QPE3RSNU1634051349646CXMS0XVMFRAP4K"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "JEBTANKVCVETNQES1639173382558HAUGM7DM5I44RR",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "Ttest:.*(major)\\salert.*",
"description": "Severity",
"is_token": 2,
"correlation_rules": [{"correlation_rule_id": "LOS9YIY6ROGRHPE61639173382557KG1OSDYQP4E6YC"
}
]
},
{"rule_definition_id": "DNPDUY3642J2ODMF1639173382558BNEESGUYMBMTO7",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "@SAME(Ttest:\\s\\b((?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\b):)",
"description": "Asset IP",
"is_token": 1,
"correlation_rules": [{"correlation_rule_id": "LOS9YIY6ROGRHPE61639173382557KG1OSDYQP4E6YC"
}
]
}
]
},
{"correlation_rule_id": "LF9RFYOQ58UXFCHK16391735050014NHMJDG82OR3QQ",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "Tmajor Track Respond 3:1",
"threat_score": 31,
"threshold": 3,
"window": 60,
"status": 0,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "TTEST",
"description": "",
"policy_modules": [{"policy_module_id": "CMJNAEG5IA9UINE11565014962977I1OC9NT7H09PPI"
}
],
"response_procedures": [{"response_procedure_id": "I4VYGS7GAB0N5HGQ1584480056216JBPPXKBQYNE43E",
"name": "Touy Non Event IRP",
"description": null,
"locked": 0,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "EBTQA5LN39Q0CVPR1634051349646L3SSV665A8FDTX"
},
{"response_method_id": "S5VLNG7W7TCJFL9716340513496466J1QIGDNYB5QWG"
},
{"response_method_id": "GSNDY2U60CT300PT1634051349646A1O86HFJ7DK07Y"
},
{"response_method_id": "IEKF7329QPE3RSNU1634051349646CXMS0XVMFRAP4K"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "ADSTPOXJI60FTSM01639173505001O96YGUVDDT89H5",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "Ttest:.*(major)\\salert.*",
"description": "Severity",
"is_token": 2,
"correlation_rules": [{"correlation_rule_id": "LF9RFYOQ58UXFCHK16391735050014NHMJDG82OR3QQ"
}
]
},
{"rule_definition_id": "AECLYHTAII1SX7SW1639173505001K1XPF7SESPBMAR",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "Ttest:\\s\\b((?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\b):",
"description": "Asset IP",
"is_token": 1,
"correlation_rules": [{"correlation_rule_id": "LF9RFYOQ58UXFCHK16391735050014NHMJDG82OR3QQ"
}
]
}
]
},
{"correlation_rule_id": "02f4d6a51a323d5d5c670446847923c7f7b024e8cf6f95900006377f7c7e36ea",
"crtype_name": "Simple",
"craction_name": "Respond",
"name": "Major",
"threat_score": 60,
"threshold": 1,
"window": 60,
"status": 127,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "MAJOR",
"description": "",
"policy_modules": [{"policy_module_id": "CMJNAEG5IA9UINE11565014962977I1OC9NT7H09PPI"
}
],
"response_procedures": [{"response_procedure_id": "KYSBBBT0EILF9KGC1568076761504OYG4M7AALT2KH0",
"name": "Touy IRP",
"description": null,
"locked": 0,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "NN49G7874H9NFUAU1668790770212ANM1PU5WSNDCU9"
},
{"response_method_id": "S0639BPMPQ068HWV1668790770212YNWW66A454EOXR"
}
],
"alert": false
}
],
"rule_definitions": [ ]
}
]
},
{"policy_module_id": "MTX9RJSH1R0QIEDQ1583244925874OJUXGMB40QYOW1",
"name": "Log File Rules",
"description": null,
"enabled": 0,
"locked": 0,
"disable_on_failover": 0,
"policy_filters": [ ],
"correlation_rules": [{"correlation_rule_id": "X1127YDK36797HY01583244939857N520IHQB0FRT4A",
"crtype_name": "Simple",
"craction_name": "Respond",
"name": "China",
"threat_score": 60,
"threshold": 1,
"window": 60,
"status": 5,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "CHINA",
"description": "This is the extraction of an entry from a log file",
"policy_modules": [{"policy_module_id": "MTX9RJSH1R0QIEDQ1583244925874OJUXGMB40QYOW1"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "CMWKANJ03FBX77D615832449801946Q2I6T00R6GL1I",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "(china)",
"description": "China Event",
"is_token": 1,
"correlation_rules": [{"correlation_rule_id": "X1127YDK36797HY01583244939857N520IHQB0FRT4A"
}
]
},
{"rule_definition_id": "H2H611LC12X0JCAW1583246384519LBRHJ1EE2756IB",
"xml_tag": "SCDTS",
"pattern_name": "Regular Expression Match",
"pattern": "<METHOD>(syslog)<",
"description": "method",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "X1127YDK36797HY01583244939857N520IHQB0FRT4A"
}
]
}
]
},
{"correlation_rule_id": "PO2855AC5A0KLKV41583244992136UN08E23MY42XE0",
"crtype_name": "Simple",
"craction_name": "Respond",
"name": "Anton",
"threat_score": 31,
"threshold": 1,
"window": 60,
"status": 5,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "ANTON and SYSLOG ",
"description": "This an additional extraction from a log file",
"policy_modules": [{"policy_module_id": "MTX9RJSH1R0QIEDQ1583244925874OJUXGMB40QYOW1"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "UGILHMCH1O4G14WE1583245036182ERS36G1060DRGC",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "(Anton)",
"description": "San Anton Major Event",
"is_token": 1,
"correlation_rules": [{"correlation_rule_id": "PO2855AC5A0KLKV41583244992136UN08E23MY42XE0"
}
]
},
{"rule_definition_id": "HM79ROOO7TC60G0F1583246342528GHGUICY5XH3G64",
"xml_tag": "SCDTS",
"pattern_name": "Regular Expression Match",
"pattern": "<METHOD>(syslog)<",
"description": "method",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "PO2855AC5A0KLKV41583244992136UN08E23MY42XE0"
}
]
}
]
}
]
},
{"policy_module_id": "BPUQDAFA0YSBH7RY1591899953110T74B31PRPB19OR",
"name": "DS9 alerts",
"description": null,
"enabled": 0,
"locked": 0,
"disable_on_failover": 0,
"policy_filters": [ ],
"correlation_rules": [{"correlation_rule_id": "PIC7AYM8583G319F1591899960205RUIL7T0M5TFFMM",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "druid threshold",
"threat_score": 0,
"threshold": 1,
"window": 60,
"status": 5,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "*",
"description": "",
"policy_modules": [{"policy_module_id": "BPUQDAFA0YSBH7RY1591899953110T74B31PRPB19OR"
}
],
"response_procedures": [{"response_procedure_id": "EVXYQXOGU4R3ALAS1591904781211NULSWDRV664JR5",
"name": "POC-test",
"description": null,
"locked": 0,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "M4O7TJ00H6QQ4WWS1591988377364O6W9PEHRF3IJVF"
},
{"response_method_id": "SEKH9F7NDY77QLR615919883773645RO0PYNRV4O1GJ"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "YDT4947BU5PJNI1L1591899986788P1JJBUJ3YFCHFQ",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(gen_druid.php\\sfor\\sDS9\\s)",
"description": "druidMetric",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "PIC7AYM8583G319F1591899960205RUIL7T0M5TFFMM"
}
]
},
{"rule_definition_id": "X4KC8559G0PQOT6O1591900233581P1T1D0QYVX9VTK",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "DS9\\s\\b((?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\b)\\sfound",
"description": "ds9Ip",
"is_token": 1,
"correlation_rules": [{"correlation_rule_id": "PIC7AYM8583G319F1591899960205RUIL7T0M5TFFMM"
}
]
},
{"rule_definition_id": "MUEWMQU5N2RR63LK1591900263421R3O96CTM9OR700",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "found\\s(.*?)\\sexceeded",
"description": "MetricName",
"is_token": 2,
"correlation_rules": [{"correlation_rule_id": "PIC7AYM8583G319F1591899960205RUIL7T0M5TFFMM"
}
]
},
{"rule_definition_id": "NUXL6W9N0HTVLCC315919003023383PM24IFM3YQVGT",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "exceeded\\s(\\d+)\\sdata:",
"description": "threshold",
"is_token": 3,
"correlation_rules": [{"correlation_rule_id": "PIC7AYM8583G319F1591899960205RUIL7T0M5TFFMM"
}
]
},
{"rule_definition_id": "WE57F23G9KG8C5KV1591900358632HVI6FQJ7CH9YQU",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "data:\\s\\s(\\d+)\\s%\\s",
"description": "time",
"is_token": 4,
"correlation_rules": [{"correlation_rule_id": "PIC7AYM8583G319F1591899960205RUIL7T0M5TFFMM"
}
]
},
{"rule_definition_id": "B237CVTG9W6OXVA01591900437428BJT5KJ0W46HP6V",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "data:\\s.*?\\s%\\s\\b((?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\b)\\s%\\s",
"description": "sourceIp",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "PIC7AYM8583G319F1591899960205RUIL7T0M5TFFMM"
}
]
},
{"rule_definition_id": "HWWNAM84X6VXPTSH1591900475428RLKR4FYWSOW8QN",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "data:\\s.*?\\s%\\s.*?\\..*?\\..*?\\..*?\\s%\\s(\\d+)",
"description": "value",
"is_token": 6,
"correlation_rules": [{"correlation_rule_id": "PIC7AYM8583G319F1591899960205RUIL7T0M5TFFMM"
}
]
}
]
},
{"correlation_rule_id": "CJLCMSQQ2WOMP75E1591993209186HEMWJARVHHLP4H",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "postgres flow threshold",
"threat_score": 0,
"threshold": 1,
"window": 60,
"status": 5,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "GEN_POSTGRESS",
"description": "",
"policy_modules": [{"policy_module_id": "BPUQDAFA0YSBH7RY1591899953110T74B31PRPB19OR"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "WW5HS4E0BCUROLP31591993258836WPEBOCIMDKN5IV",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(gen_postgress.php\\sfor\\sDS9\\s)",
"description": "flagIt",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "CJLCMSQQ2WOMP75E1591993209186HEMWJARVHHLP4H"
}
]
},
{"rule_definition_id": "HGEAJIDWTT3BFYOI15919934271575FS23P9YT73HO0",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "DS9\\s\\b((?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\b)\\sproduced:",
"description": "dspIp",
"is_token": 1,
"correlation_rules": [{"correlation_rule_id": "CJLCMSQQ2WOMP75E1591993209186HEMWJARVHHLP4H"
}
]
},
{"rule_definition_id": "M8WW4Y77QBNL6NVD1591993453487SQT5DTU4FAR76F",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "agentid\\s=\\s\\b((?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\b)\\s%",
"description": "agentId",
"is_token": 2,
"correlation_rules": [{"correlation_rule_id": "CJLCMSQQ2WOMP75E1591993209186HEMWJARVHHLP4H"
}
]
},
{"rule_definition_id": "S9KXVEHYDS6WD4J015919934697970UPTSQBBEDIJWJ",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "timestamp\\s=\\s(\\d+)\\s%",
"description": "time",
"is_token": 3,
"correlation_rules": [{"correlation_rule_id": "CJLCMSQQ2WOMP75E1591993209186HEMWJARVHHLP4H"
}
]
},
{"rule_definition_id": "IFAEH2QLB9SMXHDL1591993500749SIMSLLN2DXNP1P",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "totalbytes\\s=\\s(|\\d+)",
"description": "totalbytes",
"is_token": 4,
"correlation_rules": [{"correlation_rule_id": "CJLCMSQQ2WOMP75E1591993209186HEMWJARVHHLP4H"
}
]
}
]
}
]
},
{"policy_module_id": "OWL84UN8FY6YDU4K1629742893075X747QGRSFIDO4W",
"name": "Ping",
"description": null,
"enabled": 1,
"locked": 0,
"disable_on_failover": 0,
"policy_filters": [ ],
"correlation_rules": [{"correlation_rule_id": "X0VM2YBOPTCYD5081629742897595AU9LE8PQH4JIEJ",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "Ping Failure",
"threat_score": 60,
"threshold": 10,
"window": 60,
"status": 1,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "No ANSWER ",
"description": "",
"policy_modules": [{"policy_module_id": "OWL84UN8FY6YDU4K1629742893075X747QGRSFIDO4W"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "E20AP61QE775RLNH16297429359817M1PW3A5NN0HHV",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(No\\sanswer)",
"description": "No answer",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "X0VM2YBOPTCYD5081629742897595AU9LE8PQH4JIEJ"
}
]
},
{"rule_definition_id": "L1SJQDJO9UUL16DW16297432099279Q4WNRW3CRHYSE",
"xml_tag": "RETURNMSG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "@SAME(from\\s\\b((?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\b)\\snot)",
"description": "System IP",
"is_token": 1,
"correlation_rules": [{"correlation_rule_id": "X0VM2YBOPTCYD5081629742897595AU9LE8PQH4JIEJ"
}
]
}
]
}
]
},
{"policy_module_id": "IILBFNHHJU96BJV71630697059530CGI2N28M7184C3",
"name": "Ack Alert",
"description": null,
"enabled": 1,
"locked": 0,
"disable_on_failover": 0,
"policy_filters": [ ],
"correlation_rules": [{"correlation_rule_id": "MY2X859VR22GNOT81630697064451O9FGS3N8JPP28X",
"crtype_name": "Simple",
"craction_name": "Respond",
"name": "Set Alert",
"threat_score": 31,
"threshold": 1,
"window": 60,
"status": 1,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "VERIZON SURGERY major",
"description": "",
"policy_modules": [{"policy_module_id": "IILBFNHHJU96BJV71630697059530CGI2N28M7184C3"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "YC00TF2KXN2R8M3B1630697104760BATKKJ5F0G4LPX",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "@SAME(trapCtrlName:(.*?)\\s,)",
"description": "trapCtrlName",
"is_token": 1,
"correlation_rules": [{"correlation_rule_id": "MY2X859VR22GNOT81630697064451O9FGS3N8JPP28X"
}
]
},
{"rule_definition_id": "TDEIW40Q6EK2W8NY1630697136789JO32Y2QQHD81LD",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "@SAME(trapCtrlSerialNum:\"(.*?)\")",
"description": "SerialNum",
"is_token": 2,
"correlation_rules": [{"correlation_rule_id": "MY2X859VR22GNOT81630697064451O9FGS3N8JPP28X"
}
]
},
{"rule_definition_id": "AC01WY0SJJNLJYH61630697151047GX620SC2I5PHKD",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "trapSeverity:(major)",
"description": "Severity",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "MY2X859VR22GNOT81630697064451O9FGS3N8JPP28X"
}
]
}
]
},
{"correlation_rule_id": "L59R7FDQWNP0LTJH16306973946643BIDMN6QCMNMGW",
"crtype_name": "Simple",
"craction_name": "Respond",
"name": "Clear Alert",
"threat_score": 31,
"threshold": 1,
"window": 60,
"status": 1,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "VERIZON SURGERY MAJOR ",
"description": "",
"policy_modules": [{"policy_module_id": "IILBFNHHJU96BJV71630697059530CGI2N28M7184C3"
}
],
"response_procedures": [{"response_procedure_id": "IYYAQBVRQ2OW9LPM163069732157421ADSQRHY0MISQ",
"name": "CheckAlertClear",
"description": null,
"locked": 0,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "PKAV5TYPY08P47Q11630701613445VX13A2W3NXSEKY"
},
{"response_method_id": "OEPYG92KUGV3I8WG1630701613445HX9I0DRNVDM13Y"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "E1JX243S6CBYV0VA1630697394664SFORDIF293DCCM",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "@SAME(trapCtrlName:(.*?)\\s,)",
"description": "trapCtrlName",
"is_token": 1,
"correlation_rules": [{"correlation_rule_id": "L59R7FDQWNP0LTJH16306973946643BIDMN6QCMNMGW"
}
]
},
{"rule_definition_id": "WA2W1W2ARHTJKM4C16306973946654JCO9VU22A43SM",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "@SAME(trapCtrlSerialNum:\"(.*?)\")",
"description": "SerialNum",
"is_token": 2,
"correlation_rules": [{"correlation_rule_id": "L59R7FDQWNP0LTJH16306973946643BIDMN6QCMNMGW"
}
]
},
{"rule_definition_id": "KAPRPS2WK0VX5WWX1630697394665VXNNC3LBE4BHTK",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "trapSeverity:(notify)",
"description": "Severity",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "L59R7FDQWNP0LTJH16306973946643BIDMN6QCMNMGW"
}
]
}
]
}
]
},
{"policy_module_id": "TMICSD84GV78O03V16493569329545H5HYJQ990KUSQ",
"name": "Demo2",
"description": null,
"enabled": 1,
"locked": 0,
"disable_on_failover": 0,
"policy_filters": [ ],
"correlation_rules": [{"correlation_rule_id": "R15Q8AIAVTNUO40M16493569434296KC2TWA2I72P92",
"crtype_name": "Simple",
"craction_name": "Respond",
"name": "Critical  Alert",
"threat_score": 60,
"threshold": 1,
"window": 60,
"status": 1,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "TTEST",
"description": "",
"policy_modules": [{"policy_module_id": "TMICSD84GV78O03V16493569329545H5HYJQ990KUSQ"
}
],
"response_procedures": [{"response_procedure_id": "DWMY6R1Q58SDOMHY16505797606488GJNFPSPUXRDC2",
"name": "New Default",
"description": null,
"locked": 0,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "JB16WG5KJPTE2PS41651004980226G3DNHPSB7AVFQP"
},
{"response_method_id": "RYFCWVFQBS3DA9BH1651004980226E530US10CQO20P"
},
{"response_method_id": "IAKB6U83FVY9Q2W51651004980226THUAJUJOBSLUMX"
},
{"response_method_id": "JWL2UT8SA1P921VY1651004980226RBDJJ929K36TDP"
},
{"response_method_id": "CKTC7QPWX5OQYMGL1651004980226EUD719SOPL0QL0"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "LKDJGKFINQOGXCOG1649357052798S3ALYT1U6NPEJ2",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(Ttest)",
"description": "Ttest",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "R15Q8AIAVTNUO40M16493569434296KC2TWA2I72P92"
}
]
},
{"rule_definition_id": "OORVLJI9DMJGXL2K1649357206377FQDIUQO7963YNU",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "@SAME(Ttest:\\s(.*?):)",
"description": "ipaddress",
"is_token": 1,
"correlation_rules": [{"correlation_rule_id": "R15Q8AIAVTNUO40M16493569434296KC2TWA2I72P92"
}
]
},
{"rule_definition_id": "YI5KE8DM6461MYN31649357336556HRYMEA8XMQDFEX",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(critical)\\salert",
"description": "Critical",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "R15Q8AIAVTNUO40M16493569434296KC2TWA2I72P92"
}
]
}
]
}
]
},
{"policy_module_id": "BALF3DK2FGKQ7CWR1662567555513D1ENSL8O2IPB93",
"name": "Sergey",
"description": null,
"enabled": 1,
"locked": 0,
"disable_on_failover": 0,
"policy_filters": [ ],
"correlation_rules": [{"correlation_rule_id": "C74M32KAUK6GDDRC1662567563007ITIOC68KJV7LAL",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "Sergey Critical",
"threat_score": 60,
"threshold": 6,
"window": 60,
"status": 1,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "SERGEY",
"description": "",
"policy_modules": [{"policy_module_id": "BALF3DK2FGKQ7CWR1662567555513D1ENSL8O2IPB93"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "ID6HW6M7WRU0IPVP1662567644558VFPX2OWRD0DNI9",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "sergey\\s(critical)\\salert",
"description": "Severity",
"is_token": 1,
"correlation_rules": [{"correlation_rule_id": "C74M32KAUK6GDDRC1662567563007ITIOC68KJV7LAL"
}
]
}
]
}
]
},
{"policy_module_id": "KGXTKDJGAPIA93V31669818499342ILTW6XT898RIUF",
"name": "Infinity",
"description": null,
"enabled": 1,
"locked": 0,
"disable_on_failover": 0,
"policy_filters": [ ],
"correlation_rules": [{"correlation_rule_id": "AK8UDUSTHP8GD9OK16698185052255UH6PCT7L1CN66",
"crtype_name": "Simple",
"craction_name": "Respond",
"name": "Major",
"threat_score": 31,
"threshold": 1,
"window": 60,
"status": 1,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "INFINITY",
"description": "",
"policy_modules": [{"policy_module_id": "KGXTKDJGAPIA93V31669818499342ILTW6XT898RIUF"
}
],
"response_procedures": [{"response_procedure_id": "BNPDRA1H7JUBUIT6166879077450178GAGJ975DKS7X",
"name": "Touy IRP with testcontrol",
"description": null,
"locked": 0,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "E49VPA0BVIT1IM7S1668790790349FNH1AH1AMXO3RN"
},
{"response_method_id": "TP7VN32O43RIRJCB1668790790349JN5WD1VKCJG3PQ"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "HHR60KVRT511HIGA1669818560981F8ELY1DMIGJMSJ",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "(infinity)",
"description": "Rule1",
"is_token": 1,
"correlation_rules": [{"correlation_rule_id": "AK8UDUSTHP8GD9OK16698185052255UH6PCT7L1CN66"
}
]
}
]
}
]
},
{"policy_module_id": "HLOEHDYWLLA2UQPA167301384009028TVRA48R81QGE",
"name": "Second Dchannel",
"description": null,
"enabled": 1,
"locked": 0,
"disable_on_failover": 0,
"policy_filters": [ ],
"correlation_rules": [{"correlation_rule_id": "PWWIW1OYNXH5OOV516730139740667UBU6AJXIDX6P5",
"crtype_name": "Simple",
"craction_name": "Respond",
"name": "dchannel",
"threat_score": 31,
"threshold": 1,
"window": 60,
"status": 1,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "D-CHANNEL",
"description": "",
"policy_modules": [{"policy_module_id": "HLOEHDYWLLA2UQPA167301384009028TVRA48R81QGE"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "LG1BMX1HPKC99M2S1673014009480QH4R1YABQTP2NF",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "(DChannelOOS)",
"description": "Type",
"is_token": 1,
"correlation_rules": [{"correlation_rule_id": "PWWIW1OYNXH5OOV516730139740667UBU6AJXIDX6P5"
}
]
},
{"rule_definition_id": "J7Y63YMH3QCLJS5N1673014025102AW1X0URLGVP3B4",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*?)$",
"description": "Details",
"is_token": 2,
"correlation_rules": [{"correlation_rule_id": "PWWIW1OYNXH5OOV516730139740667UBU6AJXIDX6P5"
}
]
}
]
}
]
},
{"policy_module_id": "R4MWWCKH606WH8DL16730142990468XG3QBWUSFCSF3",
"name": "Cucm_CmCat_Cm",
"description": null,
"enabled": 1,
"locked": 0,
"disable_on_failover": 0,
"policy_filters": [{"policy_filter_id": "KFWR8VAIYQRIO685167302297474703DYFW9QHQ9MYR",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(%UC_CALLMANAGER)",
"description": "Cisco Syslog",
"is_token": 0,
"policy_modules": [{"policy_module_id": "R4MWWCKH606WH8DL16730142990468XG3QBWUSFCSF3"
}
]
},
{"policy_filter_id": "JDHFHKI9ECXOIP5E1673022992048TPOQP6QF544XI9",
"xml_tag": "SCDTS",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "@SAME(<ADDRESS>(.*?)<)",
"description": "System Ip Address",
"is_token": 1,
"policy_modules": [{"policy_module_id": "R4MWWCKH606WH8DL16730142990468XG3QBWUSFCSF3"
}
]
},
{"policy_filter_id": "Q8CVOHEWFAEBE1WJ1673023036768H1JIT8BH8U0RPX",
"xml_tag": "SCDTS",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "<ASSET_DESCRIPTION>(.*?)<",
"description": "Asset Description",
"is_token": 2,
"policy_modules": [{"policy_module_id": "R4MWWCKH606WH8DL16730142990468XG3QBWUSFCSF3"
}
]
},
{"policy_filter_id": "OAMOQD6DYODP5JR31673023083662VFK204BHO3CSJC",
"xml_tag": "METHOD",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "(syslog)",
"description": "Agent",
"is_token": 3,
"policy_modules": [{"policy_module_id": "R4MWWCKH606WH8DL16730142990468XG3QBWUSFCSF3"
}
]
},
{"policy_filter_id": "HT1CWDPSVI0UCVQX1673023105228TD8UQC94H0589T",
"xml_tag": "SCDTS",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "<ASSET_NAME>(.*?)<",
"description": "Asset Name",
"is_token": 4,
"policy_modules": [{"policy_module_id": "R4MWWCKH606WH8DL16730142990468XG3QBWUSFCSF3"
}
]
}
],
"correlation_rules": [{"correlation_rule_id": "QTPEC1B8U8GQ0XYY1673014299046K5TLVPC713O4VR",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "Alarm ID: 50500 (CallManagerFailure) - SERVICE IMPACTING",
"threat_score": 60,
"threshold": 1,
"window": 60,
"status": 1,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "*",
"description": "Indicates an internal failure in Unified CM.\nExplanation: This alarm indicates that an internal failure occurred in the Cisco CallManager service. The service should restart in an attempt to clear the failure.\nRecommended Action: Monitor for other alarms and restart Cisco CallManager service, if necessary. Collect the core file if available, SDL and CCM/SDI trace files (you can gather these from Trace and Log Central in RTMT using the Collect Files feature) and contact the Cisco Technical Assistance Center (TAC).",
"policy_modules": [{"policy_module_id": "R4MWWCKH606WH8DL16730142990468XG3QBWUSFCSF3"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "I2FBYBBSN1URA39T1673014299046XGDBDRNSPCMOCE",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(CallManagerFailure)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "QTPEC1B8U8GQ0XYY1673014299046K5TLVPC713O4VR"
}
]
},
{"rule_definition_id": "YGSL7JM23R0STRRP1673014299047O2WRLCDFCLUN83",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "QTPEC1B8U8GQ0XYY1673014299046K5TLVPC713O4VR"
}
]
}
]
},
{"correlation_rule_id": "X7M92VON9CP83JUJ1673014299047M1P6O4GGRA8A93",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "Alarm ID: 50501 (SDLLinkISV)",
"threat_score": 11,
"threshold": 1,
"window": 60,
"status": 1,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "*",
"description": "SDL link to remote application restored.\nExplanation: This alarm indicates that the local Unified CM has gained communication with the remote Unified CM. Note that the remote Unified CM should also indicate SDLLinkISV with a different LinkID.\nRecommended Action: Informational only; no action is required.",
"policy_modules": [{"policy_module_id": "R4MWWCKH606WH8DL16730142990468XG3QBWUSFCSF3"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "RSCI6B6L43R0NGE8167301429904710LOHK0IBHKBWJ",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(SDLLinkISV)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "X7M92VON9CP83JUJ1673014299047M1P6O4GGRA8A93"
}
]
},
{"rule_definition_id": "RUAPXMCKCSFKO4JY1673014299047HB9XJGG23P9FSL",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "X7M92VON9CP83JUJ1673014299047M1P6O4GGRA8A93"
}
]
}
]
},
{"correlation_rule_id": "FGF9VUQD08DGQL6V1673014299047NXSFJ2Y4UHBPOR",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "Alarm ID: 50502 (SDLLinkOOS)",
"threat_score": 60,
"threshold": 1,
"window": 60,
"status": 1,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "*",
"description": "SDL link to remote application is out of service.\nExplanation: This alarm indicates that the local Unified CM has lost communication with the remote Unified CM. This alarm usually indicates that a node has gone out of service (whether intentionally for maintenance or to install a new load for example; or unintentionally due to a service failure or connectivity failure).\nRecommended Action: In the Cisco Unified Reporting tool, run a CM Cluster Overview report and check to see if all servers can communicate with the Publisher. Also check for any alarms that might have indicated a CallManager failure and take appropriate action for the indicated failure. If the node was taken out of service intentionally, bring the node back into service.",
"policy_modules": [{"policy_module_id": "R4MWWCKH606WH8DL16730142990468XG3QBWUSFCSF3"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "XAES92GCVUQXHSNK167301429904747RHLK6HYSY22U",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(SDLLinkOOS)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "FGF9VUQD08DGQL6V1673014299047NXSFJ2Y4UHBPOR"
}
]
},
{"rule_definition_id": "FR7O3S7U0ABWSHNT1673014299047DWWY7B9AAXIN1V",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "FGF9VUQD08DGQL6V1673014299047NXSFJ2Y4UHBPOR"
}
]
}
]
},
{"correlation_rule_id": "MW9YKUVYX974EOIP1673014299047K98CSCRJY76WHI",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "Alarm ID: 50503 (CMVersionMismatch)",
"threat_score": 0,
"threshold": 1,
"window": 60,
"status": 1,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "*",
"description": "One or more Unified CM nodes in a cluster are running different Unified CM versions.\nExplanation: This alarm indicates that the local Unified CM is unable to establish communication with the remote Unified CM due to a software version mismatch. This is generally a normal occurrence when you are upgrading a Unified CM node.\nRecommended Action: The alarm details include the versions of the local and remote Unified CM nodes. Compare the versions and upgrade a node if necessary.",
"policy_modules": [{"policy_module_id": "R4MWWCKH606WH8DL16730142990468XG3QBWUSFCSF3"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "S26SSLSCBTGED7BB1673014299047DSW7L93VWL1X93",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(CMVersionMismatch)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "MW9YKUVYX974EOIP1673014299047K98CSCRJY76WHI"
}
]
},
{"rule_definition_id": "GP286U92ERWU0K9Y1673014299047FMV4U7HEOQKQSF",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "MW9YKUVYX974EOIP1673014299047K98CSCRJY76WHI"
}
]
}
]
},
{"correlation_rule_id": "XNPKIVBI32YV5MYS1673014299047POLPTY7XJ49PWM",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "Alarm ID: 50504 (BChannelOOS)",
"threat_score": 60,
"threshold": 1,
"window": 60,
"status": 1,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "*",
"description": "The B-channel is out of service.\nExplanation: The B-channel indicated by this alarm has gone out of service. Some of the more common reasons for a B-channel to go out of service include: Taking the channel out of service intentionally to perform maintenance on either the near-end or far-end; Losing T1/E1/BRI cable connectivity; When the MGCP gateway returns an error code 501 or 510 for a MGCP command sent from Unified CM; When the MGCP gateway doesn't respond to an MGCP command sent by Unified CM three times; When a speed and duplex mismatch exists on the Ethernet port between Unified CM and the MGCP gateway.\nRecommended Action: Check the Cisco CallManager advanced service parameter, Change B-channel Maintenance Status to determine if the B-channel has been taken out of service intentionally; Check the Q.931 trace for PRI SERVICE message to determine whether a PSTN provider has taken the B-channel out of service; Check the connection of the T1/E1/BRI cable; Reset the MGCP gateway; Check the speed and duplex settings on the Ethernet port.",
"policy_modules": [{"policy_module_id": "R4MWWCKH606WH8DL16730142990468XG3QBWUSFCSF3"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "DFQB4GMBOHHD8Q921673014299047N5YN3D6UKHF4JE",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(BChannelOOS)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "XNPKIVBI32YV5MYS1673014299047POLPTY7XJ49PWM"
}
]
},
{"rule_definition_id": "UWHHJ3KE4ALB7B3B167301429904724WIGAH43BJ7J3",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "XNPKIVBI32YV5MYS1673014299047POLPTY7XJ49PWM"
}
]
}
]
},
{"correlation_rule_id": "GKAH83L54FD83JNV16730142990476EC9K6DF93M4FW",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "Alarm ID: 50505 (BChannelISV)",
"threat_score": 11,
"threshold": 1,
"window": 60,
"status": 1,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "*",
"description": "B-channel is in service.\nExplanation: The B-channel indicated by this alarm has gone in service.\nRecommended Action: Informational purposes only; no action is required.",
"policy_modules": [{"policy_module_id": "R4MWWCKH606WH8DL16730142990468XG3QBWUSFCSF3"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "QJCFT35AW7XQCLOL16730142990474MNX3FLIWDK9JM",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(BChannelISV)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "GKAH83L54FD83JNV16730142990476EC9K6DF93M4FW"
}
]
},
{"rule_definition_id": "H0RXXQGLU75AHL321673014299047X70BDYW6NVLHCG",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "GKAH83L54FD83JNV16730142990476EC9K6DF93M4FW"
}
]
}
]
},
{"correlation_rule_id": "BM97F3SR9F7SM1JC16730142990478K7VE733D4CHUR",
"crtype_name": "Simple",
"craction_name": "Respond",
"name": "Alarm ID: 50506 (DChannelOOS)",
"threat_score": 60,
"threshold": 1,
"window": 60,
"status": 1,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 1,
"search_filter": "D-CHANNEL and not ARBCORRELATE ",
"description": "The D-channel is out of service.\nExplanation: The D-channel indicated by this alarm has gone out of service. Common reasons for a D-channel to go out of service include losing T1/E1/BRI cable connectivity; losing the gateway data link (Layer 2) due to an internal or external problem; or a gateway reset.\nRecommended Action: Check the connection of the T1/E1/BRI cable; reset the gateway to restore Layer 2 connectivity; investigate whether the gateway reset was intentional. If the reset was not intentional, take steps to restrict access to the Gateway Configuration window in Cisco Unified CM Administration and the gateway terminal.",
"policy_modules": [{"policy_module_id": "R4MWWCKH606WH8DL16730142990468XG3QBWUSFCSF3"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "NY08EBPI6XAABXCJ1673014299047YLOFWYB0KKGOAC",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(DChannelOOS)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "BM97F3SR9F7SM1JC16730142990478K7VE733D4CHUR"
}
]
},
{"rule_definition_id": "BLRQRTLC5N9I6JDF1673014299047X5GUHJ6O6H4JSF",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)$",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "BM97F3SR9F7SM1JC16730142990478K7VE733D4CHUR"
}
]
}
]
},
{"correlation_rule_id": "WRY5HCFHI3S61NGL1673014299047TGF7KLRJUB3OW6",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "Alarm ID: 50507 (DChannelISV)",
"threat_score": 11,
"threshold": 1,
"window": 60,
"status": 1,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "*",
"description": "The D-channel is out of service.\nExplanation: D-channel is in service.\nRecommended Action: The indicated D-channel has gone in service.",
"policy_modules": [{"policy_module_id": "R4MWWCKH606WH8DL16730142990468XG3QBWUSFCSF3"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "N072MJMCPNKWWFP41673014299047HMFPQLGK2CYXM1",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(DChannelISV)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "WRY5HCFHI3S61NGL1673014299047TGF7KLRJUB3OW6"
}
]
},
{"rule_definition_id": "OTIOVFVC7J4KYDMX1673014299047E7EU2O0A0PSR07",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "WRY5HCFHI3S61NGL1673014299047TGF7KLRJUB3OW6"
}
]
}
]
},
{"correlation_rule_id": "EC5JEDHWO4FSKMY31673014299047UCHM937JH0FW18",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "Alarm ID: 50508 (DeviceTransientConnection)",
"threat_score": 0,
"threshold": 1,
"window": 60,
"status": 1,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "*",
"description": "A device attempted to register but did not complete registration.\nExplanation: A connection was established and immediately dropped before completing registration. Incomplete registration may indicate that a device is rehoming in the middle of registration. The alarm could also indicate a device misconfiguration, database error, or an illegal/unknown device trying to attempt a connection. Network connectivity problems can affect device registration, or the restoration of a primary Unified CM may interrupt registration.\nRecommended Action: In the Cisco Unified Reporting tool, check the Active Services section of the Unified CM Cluster Overview report to confirm that any failover/fallback scenarios have completed. Confirm that auto-registration is enabled if the phone attempting to connect is set to auto-register, or locate the phone that is attempting to auto-register if auto-registration has been intentionally disabled. Check the device indicated in this alarm and confirm that the device registration details in Cisco Unified CM Administration are accurate. Also, refer to the reason code definitions in the alarm for recommended actions. No action is required if this event was issued as a result of a normal device rehome.",
"policy_modules": [{"policy_module_id": "R4MWWCKH606WH8DL16730142990468XG3QBWUSFCSF3"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "I9LLE48D1DBCCVX01673014299047VBNAW6WIFUV18R",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(DeviceTransientConnection)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "EC5JEDHWO4FSKMY31673014299047UCHM937JH0FW18"
}
]
},
{"rule_definition_id": "F2BMHDK2ET9IBU7R1673014299047XJUKSSSOTJO70F",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "EC5JEDHWO4FSKMY31673014299047UCHM937JH0FW18"
}
]
}
]
},
{"correlation_rule_id": "F7D3OMUNIT3J3OMN16730142990475EKV440F4AQ2F7",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "Alarm ID: 50509 (EndPointTransientConnection)",
"threat_score": 31,
"threshold": 1,
"window": 60,
"status": 1,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "*",
"description": "An endpoint attempted to register but did not complete registration.\nExplanation: A connection was established and immediately dropped before completing registration. Incomplete registration may indicate that a device is rehoming in the middle of registration. The alarm could also indicate a device misconfiguration, database error, or an illegal/unknown device trying to attempt a connection. Network connectivity problems can affect device registration, or the restoration of a primary Unified CM may interrupt registration.\nRecommended Action: Investigate any network connectivity problems in the system. It's possible that you have reached the maximum number of devices; the Cisco CallManager service parameter, Maximum Number of Registered Devices, controls the number of devices allowed in the system. After taking licensing, system hardware and other related concerns into consideration, you could increase the value of the service parameter. Also, refer to the reason code definitions in the alarm for additional recommended actions. No action is required if this event was issued as a result of a normal device rehome.",
"policy_modules": [{"policy_module_id": "R4MWWCKH606WH8DL16730142990468XG3QBWUSFCSF3"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "GV0RE0XCEM2HX54K1673014299047MFXS0PM1Q7DYLX",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(EndPointTransientConnection)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "F7D3OMUNIT3J3OMN16730142990475EKV440F4AQ2F7"
}
]
},
{"rule_definition_id": "KHN3VI8R93QSPGU21673014299047D623C7NTEADHMY",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "F7D3OMUNIT3J3OMN16730142990475EKV440F4AQ2F7"
}
]
}
]
},
{"correlation_rule_id": "GDE4F3BC6LHJ47DT167301429904700SWNAH6511EC6",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "Alarm ID: 50510 (DeviceRegistered)",
"threat_score": 0,
"threshold": 1,
"window": 60,
"status": 1,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "*",
"description": "Device registered.\nExplanation: A device successfully registered with Cisco Unified Communications Manager.\nRecommended Action: Informational purposes only; no action is required.",
"policy_modules": [{"policy_module_id": "R4MWWCKH606WH8DL16730142990468XG3QBWUSFCSF3"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "Y1UBYCP74GWNGNIP16730142990479NV3J6V21K6EVE",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(DeviceRegistered)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "GDE4F3BC6LHJ47DT167301429904700SWNAH6511EC6"
}
]
},
{"rule_definition_id": "UDAUM3WQUHLC952816730142990477B5W5YA06G20GE",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "GDE4F3BC6LHJ47DT167301429904700SWNAH6511EC6"
}
]
}
]
},
{"correlation_rule_id": "T3QHYSHN1WVPRVE51673014299047AOCQ6JVY17YKTD",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "Alarm ID: 50511 (EndPointRegistered)",
"threat_score": 0,
"threshold": 1,
"window": 60,
"status": 1,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "*",
"description": "Endpoint registered.\nExplanation: An endpoint successfully registered with Cisco Unified Communications Manager.\nRecommended Action: Notification purposes only; no action is required.",
"policy_modules": [{"policy_module_id": "R4MWWCKH606WH8DL16730142990468XG3QBWUSFCSF3"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "J9RGUDOULHNT7I7W1673014299047FIUW3RNI4JD690",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(EndPointRegistered)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "T3QHYSHN1WVPRVE51673014299047AOCQ6JVY17YKTD"
}
]
},
{"rule_definition_id": "YQUNONWQHCHYB1UJ1673014299047RJF73XGRLOD9CD",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "T3QHYSHN1WVPRVE51673014299047AOCQ6JVY17YKTD"
}
]
}
]
},
{"correlation_rule_id": "AW3VRXAW7PS0PUCK16730142990470NCFPRX9R11OPQ",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "Alarm ID: 50512 (DevicePartiallyRegistered)",
"threat_score": 0,
"threshold": 1,
"window": 60,
"status": 1,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "*",
"description": "A device has partially registered.\nExplanation: A device is partially registered with Cisco Unified Communications Manager. Some, but not all, of the lines configured on the device have successfully registered.\nRecommended Action: In the Cisco Unified Reporting tool, run the Unified CM Multi-Line Devices report and check the number of lines that are supposed to be configured on the device identified in this alarm. If the device has registered an inconsistent number of lines compared the Multi-Line report for this device, restart the device so that it can reregister all lines. If this alarm persists, verify that the appropriate number of lines has been configured on the device, and that the appropriate directory numbers have been configured. If the device is a third-party SIP phone, verify that the directory numbers configured on the phone match the directory numbers configured on the device in Unified CM Administration.",
"policy_modules": [{"policy_module_id": "R4MWWCKH606WH8DL16730142990468XG3QBWUSFCSF3"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "GS1O6BNG3AF206641673014299047E4EPEHIS5ASRGC",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(DevicePartiallyRegistered)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "AW3VRXAW7PS0PUCK16730142990470NCFPRX9R11OPQ"
}
]
},
{"rule_definition_id": "QR1GRIF27KWY4ONN1673014299047K42KMV305CXOEQ",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "AW3VRXAW7PS0PUCK16730142990470NCFPRX9R11OPQ"
}
]
}
]
},
{"correlation_rule_id": "LUUCU0S11YYWE2SP1673014299047HTVBBPHLWUCS0X",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "Alarm ID: 50513 (DeviceUnregistered)",
"threat_score": 0,
"threshold": 1,
"window": 60,
"status": 1,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "*",
"description": "Device unregistered.\nExplanation: A device that has previously registered with Unified CM has unregistered. In cases of normal unregistration with reason code 'CallManagerReset', 'CallManagerRestart', or 'DeviceInitiatedReset', the severity of this alarm is lowered to INFORMATIONAL. A device can unregister for many reasons, both intentional such as manually resetting the device after a configuration change, and unintentional such as loss of network connectivity. Other causes for this alarm could include a phone being registered to a secondary node and then the primary node coming online, which causes the phone to rehome to the primary Unified CM node. Or, lack of a KeepAlive being returned from the Unified CM node to which this device was registered. Unregistration also occurs if Unified CM receives a duplicate registration request for this same device.\nRecommended Action: Actions to take vary depending on the reason specified in this alarm for the device unregistration. If the reason is ConfigurationMismatch, go to the Device Configuration page in Cisco Unified CM Administration, make a change to the Description field for this device, click Save, then reset the device. In the case of a network connectivity problem or loss of KeepAlives, use network diagnostic tools and the Cisco Unified CM Reporting tool to fix any reported network or Unified CM system errors. In the case of a device rehoming to the primary Unified CM node, watch for a successful registration of the device on the primary node. In the case of a duplicate registration request, it may be a non-malicious occurrence due to timing of a device registering and unregistering; if duplicate registration requests continue or if the same device has different IP addresses, confirm the IP address on the physical device itself by checking the settings on the device (settings button). If unregistration of this device was expected, no action is required. Also, refer to the reason code descriptions for recommended actions.",
"policy_modules": [{"policy_module_id": "R4MWWCKH606WH8DL16730142990468XG3QBWUSFCSF3"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "VYR65XFAYVEJUOK816730142990471JN0JX7TXHF6C2",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(DeviceUnregistered)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "LUUCU0S11YYWE2SP1673014299047HTVBBPHLWUCS0X"
}
]
},
{"rule_definition_id": "C2N1GRKYYG2R30PH1673014299047MMCU7QDRLEEL7R",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "LUUCU0S11YYWE2SP1673014299047HTVBBPHLWUCS0X"
}
]
}
]
},
{"correlation_rule_id": "V8OWAPQ6AFIBE2R516730142990472PYW3935RSOLYU",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "Alarm ID: 50514 (EndPointUnregistered)",
"threat_score": 31,
"threshold": 1,
"window": 60,
"status": 1,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "*",
"description": "An endpoint has unregistered.\nExplanation: An endpoint that has previously registered with Cisco Unified Communications Manager has unregistered. In cases of normal unregistration with reason code 'CallManagerReset', 'CallManagerRestart', 'DeviceInitiatedReset', 'EMLoginLogout', or 'EMCCLoginLogout', the severity of this alarm is lowered to INFORMATIONAL. An endpoint can unregister for many reasons, both intentional such as manually resetting the device after a configuration change, or unintentional such as loss of network connectivity. Other causes for this alarm could include a phone being registered to a secondary node and then the primary node coming online, causing the phone to rehome to the primary Unified CM node. Or, lack of a KeepAlive message being returned from the Unified CM node to which this endpoint was registered. Unregistration also occurs if Unified CM receives a duplicate registration request for this same device.\nRecommended Action: Actions to take vary depending on the reason specified for the endpoint unregistration. If the reason is ConfigurationMismatch, go to the Device Configuration page in Cisco Unified CM Administration, make a change to the Description field for this device, click Save, then reset the device. In the case of a network connectivity problem or loss of KeepAlives, use network diagnostic tools and the Cisco Unified CM Reporting tool to fix any reported network or Unified CM system errors. In the case of an endpoint rehoming to the primary Unified CM node, watch for a successful registration of the device on the primary node. In the case of a duplicate registration request, it may be a non-malicious occurrence due to timing of an endpoint registering and unregistering; if duplicate registration requests continue or if the same endpoint has different IP addresses, confirm the IP address on the physical device itself by checking the settings on the device (settings button). If unregistration of this device was expected, no action is required. Also, refer to the reason code descriptions in this alarm for additional recommended actions.",
"policy_modules": [{"policy_module_id": "R4MWWCKH606WH8DL16730142990468XG3QBWUSFCSF3"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "CX1J78D0N4G1TTW916730142990479NTHTO11D2MV8S",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(EndPointUnregistered)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "V8OWAPQ6AFIBE2R516730142990472PYW3935RSOLYU"
}
]
},
{"rule_definition_id": "NYG2V6L08AWQC0G116730142990471FM2D641J855YR",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "V8OWAPQ6AFIBE2R516730142990472PYW3935RSOLYU"
}
]
}
]
},
{"correlation_rule_id": "F7NSGG1KUUQAJJJ01673014299047B1JGXH8968ATBY",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "Alarm ID: 50515 (SIPLineRegistrationError)",
"threat_score": 0,
"threshold": 1,
"window": 60,
"status": 1,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "*",
"description": "SIP line registration error.\nExplanation: A SIP line attempted to register with Cisco Unified Communications Manager (Unified CM) and failed due to the error indicated in the Reason Code parameter. The alarm could indicate a device misconfiguration, database error, or an illegal/unknown device trying to attempt a connection. This alarm typically occurs with a third-party device.\nRecommended Action: Verify that the directory number(s) on the device itself match the directory number(s) that are configured for that device in Cisco Unified CM Administration. Also, confirm that database replication is working. To do so, check the Unified CM Database Status report in Cisco Unified Reporting to verify that database replication is working. You can also go to Real-Time Reporting Tool (RTMT) and check the Replication Status in the Database Summary page. If status shows 2, then replication is working. Refer to the reason code definitions for additional recommended actions.",
"policy_modules": [{"policy_module_id": "R4MWWCKH606WH8DL16730142990468XG3QBWUSFCSF3"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "JUE8OQFMJHAS9KJA16730142990472LMS1HNPWMJ033",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(SIPLineRegistrationError)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "F7NSGG1KUUQAJJJ01673014299047B1JGXH8968ATBY"
}
]
},
{"rule_definition_id": "FTANF70BBYTLOXA116730142990472JTR9L7U4P3L8N",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "F7NSGG1KUUQAJJJ01673014299047B1JGXH8968ATBY"
}
]
}
]
},
{"correlation_rule_id": "YJ2PIO9SC9IXDS1S16730142990474VCRCPLV8MSMOD",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "Alarm ID: 50516 (H323Started)",
"threat_score": 11,
"threshold": 1,
"window": 60,
"status": 1,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "*",
"description": "Unified CM is ready to handle calls for the indicated H.323 device.\nExplanation: Cisco Unified Communications Manager (Unified CM) is ready to communicate with the indicated H.323 device. Note that this alarm describes the readiness of Unified CM to communicate with the indicated device but does not provide information about the state of the H.323 device (whether it is ready to communicate as well).\nRecommended Action: Notification purposes only; no action is required.",
"policy_modules": [{"policy_module_id": "R4MWWCKH606WH8DL16730142990468XG3QBWUSFCSF3"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "H5PNUHEO5C66JC641673014299047VAVDX7BAAKVN7E",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(H323Started)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "YJ2PIO9SC9IXDS1S16730142990474VCRCPLV8MSMOD"
}
]
},
{"rule_definition_id": "O7WOP8GH268TS6UP1673014299047NVSRGY54TJ0YTG",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "YJ2PIO9SC9IXDS1S16730142990474VCRCPLV8MSMOD"
}
]
}
]
},
{"correlation_rule_id": "O3PL7FQ2AANGP7V11673014299047K9Y7DNI537YNX0",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "Alarm ID: 50517 (H323Stopped)",
"threat_score": 0,
"threshold": 1,
"window": 60,
"status": 1,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "*",
"description": "Unified CM is not ready to handle calls for the indicated H.323 device.\nExplanation: Unified CM is not ready to handle calls for the indicated H.323 device. This could be due to Unified CM being unable to resolve the gateway name to IP address. For trunks, this alarm should only occur when a system administrator has made a configuration change such as resetting the H.323 trunk. For H.323 clients, this alarm occurrence is normal on lower-priority Unified CM nodes when a high-priority Unified CM node starts.\nRecommended Action: If the service was stopped intentionally, no action is required. Check the domain name system (DNS) configuration for any errors in the gateway name or IP address and correct.",
"policy_modules": [{"policy_module_id": "R4MWWCKH606WH8DL16730142990468XG3QBWUSFCSF3"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "L89FNYA310IIB3LP16730142990472XNJD2OSF444XE",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(H323Stopped)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "O3PL7FQ2AANGP7V11673014299047K9Y7DNI537YNX0"
}
]
},
{"rule_definition_id": "AWEBDK9U6YOADVVD1673014299047XXXP2R8SVY8A75",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "O3PL7FQ2AANGP7V11673014299047K9Y7DNI537YNX0"
}
]
}
]
},
{"correlation_rule_id": "YPKPSRLHQROK4CWT1673014299047Y7004W51GM77O8",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "Alarm ID: 50518 (SIPStarted)",
"threat_score": 11,
"threshold": 1,
"window": 60,
"status": 1,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "*",
"description": "Unified CM is ready to handle calls for the indicated SIP device.\nExplanation: Unified CM is ready to handle calls for the indicated SIP device. This alarm does not indicate the current state of the SIP device, only that Unified CM is prepared to handle calls to/from the SIP device.\nRecommended Action: Informational purposes only; no action is required.",
"policy_modules": [{"policy_module_id": "R4MWWCKH606WH8DL16730142990468XG3QBWUSFCSF3"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "B3I6Q7UOFD956DBO167301429904862OHGKXYDDOF60",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(SIPStarted)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "YPKPSRLHQROK4CWT1673014299047Y7004W51GM77O8"
}
]
},
{"rule_definition_id": "A6D5RDOPB2NKCJ5N16730142990483SRS9KB4OV9S2R",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "YPKPSRLHQROK4CWT1673014299047Y7004W51GM77O8"
}
]
}
]
},
{"correlation_rule_id": "FBAPOER4MGFS48EA1673014299048UO3VU9E8HH3ARE",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "Alarm ID: 50519 (SIPStopped)",
"threat_score": 0,
"threshold": 1,
"window": 60,
"status": 1,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "*",
"description": "Unified CM is not ready to handle calls for the indicated SIP device.\nExplanation: Unified CM is not ready to handle calls for the indicated SIP device. Possible reasons could be internal database error, the SIP device is not activated on this node, the SIP device failed to register, or the SIP device was deleted from Cisco Unified CM Administration.\nRecommended Action: This alarm doesn't necessarily mean an error. It could occur as a result of normal administrative changes. If the alarm is unexpected, check whether the StationPortInitError alarm also fired. Check the Device Pool assigned to the SIP device identified in this alarm to ensure that the Cisco Unified Communications Manager Group of the Device Pool includes the Unified CM node that issued the alarm.",
"policy_modules": [{"policy_module_id": "R4MWWCKH606WH8DL16730142990468XG3QBWUSFCSF3"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "O15N037Y6HSBQ5291673014299048FD54H58NY2I9S6",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(SIPStopped)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "FBAPOER4MGFS48EA1673014299048UO3VU9E8HH3ARE"
}
]
},
{"rule_definition_id": "R3UTU9YR97QPPC061673014299048UVVWNCO9S0HR5Y",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "FBAPOER4MGFS48EA1673014299048UO3VU9E8HH3ARE"
}
]
}
]
},
{"correlation_rule_id": "R0BGN6FK81OPLY2B16730142990489HK0HUID4L7FVD",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "Alarm ID: 50520 (SIPNormalizationScriptOpened)",
"threat_score": 11,
"threshold": 1,
"window": 60,
"status": 1,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "*",
"description": "Unified CM has opened the script for this device.\nExplanation: The normalization script for the indicated SIP device has been successfully loaded, initialized, and is active on Unified CM.\nRecommended Action: Notification purposes only; no action is required.",
"policy_modules": [{"policy_module_id": "R4MWWCKH606WH8DL16730142990468XG3QBWUSFCSF3"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "CF8U7FV73JT0LD0E1673014299048FT0XH3HLXPANVD",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(SIPNormalizationScriptOpened)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "R0BGN6FK81OPLY2B16730142990489HK0HUID4L7FVD"
}
]
},
{"rule_definition_id": "B38Q1FHSUBPYCEVR16730142990485XFNJYR1ECH1CB",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "R0BGN6FK81OPLY2B16730142990489HK0HUID4L7FVD"
}
]
}
]
},
{"correlation_rule_id": "PH51C0KC0CB3GVO91673014299048F2DVE7E578XOAT",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "Alarm ID: 50521 (SIPNormalizationScriptClosed)",
"threat_score": 11,
"threshold": 1,
"window": 60,
"status": 1,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "*",
"description": "Unified CM has closed (disabled) the script for this device.\nExplanation: Unified CM closed the script either because the indicated device (SIP trunk) was reset manually or automatically, the trunk was deleted, or because of a script error or resource error, or because of an internal error. When the script is closed, Unified CM is not invoking normalization script message handlers for the indicated SIP device.\nRecommended Action: This alarm serves as notification of the script closure if the alarm occurred due to a SIP trunk maintenance window or some other expected reason for the script to close. If this alarm is unexpected, check for an occurrence of the SIPNormalizationScriptError alarm and refer to the specific action based on the reason code identified in that alarm.",
"policy_modules": [{"policy_module_id": "R4MWWCKH606WH8DL16730142990468XG3QBWUSFCSF3"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "N0AARYTO8V9CR6HX1673014299048C4XTIAS1EBVAN7",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(SIPNormalizationScriptClosed)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "PH51C0KC0CB3GVO91673014299048F2DVE7E578XOAT"
}
]
},
{"rule_definition_id": "B71BNML9MUD7T8VF1673014299048CCW8MOH1RYCNJJ",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "PH51C0KC0CB3GVO91673014299048F2DVE7E578XOAT"
}
]
}
]
},
{"correlation_rule_id": "F7N93UCQCC52MWXS16730142990485P615XJ6DPLU5X",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "Alarm ID: 50522 (SIPNormalizationScriptError)",
"threat_score": 31,
"threshold": 1,
"window": 60,
"status": 1,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "*",
"description": "A script error occurred.\nExplanation: Unified CM encountered an error during loading, initializing, or during execution of the SIP normalization script for the indicated SIP device. If the error was due to a resource issue, the SIPNormalizationResourceWarning alarm will also be issued. The Configured Action shown in this alarm may differ from the Resulting Action shown in this alarm because certain errors, such as those occurring during loading or initialization, cannot be configured. If the script closes three times within a 10-minute window due to errors, Unified CM will follow the configured action three times; on the fourth occurrence of the error, Unified CM disables the script and issues the SIPNormalizationAutoResetDisabled alarm.\nRecommended Action: Examine SDI trace files for details regarding the error such as function calls and the call ID which may help provide details that assist with troubleshooting the error. Examine the script for syntax or logic errors; for scripts provided by Cisco, contact the Cisco Technical Assistance Center (TAC). If the error was due to a resource issue, the SIPNormalizationResourceWarning alarm will also be issued. Check that alarm for additional information and recommended actions.",
"policy_modules": [{"policy_module_id": "R4MWWCKH606WH8DL16730142990468XG3QBWUSFCSF3"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "BXP1H43PY1IF0GIV1673014299048W2A5DEUH0SF7YJ",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(SIPNormalizationScriptError)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "F7N93UCQCC52MWXS16730142990485P615XJ6DPLU5X"
}
]
},
{"rule_definition_id": "BS2KAIDQ9RLY81MI1673014299048VHL47Q2WQHURBM",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "F7N93UCQCC52MWXS16730142990485P615XJ6DPLU5X"
}
]
}
]
},
{"correlation_rule_id": "XOGMOW11Q5OYRSYX1673014299048BOOY3BOHQ4W80P",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "Alarm ID: 50523 (SIPNormalizationResourceWarning)",
"threat_score": 31,
"threshold": 1,
"window": 60,
"status": 1,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "*",
"description": "The script has exceeded an internal resource threshold and may be in danger of closing.\nExplanation: The normalization script for the indicated SIP device has exceeded an internal threshold for resource consumption. This alarm can occur for memory consumption or when the script is close to exceeding the configured allowance of Lua instructions. When the amount of memory (as defined in the Memory Threshold field) or the number of Lua instructions utilized by this script (as defined by the Lua Instruction Threshold) exceeds an internal threshold, this alarm is triggered. For example, if the Memory Threshold is set to 100 kb and the internal threshold is 80%, this alarm will occur when this script has consumed 80 kb of memory. The internal threshold is not configurable and may fluctuate from Unified CM release to release. Another example: if the Lua Instruction Threshold is set to 2000 and the internal threshold is 50%, this alarm occurs when the script has executed 1000 Lua instructions. This alarm serves as a warning that resources (either memory or Lua instructions) have passed an internal mark where investigation into the consumption of those resources may be advisable to ensure the health of the script. Investigate and correct the resource issue before the script closes. When the values that have been configured in the fields, Memory Threshold field and/or Lua Instruction Threshold on the SIP Normalization Script Configuration window are met, the script closes and the SIPNormalizationScriptClosed alarm also occurs. For additional information when troubleshooting, check the SIP Normalization counter, MemoryUsagePercentage to learn the current resource usage.\nRecommended Action: Examine the thresholds (Memory Threshold and Lua Instruction Threshold) configured in the SIP Normalization Script Configuration window and evaluate if those thresholds can be increased (take into consideration the CPU resources and memory when deciding to increase these values) or examine the script to determine if the message handlers can be written more efficiently to reduce the number of instructions in the script. Examine the script for logic errors. If the script is otherwise functioning normally but contains extensive logic, consider increasing the value in the Lua Instruction Threshold field. Be aware that more computing resources will be consumed as a result. You can also examine SDI trace files for additional details about this resource condition. For scripts provided by Cisco, contact the Cisco Technical Assistance Center (TAC).",
"policy_modules": [{"policy_module_id": "R4MWWCKH606WH8DL16730142990468XG3QBWUSFCSF3"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "B59F32MKO50FRQHM1673014299048GIGEFGSD7VOFTH",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(SIPNormalizationResourceWarning)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "XOGMOW11Q5OYRSYX1673014299048BOOY3BOHQ4W80P"
}
]
},
{"rule_definition_id": "QWTT3G9GCL19LCY71673014299048CU2NV426V51F0S",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "XOGMOW11Q5OYRSYX1673014299048BOOY3BOHQ4W80P"
}
]
}
]
},
{"correlation_rule_id": "P3NKR4RWB4JKXM141673014299048FHXDYH43VG4IC0",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "Alarm ID: 50524 (SIPNormalizationAutoResetDisabled)",
"threat_score": 11,
"threshold": 1,
"window": 60,
"status": 1,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "*",
"description": "An error has occurred repeatedly and Unified CM disabled the script.\nExplanation: The script failed due to execution errors three times within a 10 minute period. As a result, the normalization script for the indicated SIP device has been disabled. Unified CM is no longer attempting to automatically reset either the script or the device for the purposes of recovering the script.\nRecommended Action: Notification purposes; examine the information and perform the recommended actions in the SIPNormalizationScriptError alarm, which should have been issued prior to this alarm.",
"policy_modules": [{"policy_module_id": "R4MWWCKH606WH8DL16730142990468XG3QBWUSFCSF3"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "UIGIX63GLEXRJ5C01673014299048MOLP6USRH86IIB",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(SIPNormalizationAutoResetDisabled)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "P3NKR4RWB4JKXM141673014299048FHXDYH43VG4IC0"
}
]
},
{"rule_definition_id": "SVHUC9VGF3SOEQC71673014299048NNH9C4OGEUWQJB",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "P3NKR4RWB4JKXM141673014299048FHXDYH43VG4IC0"
}
]
}
]
},
{"correlation_rule_id": "FL82HMVUDGJX8JGY16730142990489LPQ3MG59F8PHD",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "Alarm ID: 50525 (SIPTrunkISV)",
"threat_score": 11,
"threshold": 1,
"window": 60,
"status": 1,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "*",
"description": "All remote peers are available to handle calls for this SIP trunk.\nExplanation: All remote peers are available to handle calls for this SIP trunk. This alarm specifies the available remote peers for this SIP trunk; each peer is identified by resolved IP address and port number, and hostname or SRV if configured on SIP trunk.\nRecommended Action: Notification purpose only; no action is required.",
"policy_modules": [{"policy_module_id": "R4MWWCKH606WH8DL16730142990468XG3QBWUSFCSF3"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "RDELEKFFRQV7T18G1673014299048UPPV678U4DLCTT",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(SIPTrunkISV)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "FL82HMVUDGJX8JGY16730142990489LPQ3MG59F8PHD"
}
]
},
{"rule_definition_id": "TJJN9EO6FPX2UHQM1673014299048M93QTN1X616MX9",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "FL82HMVUDGJX8JGY16730142990489LPQ3MG59F8PHD"
}
]
}
]
},
{"correlation_rule_id": "FWW5NUCFIXDVGG1D1673014299048IFF5LGKP6XJT77",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "Alarm ID: 50526 (SIPTrunkOOS) -SERVICE IMPACTING",
"threat_score": 60,
"threshold": 1,
"window": 60,
"status": 1,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "*",
"description": "All remote peers are out of service and unable to handle calls for this SIP trunk.\nExplanation: All remote peers for this SIP trunk are out of service and unable to handle calls. This alarm provides the reason code received by the SIP trunk in response to an Options request sent to the remote peer. The list of unavailable remote peers is provided in this alarm and each peer is separated by semi-colon. For each peer, the alarm provides the hostname or SRV (if configured on SIP trunk), resolved IP address, port number, and reason code in the following format: ReasonCodeType=ReasonCode. ReasonCodeType could be based on a SIP response from the remote peer as defined in SIP RFCs (Remote) or based on a reason code provided by Unified CM (Local). Examples of possible reason codes include Remote=503 (\"503 Service Unavailable\" a standard SIP RFC error code), Remote=408 (\"408 Request Timeout\" a standard SIP RFC error code), Local=1 (request timeout), Local=2 (local SIP stack is not able to create a socket connection with the remote peer), Local=3 (DNS query failed). For Local=3, IP address in Alarm will be represented as \"0\" and when dns srv is configured on SIP trunk then port will be represented as \"0\".\nRecommended Action: For Remote=503, possible reasons include 1) route/sip trunk for originating side doesn't exist on remote peer; 2) route/sip trunk for originating side does exist on the remote peer but the port is either used for a SIP phone or a different sip trunk; 3) the remote peer has limited resources and may not be able to handle new calls. For the first cause (item 1), if the remote peer is Unified CM, add a new SIP trunk in Unified CM Administration for the remote peer (Device > Trunk) and make certain that the Destination Address and Destination Port fields are configured to point to the originating host (the originating host is the same node on which this alarm was generated). Also ensure the new SIP trunk has the incoming port in associated SIP Trunk Security Profile configured to be same as originating side SIP Trunk destination port. For the second cause (item 2), if the remote peer is Unified CM, then in Unified CM Administration for the remote peer (Device > Trunk) make certain that incoming port in associated SIP Trunk Security Profile is configured to be same as originating side SIP Trunk destination port. For the third cause (item 3), if the remote peer is administered by a different system administrator, consider communicating the resource issue with the other administrator. For remote=408, possible reason includes remote is running low in resources and unable to process the request. If the remote peer is administered by a different system administrator, consider communicating the resource issue with the other administrator. For Local=1, possible reason could be that no responses has been received for Options request after all retries when transport is configured as UDP in SIP trunk Security Profile assigned to the SIP trunk on originating side. To fix this issue, if the remote peer is Unified CM, then go to remote peer Serviceability web page and then Tools -> Control Center (Feature Services) and make sure Cisco Call Manager service is activated and started. Also, go to remote peer admin web page and then to Device -> Trunk and do a find and make sure that there is a SIP trunk exist with incoming port in associated SIP Trunk security profile configured to be same as what is configured on originating side SIP Trunk destination port. Also, check the network connectivity using the CLI command \"utils network ping remote_peer\" at originating side. For Local=2, possible reason could be that Unified CM is not be able to create socket connection with remote peer. To fix this issue, if remote peer is Unified CM, then go to remote peer Serviceability web page and then Tools -> Control Center (Feature Services) and make sure Cisco Call Manager service is activated and started. Also, go to remote peer admin web page and then to Device -> Trunk and do a find and make sure that there is a SIP trunk exist with incoming port in associated SIP Trunk security profile configured to be same as what is configured on originating side SIP Trunk destination port. Also, check the network connectivity using \"utils network ping remote_peer\" at originating side. For Local=3, possible reason could be DNS server is not reachable or DNS is not properly configured to resolve hostname or SRV which is configured on local SIP trunk. To fix this issue, go to OS Administration web page and go to Show -> Network and look into DNS Details and make sure it is correct. If not then configure correct DNS server information using CLI \"set network dns primary\" command. Also, check the network connectivity with DNS server using \"utils network ping \"remote_peer\" and make sure DNS server is properly configured.",
"policy_modules": [{"policy_module_id": "R4MWWCKH606WH8DL16730142990468XG3QBWUSFCSF3"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "FVTF2H41GDAY56DH1673014299048O5LUKAH9K0BTSX",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(SIPTrunkOOS)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "FWW5NUCFIXDVGG1D1673014299048IFF5LGKP6XJT77"
}
]
},
{"rule_definition_id": "U1JUEA0NNWBF9R4E1673014299048WPHN14CD048RL8",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "FWW5NUCFIXDVGG1D1673014299048IFF5LGKP6XJT77"
}
]
}
]
},
{"correlation_rule_id": "J30IA4NNYPOYND3W16730142990486N6BG77WTKGLJR",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "Alarm ID: 50527 (SIPTrunkPartiallyISV)",
"threat_score": 0,
"threshold": 1,
"window": 60,
"status": 1,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "*",
"description": "Some of the remote peers are not available to handle calls for this SIP Trunk.\nExplanation: Some of the remote peers are not available to handle calls for this SIP trunk. This alarm provides a list of available remote peers and a list of unavailable remote peers and each peer is separated by semi-colon. Each available peer is identified by resolved IP address and port number, and hostname or SRV (if configured on SIP trunk). In the case of unavailable peers, the alarm provides the hostname or SRV (if configured on SIP trunk), resolved IP address, port number, and reason code in the following format: ReasonCodeType=ReasonCode. ReasonCodeType could be based on a SIP response from the remote peer as defined in SIP RFCs (Remote) or based on a reason code provided by Unified CM (Local). Examples of possible reason codes include Remote=503 (\"503 Service Unavailable\" a standard SIP RFC error code), Remote=408 (\"408 Request Timeout\" a standard SIP RFC error code), Local=1 (request timeout), Local=2 (local SIP stack is not able to create a socket connection with the remote peer), Local=3 (DNS query failed). For Local=3, IP address in Alarm will be represented as \"0\" and when dns srv is configured on SIP trunk then port will be represented as \"0\".\nRecommended Action: Available peer list is for notification purpose only; no action is required. For each unavailable peer, complete the following steps depending on the reason code provided in this alarm. For Remote=503, possible reasons include 1) route/sip trunk for originating side doesn't exist on remote peer; 2) route/sip trunk for originating side does exist on the remote peer but the port is either used for a SIP phone or a different sip trunk; 3) the remote peer has limited resources and may not be able to handle new calls. For the first cause (item 1), if the remote peer is Unified CM, add a new SIP trunk in Unified CM Administration for the remote peer (Device > Trunk) and make certain that the Destination Address and Destination Port fields are configured to point to the originating host (the originating host is the same node on which this alarm was generated). Also ensure the new SIP trunk has the incoming port in associated SIP Trunk Security Profile configured to be same as originating side SIP Trunk destination port. For the second cause (item 2), if the remote peer is Unified CM, then in Unified CM Administration for the remote peer (Device > Trunk) make certain that incoming port in associated SIP Trunk Security Profile is configured to be same as originating side SIP Trunk destination port. For the third cause (item 3), if the remote peer is administered by a different system administrator, consider communicating the resource issue with the other administrator. For remote=408, possible reason includes remote is running low in resources and unable to process the request. If the remote peer is administered by a different system administrator, consider communicating the resource issue with the other administrator. For Local=1, possible reason could be that no responses has been received for Options request after all retries when transport is configured as UDP in SIP trunk Security Profile assigned to the SIP trunk on originating side. To fix this issue, if the remote peer is Unified CM, then go to remote peer Serviceability web page and then Tools -> Control Center (Feature Services) and make sure Cisco Call Manager service is activated and started. Also, go to remote peer admin web page and then to Device -> Trunk and do a find and make sure that there is a SIP trunk exist with incoming port in associated SIP Trunk security profile configured to be same as what is configured on originating side SIP Trunk destination port. Also, check the network connectivity using the CLI command \"utils network ping remote_peer\" at originating side. For Local=2, possible reason could be that Unified CM is not be able to create socket connection with remote peer. To fix this issue, if remote peer is Unified CM, then go to remote peer Serviceability web page and then Tools -> Control Center (Feature Services) and make sure Cisco Call Manager service is activated and started. Also, go to remote peer admin web page and then to Device -> Trunk and do a find and make sure that there is a SIP trunk exist with incoming port in associated SIP Trunk security profile configured to be same as what is configured on originating side SIP Trunk destination port. Also, check the network connectivity using \"utils network ping remote_peer\" at originating side. For Local=3, possible reason could be DNS server is not reachable or DNS is not properly configured to resolve hostname or SRV which is configured on local SIP trunk. To fix this issue, go to OS Administration web page and go to Show -> Network and look into DNS Details and make sure it is correct. If not then configure correct DNS server information using CLI \"set network dns primary\" command. Also, check the network connectivity with DNS server using \"utils network ping \"remote_peer\" and make sure DNS server is properly configured.",
"policy_modules": [{"policy_module_id": "R4MWWCKH606WH8DL16730142990468XG3QBWUSFCSF3"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "IA4SSRNN5JQA5HB31673014299048QS7YUAS9QWGF6M",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(SIPTrunkPartiallyISV)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "J30IA4NNYPOYND3W16730142990486N6BG77WTKGLJR"
}
]
},
{"rule_definition_id": "EUIHKD16QXEWM2O61673014299048676AL312Q7Q1BL",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "J30IA4NNYPOYND3W16730142990486N6BG77WTKGLJR"
}
]
}
]
},
{"correlation_rule_id": "CBAICTWK9P4POQIP1673014299048RMIAUFICY719F2",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "Alarm ID: 50528 (ConnectionFailure)",
"threat_score": 31,
"threshold": 1,
"window": 60,
"status": 1,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "*",
"description": "Unified CM failed to open a TLS connection for the indicated device.\nExplanation: Unified CM failed to open a TLS connection for the indicated device because an incorrect Device Security Mode was configured or an incorrect X.509 Subject Name was configured, or due to an unsupported cipher algorithm.\nRecommended Action: Check the Security Profile of the indicated device. Make certain that Device Security Mode is set to either Authenticated or Encrypted. Make sure that the X.509 Subject Name field has the appropriate content; it should match the Subject Name in the certificate from the peer. Also, Unified CM only supports the AES_128_SHA cipher algorithm; let the peer regenerate its certificate with the correct algorithm.",
"policy_modules": [{"policy_module_id": "R4MWWCKH606WH8DL16730142990468XG3QBWUSFCSF3"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "F1HAKY5H2I3FULNK16730142990483Y2YYWMVNT4F66",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(ConnectionFailure)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "CBAICTWK9P4POQIP1673014299048RMIAUFICY719F2"
}
]
},
{"rule_definition_id": "KH5NNFA2EEXUVFTL1673014299048IQDI2J6AQ8CRJX",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "CBAICTWK9P4POQIP1673014299048RMIAUFICY719F2"
}
]
}
]
},
{"correlation_rule_id": "VCYEJAM21QWWG51W1673014299048S0QHSTATQ9A4QC",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "Alarm ID: 50529 (MediaResourceListExhausted)",
"threat_score": 60,
"threshold": 1,
"window": 60,
"status": 1,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "*",
"description": "The requested device type is not found in the media resource list or default list or the configured devices are not registered.\nExplanation: The requested device is not configured in the Media Resource Group List or Default List, or it's possible that one or more of the devices that are configured in the Media Resource Group List or Default List are not registered to Cisco Unified Communications Manager.\nRecommended Action: First, go to Cisco Unified CM Administration to check the configuration of the devices that are part of the Media Resource Groups in the Media Resource Group List that was specified in the alarm (Media Resource Group List Configuration window and Media Resource Group Configuration window in Unified CM Administration). Check whether the requested type of device is configured in any of the Media Resource Groups in that particular Media Resource Group List; for RSVP Agent, check whether any media termination point or transcoder is configured in any of the Media Resource Groups in that particular Media Resource Group List. Next, go to the Media Resources menu in Cisco Unified CM Administration to see all the devices of the requested type and then check all the Media Resource Groups (irrespective of whether they belong to the Media Resource Group List for which the alarm is generated) to determine whether the devices belong to at least one Media Resource Group. If there exists some media resources of the requested type which do not belong to any Media Resource Groups, then these devices will belong to the Default List. If the requested type of device is not configured in any of the Media Resource Groups of the Media Resource Group List for which the alarm is generated or in the Default List, add the requested type of device to a Media Resource Group in the specified Media Resource Group List or add it to the Default List. To add a media resource to the Default List, remove the Media Device from all the Media Resource Groups. In general, when a new media device is initially added to Unified CM it will automatically be added to the Default List. This Default List can be used by any device or trunk. But when the media device is added to any particular Media Resource Group it will not be available to the Default List. It can only be used by devices and trunks that are configured with the Media Resource Group List that have that particular Media Resource Group. Note that a particular Media Resource Group can be added to multiple Media Resource Group Lists. If the requested device is properly configured in Cisco Unified CM Administration, check whether the device is registered to Unified CM. To do that go to the Media Resources menu of the requested type of device (such as Annunciator or Conference Bridge or Media Termination Point or Music On Hold Server or Transcoder) and click the Find button. All the devices of that type will display along with their status, device pool, and so on. Check the status field to see whether the device is registered with Unified CM. Note that the display on the status field is not a confirmation that the device is registered to Unified CM. It may happen in a Unified CM cluster that the Publisher can only write to the Unified CM database and suppose the Publisher goes down. Because the Subscriber may not be able to write to the database the devices may still display as registered in Unified CM Administration after they are actually unregistered. However, if the Publisher is down that should generate another alarm with higher priority than this alarm. If the device is not registered, click on the name of that particular device and check the type of the device. Device types including Cisco Conference Bridge Software, Cisco Media Termination Point Software, or that specify a server name that is the same name as a Unified CM node of the cluster indicate that the requested device is a software device and is part of the Cisco IP Voice Media Streaming application. Check to be sure that the IP Voice Media Streaming App service is enabled on that Unified CM node (Cisco Unified Serviceability > Tools > Service Activation) and if it is not enabled, activate the Cisco IP Voice Media Streaming App service. Devices should try to register. You can also check the status of the service to be sure it is showing as Started (Tools > Control Center > Feature Services). If the device type is a type other than Cisco Conference Bridge Software, Cisco Media Termination Point Software, or a server name that is the same name as a Unified CM node, that indicates that the device is an external media resource to Unified CM. Check the configuration (such as Conference Bridge type, MAC address, and conference bridge name in the case of a conference bridge; Media Termination Point name in the case of a Media Termination Point; Transcoder type, MAC address, and Transcoder name in the case of a Transcoder) of the device in Cisco Unified CM Administration and compare it with the configuration of the actual device. To check the configuration of the actual device you may need to refer to the user manual of the media device. The user manual should provide all the details such as connecting to the media device to check the configuration, commands needed to view and update the configuration, and so on. If configuration in Unified CM and on the actual devices are different, make the necessary changes so that the configurations match. If the configuration matches and the device is still not registered, restart the external media device or the service associated with the external media device. If the external media device continues to fail to register with Unified CM, check the network connectivity between Unified CM and the media device.",
"policy_modules": [{"policy_module_id": "R4MWWCKH606WH8DL16730142990468XG3QBWUSFCSF3"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "SIH2XTEU9V00TLEO1673014299048TYAG1O83W41UWS",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(MediaResourceListExhausted)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "VCYEJAM21QWWG51W1673014299048S0QHSTATQ9A4QC"
}
]
},
{"rule_definition_id": "T4UW96DY8HHC8BX21673014299048X9M0IK06V6YMCK",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "VCYEJAM21QWWG51W1673014299048S0QHSTATQ9A4QC"
}
]
}
]
},
{"correlation_rule_id": "SLIBAGA8UQ6MH4CE1673014299048PX968FMK6G55WL",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "Alarm ID: 50530 (RouteListExhausted)",
"threat_score": 60,
"threshold": 1,
"window": 60,
"status": 1,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "*",
"description": "An available route could not be found in the indicated route list.\nExplanation: An available route could not be found in the indicated route list. This alarm is generated when all members' status is unavailable or busy or when the member is down (out of service), not registered, or busy.\nRecommended Action: Consider adding additional routes in the indicated route list. For shared line when some phones are not ringing, check the busy trigger and maximum call settings of shared line phones; check whether there are some outstanding calls on that DN. When one shared line phone answers an incoming call, the other shared line phone cannot see that remote-in-use call; check the privacy setting of the phone that answers the call. Try to make a call directly to the member, bypassing the route list, to verify that there is not a device or connectivity issue. If you cannot identify the cause through these steps, gather the CCM (SDI) trace and contact the Cisco Technical Assistance Center; TAC may be able to locate a cause code which may provide additional explanation for this alarm.",
"policy_modules": [{"policy_module_id": "R4MWWCKH606WH8DL16730142990468XG3QBWUSFCSF3"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "EYLYCCAEXJLMKYOK1673014299048MS5Y6PRQ9EPH9K",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(RouteListExhausted)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "SLIBAGA8UQ6MH4CE1673014299048PX968FMK6G55WL"
}
]
},
{"rule_definition_id": "JHNWJL0ESG1NPAPB16730142990489CD0T93K2LUYLW",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "SLIBAGA8UQ6MH4CE1673014299048PX968FMK6G55WL"
}
]
}
]
},
{"correlation_rule_id": "P1QEK03QHVP45DPI16730142990487F7S7SUYR05WSI",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "Alarm ID: 50531 (HuntListExhausted)",
"threat_score": 0,
"threshold": 1,
"window": 60,
"status": 1,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "*",
"description": "An available line could not be found in the indicated hunt list.\nExplanation: An available line could not be found in the indicated hunt list. This alarm is generated when all members' status is unavailable or busy or when the member is down (out of service), not registered, or busy.\nRecommended Action: Consider adding additional lines in the indicated hunt list. Check whether there are some outstanding calls on the line. Try to make a call directly to the members, bypassing the hunt list, to verify that there is no device or connectivity issue. If you cannot identify the cause through these steps, gather the CCM (SDI) trace and contact the Cisco Technical Assistance Center; TAC may be able to locate a cause code which may provide additional explanation for this alarm.",
"policy_modules": [{"policy_module_id": "R4MWWCKH606WH8DL16730142990468XG3QBWUSFCSF3"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "K4YQV4JE4NJJ25JT1673014299048CYVDTSOB35PWJM",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(HuntListExhausted)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "P1QEK03QHVP45DPI16730142990487F7S7SUYR05WSI"
}
]
},
{"rule_definition_id": "D58G8JIYTOUEFP991673014299048K5QD6R9HV0DJUY",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "P1QEK03QHVP45DPI16730142990487F7S7SUYR05WSI"
}
]
}
]
},
{"correlation_rule_id": "R5JENBIIFM7GKGQM1673014299048BVKFX3TJ0IHET0",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "Alarm ID: 50532 (DeviceTypeMismatch)",
"threat_score": 31,
"threshold": 1,
"window": 60,
"status": 1,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "*",
"description": "Device type mismatch between the information contained in the device's TFTP configuration file and what is configured in Unified CM Administration for that device.\nExplanation: The device type indicated in the device's configuration file does not match the database configuration. This could indicate that a change was made in the database configuration that failed to get updated at the device itself.\nRecommended Action: Check the Unified CM Database Status report in Cisco Unified Reporting to verify that database replication is working. You can also go to Real-Time Reporting Tool (RTMT) and check the Replication Status in the Database Summary page. If status shows 2, then replication is working. Restart the phone to download a new configuration file from TFTP.",
"policy_modules": [{"policy_module_id": "R4MWWCKH606WH8DL16730142990468XG3QBWUSFCSF3"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "JSV6ERRYYTY6CXLI1673014299048P7V7RHPERNH3FX",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(DeviceTypeMismatch)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "R5JENBIIFM7GKGQM1673014299048BVKFX3TJ0IHET0"
}
]
},
{"rule_definition_id": "QR2JGAX9GDR6VV7M16730142990487WGOQBHRQ5TSDN",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "R5JENBIIFM7GKGQM1673014299048BVKFX3TJ0IHET0"
}
]
}
]
},
{"correlation_rule_id": "GLHTWPYIM2UDV4LR1673014299048TOQ2O4S86OSRWR",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "Alarm ID: 50533 (DeviceDnInformation)",
"threat_score": 0,
"threshold": 1,
"window": 60,
"status": 1,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "*",
"description": "List of directory numbers (DN) associated with this device.\nExplanation: Provides a list of directory numbers (DN) associated with the device.\nRecommended Action: Informational purposes only; no action is required.",
"policy_modules": [{"policy_module_id": "R4MWWCKH606WH8DL16730142990468XG3QBWUSFCSF3"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "VVJLWUXU5I8JGJG91673014299048P9HNCK3SGGOLN8",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(DeviceDnInformation)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "GLHTWPYIM2UDV4LR1673014299048TOQ2O4S86OSRWR"
}
]
},
{"rule_definition_id": "CL09698FXYLCTSY21673014299048VK0MPDHR2PPEK5",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "GLHTWPYIM2UDV4LR1673014299048TOQ2O4S86OSRWR"
}
]
}
]
},
{"correlation_rule_id": "PXVI34C9IU48BHDA1673014299048V69RNA6PIB6G24",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "Alarm ID: 50534 (StationConnectionError)",
"threat_score": 0,
"threshold": 1,
"window": 60,
"status": 1,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "*",
"description": "Station device is closing the connection.\nExplanation: A station device is closing its connection with Unified CM because of the reason that is described in this alarm.\nRecommended Action: Informational purposes only; no action is required. Also, refer to the reason code definition for additional information.",
"policy_modules": [{"policy_module_id": "R4MWWCKH606WH8DL16730142990468XG3QBWUSFCSF3"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "QCBEQVBCILWFQ47S16730142990487OOS6S971AGX93",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(StationConnectionError)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "PXVI34C9IU48BHDA1673014299048V69RNA6PIB6G24"
}
]
},
{"rule_definition_id": "XVDE8N0GELLR82UL1673014299048FOSPWN9WAKCXFG",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "PXVI34C9IU48BHDA1673014299048V69RNA6PIB6G24"
}
]
}
]
},
{"correlation_rule_id": "QY56VNBYJS3X4L911673014299048FTSG76B2EQLL4M",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "Alarm ID: 50535 (StationAlarm)",
"threat_score": 0,
"threshold": 1,
"window": 60,
"status": 1,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "*",
"description": "A station has sent an alarm to Unified CM for pass-through purposes.\nExplanation: A station device sent an alarm to Unified CM, which acts as a conduit from the device to generate this alarm.\nRecommended Action: To determine the appropriate action, refer to the specific device type and information passed from the device via this alarm.",
"policy_modules": [{"policy_module_id": "R4MWWCKH606WH8DL16730142990468XG3QBWUSFCSF3"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "WPDOP84XXIHLJDP416730142990486P6JF2MD0NQEP0",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(StationAlarm)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "QY56VNBYJS3X4L911673014299048FTSG76B2EQLL4M"
}
]
},
{"rule_definition_id": "HRW5GEWV1IBNEFDA1673014299048WDPA1XWLAB9DWV",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "QY56VNBYJS3X4L911673014299048FTSG76B2EQLL4M"
}
]
}
]
},
{"correlation_rule_id": "KSBQPWTRIC4ONIMW1673014299048G4CLCUD2AO5KIC",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "Alarm ID: 50536 (StationEventAlert)",
"threat_score": 0,
"threshold": 1,
"window": 60,
"status": 1,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "*",
"description": "A station sent an alert to Unified CM for pass-through purposes.\nExplanation: A station device sent an alert to Unified CM, which acts as a conduit from the device to generate this alarm.\nRecommended Action: To determine the appropriate action, refer to the specific device type and information passed from the device via this alarm.",
"policy_modules": [{"policy_module_id": "R4MWWCKH606WH8DL16730142990468XG3QBWUSFCSF3"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "OQJT57JIT69M3T6P1673014299048UVHUL7NOLAETXN",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(StationEventAlert)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "KSBQPWTRIC4ONIMW1673014299048G4CLCUD2AO5KIC"
}
]
},
{"rule_definition_id": "RLIX4KG700Y0CAVD16730142990480IL4X7ROBHDNOD",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "KSBQPWTRIC4ONIMW1673014299048G4CLCUD2AO5KIC"
}
]
}
]
},
{"correlation_rule_id": "QW3QTHK4C5CMUFGX1673014299048YTFTDDF6PX0GGQ",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "Alarm ID: 50537 (MGCPGatewayGainedComm)",
"threat_score": 11,
"threshold": 1,
"window": 60,
"status": 1,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "*",
"description": "MGCP communication to the gateway has been established.\nExplanation: The MGCP gateway has established communication with Unified CM.\nRecommended Action: Notification purposes only; no action is required.",
"policy_modules": [{"policy_module_id": "R4MWWCKH606WH8DL16730142990468XG3QBWUSFCSF3"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "JIHWRG6ARBHY1TVM1673014299048IWEKL2J7PIPMN8",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(MGCPGatewayGainedComm)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "QW3QTHK4C5CMUFGX1673014299048YTFTDDF6PX0GGQ"
}
]
},
{"rule_definition_id": "FPN1QKN9EA4KG4JY167301429904836R6S5XJDEOVEY",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "QW3QTHK4C5CMUFGX1673014299048YTFTDDF6PX0GGQ"
}
]
}
]
},
{"correlation_rule_id": "GEFVN0H58T5OY0HL16730142990482KEJYGIL8HFF0Q",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "Alarm ID: 50538 (MGCPGatewayLostComm) - SERVICE IMPACTING",
"threat_score": 60,
"threshold": 1,
"window": 60,
"status": 1,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "*",
"description": "MGCP gateway has lost communication with Unified CM.\nExplanation: The MGCP gateway is no longer in communication with Unified CM. This could occur because Unified CM received an MGCP unregister signal from the gateway such as RSIP graceful/forced; Unified CM didn't receive the MGCP KeepAlive signal from the gateway; the MGCP gateway didn't response to an MGCP command sent by Unified CM three times; a speed and duplex mismatch exists on the Ethernet port between Unified CM and the MGCP gateway; or the gateway has reset.\nRecommended Action: Reset the MGCP gateway in an attempt to restore communication with Unified CM; check the speed and duplex settings on the Ethernet port. In the case of an unwanted reset of the gateway which caused communication to be lost, take precautions to ensure that no unauthorized personnel resets the gateway from Cisco Unified CM Administration or via the gateway terminal.",
"policy_modules": [{"policy_module_id": "R4MWWCKH606WH8DL16730142990468XG3QBWUSFCSF3"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "W8QAV90CXG6JXQMU16730142990483OIU2N8FJRVNO8",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(MGCPGatewayLostComm)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "GEFVN0H58T5OY0HL16730142990482KEJYGIL8HFF0Q"
}
]
},
{"rule_definition_id": "AV3II069PMPCKTC41673014299048VWBT24MDFIMKCI",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "GEFVN0H58T5OY0HL16730142990482KEJYGIL8HFF0Q"
}
]
}
]
},
{"correlation_rule_id": "UKS6IOSP3XRKIPTK1673014299048176OWL7WIRAF6E",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "Alarm ID: 50539 (StationPortInitError)",
"threat_score": 60,
"threshold": 1,
"window": 60,
"status": 1,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "*",
"description": "Station TCP initialization error.\nExplanation: An error during initialization was encountered.\nRecommended Action: Verify that the Cisco Unified Communications Manager IP address is configured and is not configured as the loop back address for the IP version. Check the SCCP TCP port configuration to be sure the SCCP TCP port is accurately configured (be certain that there are no port conflicts where another port has the same number). If the IP and port settings are correct, collect SDL and SDI traces and contact the Cisco Technical Assistance Center (TAC).",
"policy_modules": [{"policy_module_id": "R4MWWCKH606WH8DL16730142990468XG3QBWUSFCSF3"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "BIOXTKEB8H8XMU1F167301429904842ATRFXOWPSJFL",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(StationPortInitError)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "UKS6IOSP3XRKIPTK1673014299048176OWL7WIRAF6E"
}
]
},
{"rule_definition_id": "MAIRU07O6BPAMS5F1673014299048DTINAX46E377MP",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "UKS6IOSP3XRKIPTK1673014299048176OWL7WIRAF6E"
}
]
}
]
},
{"correlation_rule_id": "ND75Y7SHRRG0AI9U1673014299048W9TENEL20EUH7W",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "Alarm ID: 50540 (DbInfoError)",
"threat_score": 31,
"threshold": 1,
"window": 60,
"status": 1,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "*",
"description": "Configuration information may be out of sync for the device and Unified CM database.\nExplanation: Configuration information may be out of sync for the device and Unified CM database.\nRecommended Action: Go to Unified CM Administration and confirm that the device specified in this alarm actually exists in the database. If it does not, add the device. If the device is found in Unified CM Administration, examine the device information on the Device Configuration page for this device to make certain that important device information such as MAC address, device name, device pool configuration, and so on are configured accurately. If you find a discrepancy, correct it and reset the device",
"policy_modules": [{"policy_module_id": "R4MWWCKH606WH8DL16730142990468XG3QBWUSFCSF3"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "U09CIBV3P8PMWDTY16730142990482J1BMY1BKT4D4I",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(DbInfoError)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "ND75Y7SHRRG0AI9U1673014299048W9TENEL20EUH7W"
}
]
},
{"rule_definition_id": "K2OFCK1KD41D2UMS1673014299048346IQP0YYBDK0K",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "ND75Y7SHRRG0AI9U1673014299048W9TENEL20EUH7W"
}
]
}
]
},
{"correlation_rule_id": "VXCBHUE1EMEE0A3D167301429904807MQJNUJSAGWCY",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "Alarm ID: 50541 (DbInfoTimeout)",
"threat_score": 31,
"threshold": 1,
"window": 60,
"status": 1,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "*",
"description": "Unified CM did not receive a timely response from the database.\nExplanation: Unified CM requested information about the device specified in this alarm but the Unified CM Administration database did not respond before the internally-configured wait timer in Unified CM expired. Delays can occur because of congestion in accessing the database.\nRecommended Action: Go to the Cisco Unified Reporting web page, generate a Unified CM Database Status report and verify that the report shows that \"Local and publisher databases are accessible\" and that \"all servers have a good replication status\". If database status and DB replications look good, the database may be busy with auto-registrations or other intensive tasks. If you know that auto-registration is proceeding for a large number of devices, wait for it to complete (you can also monitor by watching the CPU level on the database server) and allow the phone to attempt to auto-register again.",
"policy_modules": [{"policy_module_id": "R4MWWCKH606WH8DL16730142990468XG3QBWUSFCSF3"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "PU1RF0A9OP0RWC5E1673014299048QG3JEXY5QC0HS4",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(DbInfoTimeout)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "VXCBHUE1EMEE0A3D167301429904807MQJNUJSAGWCY"
}
]
},
{"rule_definition_id": "NEU70F57XEY7LC7T167301429904878K3EVJWTA6S0X",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "VXCBHUE1EMEE0A3D167301429904807MQJNUJSAGWCY"
}
]
}
]
},
{"correlation_rule_id": "IYDAKKXBATYNL6IB1673014299048LA7N861EEEBAED",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "Alarm ID: 50542 (DbInfoCorrupt)",
"threat_score": 31,
"threshold": 1,
"window": 60,
"status": 1,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "*",
"description": "Configuration information may be out of sync for the device and Unified CM database.\nExplanation: Configuration information may be out of sync for the device and Unified CM database.\nRecommended Action: Go to Unified CM Administration and confirm that the device specified in this alarm actually exists in the database. If it does not, add the device. If the device is found in Unified CM Administration, examine the device information on the Device Configuration page for this device to make certain that important device information such as MAC address, device name, device pool configuration, and so on are configured accurately. If you find a discrepancy, correct it and reset the device.",
"policy_modules": [{"policy_module_id": "R4MWWCKH606WH8DL16730142990468XG3QBWUSFCSF3"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "XDYCK5CI1CDP3QCR16730142990484T0Y166OOVA6BH",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(DbInfoCorrupt)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "IYDAKKXBATYNL6IB1673014299048LA7N861EEEBAED"
}
]
},
{"rule_definition_id": "X0QW3U2L0NSTY0T91673014299048EEU9V7RXSY9TUN",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "IYDAKKXBATYNL6IB1673014299048LA7N861EEEBAED"
}
]
}
]
},
{"correlation_rule_id": "CQRWNU6FEIUFS0IM1673014299048HTCNMWV7OGCAL5",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "Alarm ID: 50543 (NotEnoughChans)",
"threat_score": 0,
"threshold": 1,
"window": 60,
"status": 1,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "*",
"description": "Not enough channels.\nExplanation: A call attempt was rejected because the requested gateway channel(s) could not be allocated. Some of the more common reasons for the lack of channel to place outgoing calls include: High call traffic volume that has the B-channels in the device fully utilized; B-channels have gone out of service for the following reasons: Taking the channel out of service intentionally to perform maintenance on either the near- or far-end; MGCP gateway returns an error code 501 or 510 for a MGCP command sent from Cisco Unified Communications Manager; MGCP gateway doesn't respond to an MGCP command sent by Unified CM three times; a speed and duplex mismatch exists on the Ethernet port between Unified CM and the MGCP gateway.\nRecommended Action: Add more gateway resources; Check the Cisco CallManager advanced service parameter, Change B-channel Maintenance Status to determine if the B-channel has been taken out of service intentionally; Check the Q.931 trace for PRI SERVICE message to determine whether a PSTN provider has taken the B-channel out of service; Reset the MGCP gateway; Check the speed and duplex settings on the Ethernet port.",
"policy_modules": [{"policy_module_id": "R4MWWCKH606WH8DL16730142990468XG3QBWUSFCSF3"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "YP4M4UB1YO2JVU3T16730142990484LE273ARV3Q3SP",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(NotEnoughChans)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "CQRWNU6FEIUFS0IM1673014299048HTCNMWV7OGCAL5"
}
]
},
{"rule_definition_id": "C2XWWVEN1AG0XUCS1673014299048QCP7LT1O3QVVT1",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "CQRWNU6FEIUFS0IM1673014299048HTCNMWV7OGCAL5"
}
]
}
]
},
{"correlation_rule_id": "U45OWP7LB92BVFYU1673014299048W5LSFAIV71AG9B",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "Alarm ID: 50544 (DeviceResetInitiated)",
"threat_score": 0,
"threshold": 1,
"window": 60,
"status": 1,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "*",
"description": "Device reset initiated on the specified device.\nExplanation: This alarm occurs when a device is reset via the Reset button in Cisco Unified CM Administration. Reset may cause the device to shut down and come back in service. A device can be reset only when it is registered with Unified CM.\nRecommended Action: Informational purposes only; no action is required.",
"policy_modules": [{"policy_module_id": "R4MWWCKH606WH8DL16730142990468XG3QBWUSFCSF3"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "EDG9NAHTTPX5MJDU1673014299048VHU7HID1HCO6S5",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(DeviceResetInitiated)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "U45OWP7LB92BVFYU1673014299048W5LSFAIV71AG9B"
}
]
},
{"rule_definition_id": "HUAMTHBVO3I45MH21673014299048L6KADD4WEGE42C",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "U45OWP7LB92BVFYU1673014299048W5LSFAIV71AG9B"
}
]
}
]
},
{"correlation_rule_id": "K3RCH55VKYXKD8261673014299048JLHT4EDLO5WWEV",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "Alarm ID: 50545 (EndPointResetInitiated)",
"threat_score": 0,
"threshold": 1,
"window": 60,
"status": 1,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "*",
"description": "Endpoint reset initiated on the specified endpoint.\nExplanation: This alarm occurs when a device is reset via the Reset button in Cisco Unified CM Administration. Reset causes the device to shut down and come back in service. A device can be reset only when it is registered with Unified CM.\nRecommended Action: Informational purposes only; no action is required.",
"policy_modules": [{"policy_module_id": "R4MWWCKH606WH8DL16730142990468XG3QBWUSFCSF3"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "Q8HYQXS8UC43BY9I1673014299048U97KH7THRFOBRR",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(EndPointResetInitiated)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "K3RCH55VKYXKD8261673014299048JLHT4EDLO5WWEV"
}
]
},
{"rule_definition_id": "QPKOFW6NJ4T8Y76U16730142990488U78LW6TO3E6NS",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "K3RCH55VKYXKD8261673014299048JLHT4EDLO5WWEV"
}
]
}
]
},
{"correlation_rule_id": "C35KUWEVMT3T28CD1673014299048Q3QKOR80G0U1PP",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "Alarm ID: 50546 (DeviceRestartInitiated)",
"threat_score": 0,
"threshold": 1,
"window": 60,
"status": 1,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "*",
"description": "Device restart initiated or Apply Config initiated on the specified device.\nExplanation: This alarm occurs when a device is restarted via the Restart button in Cisco Unified CM Administration window or when a system administrator presses the Apply Config button for a device that does not support conditional restart. Restart causes the device to unregister, receive updated configuration, and re-register with Cisco Unified Communications Manager (Unified CM) without shutting down. A device can be restarted only when it is registered with Unified CM.\nRecommended Action: Informational purposes only; no action is required.",
"policy_modules": [{"policy_module_id": "R4MWWCKH606WH8DL16730142990468XG3QBWUSFCSF3"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "NILALPYV930JVI3V1673014299048IX3J6OW8HJV46I",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(DeviceRestartInitiated)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "C35KUWEVMT3T28CD1673014299048Q3QKOR80G0U1PP"
}
]
},
{"rule_definition_id": "NUOVGQYD3OK37PP51673014299048UG1SJ2IJJT47J6",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "C35KUWEVMT3T28CD1673014299048Q3QKOR80G0U1PP"
}
]
}
]
},
{"correlation_rule_id": "VTOYNYSQ73QR7UV816730142990489B9T7RLOSRXY81",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "Alarm ID: 50547 (EndPointRestartInitiated)",
"threat_score": 0,
"threshold": 1,
"window": 60,
"status": 1,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "*",
"description": "Endpoint restart initiated or Apply Config initiated on the specified endpoint.\nExplanation: This alarm occurs when an endpoint is restarted via the Restart button in Cisco Unified CM Administration window or when a system administrator presses the Apply Config button for an endpoint that does not support conditional restart. Restart causes the endpoint to unregister, receive an updated configuration file, and re-register with Cisco Unified Communications Manager (Unified CM) without shutting down. An endpoint can be restarted only when it is registered with Unified CM.\nRecommended Action: Informational purposes only; no action is required.",
"policy_modules": [{"policy_module_id": "R4MWWCKH606WH8DL16730142990468XG3QBWUSFCSF3"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "XCOWIKUKPSEJWF1V1673014299048NBSCAUX55QPB7S",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(EndPointRestartInitiated)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "VTOYNYSQ73QR7UV816730142990489B9T7RLOSRXY81"
}
]
},
{"rule_definition_id": "QV2A2M91HP4SS6D61673014299048TF0VJ1PG76MLRU",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "VTOYNYSQ73QR7UV816730142990489B9T7RLOSRXY81"
}
]
}
]
},
{"correlation_rule_id": "Y638LEG5M0JJRJH11673014299048M4DYPAX2DMV95Y",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "Alarm ID: 50548 (DeviceApplyConfigInitiated)",
"threat_score": 0,
"threshold": 1,
"window": 60,
"status": 1,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "*",
"description": "An Apply Config action was initiated by a system administrator for the specified device.\nExplanation: This alarm occurs when a system administrator presses the Apply Config button in Cisco Unified Communications Manager (Unified CM). The Apply Config button initiates a conditional restart on devices that support conditional restart. This button triggers the system to determine if any relevant configuration has changed for the device. If the configuration changes can be applied dynamically, they are made without service interruption. If a change requires that the device reregister with Unified CM, reregistration occurs automatically. If a change requires a restart, the device will be automatically restarted. If the load ID for a device changes, the device will initiate a background download of the new firmware. The new firmware can then be applied immediately or at a later time. For phones and devices that do not support conditional restart, clicking Apply Config causes these devices to restart.\nRecommended Action: Informational purposes only; no action is required.",
"policy_modules": [{"policy_module_id": "R4MWWCKH606WH8DL16730142990468XG3QBWUSFCSF3"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "BH9282DY0V644S9916730142990481OAOJUJAQ97EIF",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(DeviceApplyConfigInitiated)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "Y638LEG5M0JJRJH11673014299048M4DYPAX2DMV95Y"
}
]
},
{"rule_definition_id": "BWDCLOUFCRHK9XVV16730142990483PVO0NCAT6YWYL",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "Y638LEG5M0JJRJH11673014299048M4DYPAX2DMV95Y"
}
]
}
]
},
{"correlation_rule_id": "CMJOAB1NRG3QXXRE167301429904803LM3OK65YA9F1",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "Alarm ID: 50549 (DaTimeOut)",
"threat_score": 0,
"threshold": 1,
"window": 60,
"status": 1,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "*",
"description": "The digit analysis component in Unified CM has timed out.\nExplanation: The digit analysis component in Unified CM has timed out. This can occur because Unified CM is busy and the resulting delay in processing request and response messages caused the digit analysis component to time out.\nRecommended Action: In the Service Parameter Configuration window in Cisco Unified CM Administration, check the Cisco CallManager service parameter, Digit Analysis Timer, to confirm that the default value is in use. Use RTMT to monitor the system resources and correct any system issues that might be contributing to high CPU utilization on Unified CM.",
"policy_modules": [{"policy_module_id": "R4MWWCKH606WH8DL16730142990468XG3QBWUSFCSF3"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "RUW2JOWOLU5R3QP51673014299048C5UGTO8RINO8JW",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(DaTimeOut)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "CMJOAB1NRG3QXXRE167301429904803LM3OK65YA9F1"
}
]
},
{"rule_definition_id": "RX1SFCLM74MHBVJO1673014299048701TCBGWA2J12I",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "CMJOAB1NRG3QXXRE167301429904803LM3OK65YA9F1"
}
]
}
]
},
{"correlation_rule_id": "IMCVJUYWGIRARLJC1673014299048ASR3HPBWOSDMTW",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "Alarm ID: 50550 (MaxCallDurationTimeout)",
"threat_score": 11,
"threshold": 1,
"window": 60,
"status": 1,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "*",
"description": "Maximum call duration timer has expired.\nExplanation: An active call was cleared because the amount of time specified in the Maximum Call Duration Timer service parameter has elapsed. If the allowed call duration is too short, you can increase the value. If you do not want a limit on the duration of an active call, you can disable the limit. If the duration is correct but you did not expect a call to ever exceed that duration, check the trace information around the time that this alarm occurred to try to determine if a gateway port had failed to release a call.\nRecommended Action: If the duration of the call is too short, increase the value in the Cisco CallManager service parameter or disable the maximum duration by setting the Maximum Call Duration Timer parameter to zero. If you suspect a hung gateway port, check the trace files around the time that this alarm occurred to search for the gateway that was involved in the call, then check the status of that gateway to determine if all ports are functioning normally.",
"policy_modules": [{"policy_module_id": "R4MWWCKH606WH8DL16730142990468XG3QBWUSFCSF3"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "N9FBK3RCTG1JW0JM1673014299048IWG7A01KAGBS7L",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(MaxCallDurationTimeout)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "IMCVJUYWGIRARLJC1673014299048ASR3HPBWOSDMTW"
}
]
},
{"rule_definition_id": "XSRKGNG73AP4JQW31673014299048V0HW63SPFXB2AY",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "IMCVJUYWGIRARLJC1673014299048ASR3HPBWOSDMTW"
}
]
}
]
},
{"correlation_rule_id": "CI4IFMVG07FUNM1X1673014299048XCOHJWPI3EP7EC",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "Alarm ID: 50551 (MaxHoldDurationTimeout)",
"threat_score": 0,
"threshold": 1,
"window": 60,
"status": 1,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "*",
"description": "Maximum Hold Duration Timer expired.\nExplanation: A held call was cleared because the amount of time specified in the Maximum Hold Duration Timer service parameter has elapsed. If the allowed call-on-hold duration is too short, you can increase the value. If you do not want a limit on the duration of a held call, you can disable the limit.\nRecommended Action: If the duration of the hold time is too short, increase the value in the Cisco CallManager service parameter or disable the maximum duration by setting the Maximum Hold Duration Timer parameter to zero.",
"policy_modules": [{"policy_module_id": "R4MWWCKH606WH8DL16730142990468XG3QBWUSFCSF3"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "HFYVNRDPFQE71R4A1673014299048UEMIRR3DKUMCXW",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(MaxHoldDurationTimeout)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "CI4IFMVG07FUNM1X1673014299048XCOHJWPI3EP7EC"
}
]
},
{"rule_definition_id": "PGX0S82TCOM7DARV16730142990486GA7AB26IVRXQE",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "CI4IFMVG07FUNM1X1673014299048XCOHJWPI3EP7EC"
}
]
}
]
},
{"correlation_rule_id": "Q5QEGD2W6DVW2ODI1673014299048S1ESKB9MONQXJJ",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "Alarm ID: 50552 (TimerThreadSlowed)",
"threat_score": 60,
"threshold": 1,
"window": 60,
"status": 1,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "*",
"description": "Timer thread has slowed beyond acceptable limits.\nExplanation: Verification of the Unified CM internal timing mechanism has slowed beyond acceptable limits. This generally indicates an increased load on the system or an internal anomaly.\nRecommended Action: If this alarm occurs at the same general day or time, or if it occurs with increasing frequency, collect all system performance data in Real-Time Monitoring Tool as well as all trace information for the 30 minutes prior to the time that this alarm occurred and contact the Cisco Technical Assistance Center (TAC).",
"policy_modules": [{"policy_module_id": "R4MWWCKH606WH8DL16730142990468XG3QBWUSFCSF3"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "DB1WHI5NCEFQD39N16730142990485PC5TCCLP3YW9O",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(TimerThreadSlowed)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "Q5QEGD2W6DVW2ODI1673014299048S1ESKB9MONQXJJ"
}
]
},
{"rule_definition_id": "THOA6UKQUDUW39321673014299048USO82OFHU53FJU",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "Q5QEGD2W6DVW2ODI1673014299048S1ESKB9MONQXJJ"
}
]
}
]
},
{"correlation_rule_id": "QY76OTEUIBL2T9GN1673014299048VV11VAEAC8O878",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "Alarm ID: 50553 (DatabaseDefaultsRead)",
"threat_score": 0,
"threshold": 1,
"window": 60,
"status": 1,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "*",
"description": "Database default information was read successfully.\nExplanation: Database default information was read successfully; this alarm will be removed in Unified CM release 10.0(0).\nRecommended Action: Informational purposes only; no action is required.",
"policy_modules": [{"policy_module_id": "R4MWWCKH606WH8DL16730142990468XG3QBWUSFCSF3"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "D021M6Q1J8KJS7OM1673014299048MNJHW6EP3L0QGK",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(DatabaseDefaultsRead)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "QY76OTEUIBL2T9GN1673014299048VV11VAEAC8O878"
}
]
},
{"rule_definition_id": "FWN2IEKFARL9HCMY1673014299048QMR7R9ENQSLB7W",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "QY76OTEUIBL2T9GN1673014299048VV11VAEAC8O878"
}
]
}
]
},
{"correlation_rule_id": "EKRNK68TLM93N6JP1673014299048KTT6BKGCXKS3X3",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "Alarm ID: 50554 (DeviceInitTimeout)",
"threat_score": 31,
"threshold": 1,
"window": 60,
"status": 1,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "*",
"description": "Device initialization timed out due to internal error.\nExplanation: A device initialization timeout occurred because the device did not respond to an initialize request. If this alarm occurs in tandem with a configuration change, this may not indicate a problem unless this alarm recurs.\nRecommended Action: If you are making a configuration change around the time that this alarm occurred, determine whether the problem still exists by calling the phone or placing a call through the trunk or gateway. If the call fails, reset the device. If the alarm recurs after resetting the device, review the System Reports provided in the Cisco Unified Reporting tool, specifically the Unified CM Database Status report, for any anomalous activity. You can also go to Real-Time Reporting Tool (RTMT) and check the Replication Status in the Database Summary page. If status shows 2, then replication is working. Check network connectivity to the server that is running the database.",
"policy_modules": [{"policy_module_id": "R4MWWCKH606WH8DL16730142990468XG3QBWUSFCSF3"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "MRSQ6H1OQW33NV7016730142990486ND0X0BQQSBUEN",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(DeviceInitTimeout)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "EKRNK68TLM93N6JP1673014299048KTT6BKGCXKS3X3"
}
]
},
{"rule_definition_id": "IP40CQSLGW9KX50V16730142990483X3BAUXRC2GDHL",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "EKRNK68TLM93N6JP1673014299048KTT6BKGCXKS3X3"
}
]
}
]
},
{"correlation_rule_id": "S3KG084D1KFNK3CT16730142990486KS03LVC1CO0F4",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "Alarm ID: 50555 (NumDevRegExceeded)",
"threat_score": 31,
"threshold": 1,
"window": 60,
"status": 1,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "*",
"description": "The allowed number of registered devices has been exceeded.\nExplanation: The allowed number of registered devices, as controlled by the Cisco CallManager service parameter Maximum Number of Registered Devices, has been exceeded.\nRecommended Action: If you did not expect to exceed the number of devices and you have auto-registration enabled, go to Device > Phones in Cisco Unified CM Administration and search for phones starting with \"auto\". If you see any unexpected devices which may not belong in the system (such as intruder devices) locate that device using it's IP address and remove it from the system. Or, if your licenses and system resources allow, increase the value in the Cisco CallManager service parameter, Maximum Number of Registered Devices.",
"policy_modules": [{"policy_module_id": "R4MWWCKH606WH8DL16730142990468XG3QBWUSFCSF3"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "KCNJDTJDL26HV03X1673014299049DXDUHKQ8KO4RU1",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(NumDevRegExceeded)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "S3KG084D1KFNK3CT16730142990486KS03LVC1CO0F4"
}
]
},
{"rule_definition_id": "NJ4GJL37SP7721XG1673014299049XEHH7G4RTYSAD2",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "S3KG084D1KFNK3CT16730142990486KS03LVC1CO0F4"
}
]
}
]
},
{"correlation_rule_id": "XX51VDXS4R0A3P571673014299049KF3ECU5AMVSIQC",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "Alarm ID: 50556 (CallManagerOnline)",
"threat_score": 11,
"threshold": 1,
"window": 60,
"status": 1,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "*",
"description": "Cisco CallManager service is online.\nExplanation: The Cisco CallManager service has completed initialization and is online.\nRecommended Action: Informational purposes only; no action is required.",
"policy_modules": [{"policy_module_id": "R4MWWCKH606WH8DL16730142990468XG3QBWUSFCSF3"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "SFVV69JCTF1Q3W9S1673014299049K0X3OCNPPXKCF4",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(CallManagerOnline)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "XX51VDXS4R0A3P571673014299049KF3ECU5AMVSIQC"
}
]
},
{"rule_definition_id": "AMMT40IFVBSW9FJ3167301429904959BRYJLS4K01PA",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "XX51VDXS4R0A3P571673014299049KF3ECU5AMVSIQC"
}
]
}
]
},
{"correlation_rule_id": "LY3XRE8MPTEPV7MC1673014299049L1P0VXINUJI555",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "Alarm ID: 50557 (OutOfRangeMohAudioSource)",
"threat_score": 0,
"threshold": 1,
"window": 60,
"status": 1,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "*",
"description": "Music On Hold Audio Source ID is invalid.\nExplanation: This alarm occurs when Music On Hold fails because the MOH audio source ID requested is not within the valid range of 1 - (Maximum value parameter in this alarm). The caller will hear Tone-on-Hold instead of the desired Music on Hold audio.\nRecommended Action: If the MOH audio source ID was provided as part of the MOH Audio Source override header (\"X-cisco-moh-source: #,#\") from an incoming SIP Trunk Call then the value must be corrected at the source of this header. Otherwise, check the values for the MOH audio source in the Call Manager service parameter settings or possibly other configuration settings related to the party that initiated the hold.",
"policy_modules": [{"policy_module_id": "R4MWWCKH606WH8DL16730142990468XG3QBWUSFCSF3"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "V03IAJF799KHDKL51673014299049DHV1AJEERYLUMB",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(OutOfRangeMohAudioSource)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "LY3XRE8MPTEPV7MC1673014299049L1P0VXINUJI555"
}
]
},
{"rule_definition_id": "HEC0WEVTF6W8B66C1673014299049GJYAGMRH6BOLXE",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "LY3XRE8MPTEPV7MC1673014299049L1P0VXINUJI555"
}
]
}
]
},
{"correlation_rule_id": "VF5A25LK6IHH9G2M1673014299049MSG1ERS5X19PWA",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "Alarm ID: 50558 (UnprovisionedMohAudioSource)",
"threat_score": 0,
"threshold": 1,
"window": 60,
"status": 1,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "*",
"description": "Music On Hold Audio Source ID is not provisioned.\nExplanation: This alarm occurs when Music On Hold fails because the MOH audio source ID requested has not been provisioned by associating the ID# to an audio source file. The caller will hear Tone-on-Hold instead of the desired Music on Hold audio.\nRecommended Action: Check the Music On Hold Audio Source list within CUCM Administration to ensure it has been assigned (provisioned) to an audio wav file or if ID# 51 is being used that the MOH Fixed Audio source has been enabled. Note that audio files must be uploaded using the CUCM Administration page of each MOH server in the cluster before that server can play the audio file.",
"policy_modules": [{"policy_module_id": "R4MWWCKH606WH8DL16730142990468XG3QBWUSFCSF3"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "AB2G546KAHSQRASK16730142990499JKLR6RPHXRT7U",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(UnprovisionedMohAudioSource)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "VF5A25LK6IHH9G2M1673014299049MSG1ERS5X19PWA"
}
]
},
{"rule_definition_id": "MYSD17C4WVR1S00C1673014299049913W6CPS762HJP",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "VF5A25LK6IHH9G2M1673014299049MSG1ERS5X19PWA"
}
]
}
]
},
{"correlation_rule_id": "WIT24L3MWIWMG2AU1673014299049EKOQI9KVCLE8SN",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "Alarm ID: 50559 (BuiltInBridgeNoMoreResourcesAvailable)",
"threat_score": 0,
"threshold": 1,
"window": 60,
"status": 1,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "*",
"description": "BuiltInBridge resource allocation failed.\nExplanation: Built In Bridge resource allocation failed for one/more of the reasons --> 1)The device is not able to support built in conference 2)The built in resource of the device is already in use by another feature or application.\nRecommended Action: Check to be sure that device involved in the call has the Built In Bridge resource and it is enabled. Consider install additional Built in Bridge resources",
"policy_modules": [{"policy_module_id": "R4MWWCKH606WH8DL16730142990468XG3QBWUSFCSF3"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "LGGJQD50AILIU6I01673014299049TJXVY1LSPP4O08",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(BuiltInBridgeNoMoreResourcesAvailable)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "WIT24L3MWIWMG2AU1673014299049EKOQI9KVCLE8SN"
}
]
},
{"rule_definition_id": "JOBLLFB1MX71KP0E167301429904936IOJ9WDFT2KF9",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "WIT24L3MWIWMG2AU1673014299049EKOQI9KVCLE8SN"
}
]
}
]
},
{"correlation_rule_id": "NBVKFMT8WIFEYRT81673014299049953VCOWHG3LPC9",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "Alarm ID: 50560 (MtpNoMoreResourcesAvailable)",
"threat_score": 0,
"threshold": 1,
"window": 60,
"status": 1,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "*",
"description": "MTP or transcoder allocation failed.\nExplanation: The alarm occurs when allocation of a media termination point (MTP) or transcoder fails for all the registered MTPs or transcoders belonging to the Media Resource Group List and Default List. Each MTP or transcoder may fail for different reasons. Following are some of the reasons that could cause an MTP or transcoder allocation to fail: a capability mismatch between the device endpoint and MTP/transcoder, codec mismatch between the endpoint and the MTP/transcoder; a lack of available bandwidth between the endpoint and the MTP/transcoder; or because the MTP/transcoders resources are already in use. A capability mismatch may be due to the MTP/transcoder not supporting one or more of the required capabilities for the call such as Transfer Relay Point (which is needed for QoS or firewall traversal), RFC 2833 DTMF (which is necessary when one side of the call does not support RFC 2833 format for transmitting DTMF digits and the other side must receive the DTMF digits in RFC 2833 format, resulting in conversion of the DTMF digits), RFC 2833 DTMF passthrough (in this case, the MTP or transcoder does not need to convert the DTMF digits from one format to another format but it needs to receive DTMF digits from one endpoint and transmit them to the other endpoint without performing any modifications), passthrough (where no codec conversion will occur, meaning the media device will receive media streams in any codec format and transmit them to the other side without performing any codec conversion), IPv4 to IPv6 conversion (when one side of the call supports only IPv4 and the other side of the call supports only IPv6 and so an MTP needs to be inserted to perform the necessary conversion between IPv4 and IPv6 packets), or multimedia capability (if a call involving video and/or data in addition to audio requires insertion of an MTP or transcoder then the MTP/transcoder which supports multimedia will be inserted).\nRecommended Action: If the MTP or transcoder allocation is failing due to a capability mismatch, it's possible that the media device does not support the capability (such as IPv4 to IPv6 conversion, passthrough) or the capability might not be configured in the device. Please check the user guide and documentation of the media device to make sure that device supports all the necessary capabilities. Also, caution should be taken if all the MTP or transcoders are configured with all the supported capabilities. There are certain capabilities (such as RFC 2833 DTMF or RFC 2833 DTMF passthrough or passthrough) which could be supported by most of the MTPs or transcoders and there may be certain capabilities (such as IPv4 to IPv6 conversion and vice versa or Transfer Relay Point or multimedia capability) which can be supported by only by a single MTP or transcoder depending on the devices that you have. For example, you may have IP phones that support only IPv4 protocol and there may also be IP phones that support only IPv6 protocol. To make a call between IPv4-only and IPv6-only phones, you need to have an MTP configured to perform the conversion of IPv4 to IPv6 and vice versa. However, suppose all the MTPs or transcoders are configured with all the supported capabilities and only one MTP supports IPv4 to IPv6 conversion; if this MTP is configured with all the supported capabilities (which all the other MTPs or transcoders in the same MRGL or default MRGL also support) it may happen that this MTP can get allocated for Transfer Relay Point or RFC 2833 DTMF or RFC 2833 DTMF passthrough or passthrough instead. As a result, when the need arises for IPv4 to IPv6 conversion (which other MTPs or transcoders in the same MRGL or default MRGL do not support), all the resources of MTP may be in use and the IPv4 to IPv6 conversion may fail. To avoid this kind of problem, setting the priority of the media resources may be a good idea. This can be done only in the Media Resource Group List and not in the Default List of the media resources. In any Media Resource Group List all the Media Resource Groups have different priorities; during allocation the first Media Resource Group is always checked for availability of the requested type of the media devices. The first Media Resource Group in the Media Resource Group List will have the highest priority, then the second one, and so on. To check all the Media Resource Groups and their priority go the Media Resources and Media Resource Group List of Cisco Unified CM Administration page and click the appropriate Media Resource Group List and check the Selected Media Resource Groups; the priority decreases from top to bottom. So, the MTP or transcoder that you want to be selected for the most basic functionalities should be positioned in the higher priority Media Resource Groups whereas the ones with more rare functionality should be positioned in the Media Resource Groups with lower priority. MTP/transcoder allocation may fail due to codec mismatch between the endpoint and the MTP/transcoder. A solution may be to configure the MTP/transcoder with all the supported codecs (as specified in the user guide of the MTP/transcoder), but be aware that doing so might result in too much bandwidth being allocated for calls. You'll need to weigh different factors such as the total amount of available bandwidth, the average number of calls, approximate bandwidth use per call (not involving MTP/transcoder), and so on, and accordingly calculate the maximum bandwidth that can be allocated per call involving an MTP/transcoder and take that into consideration when configuring the supported codecs in the MTPs and transcoders. It's a good idea to configure the media devices with all the supported codecs and set the region bandwidths to restrict too much bandwidth usage (refer to the Unified CM documentation for details on region and location settings). Also, there may be a codec mismatch between the endpoint and the MTP/transcoders after considering the region bandwidth between the MTP/transcoder and the endpoint. Increasing the region bandwidth may be a solution to the problem, but again, that decision should be made after careful consideration of the amount of bandwidth you're willing to allocate per call between the set of regions. Another possible cause that an MTP/transcoder did not get allocated is because there was not enough available bandwidth for the call. This can happen if the MTP/transcoder and endpoint belong to different locations and the bandwidth that is set between the locations is already in use by other calls. Examine the bandwidth requirements in your deployment to determine whether bandwidth between the locations can be increased. However, please note that increasing the bandwidth between these two locations means that you may need to reduce the bandwidth between other locations. Refer to the System Guide, SRNDs, and related Unified CM documentation for more details. Be aware that reducing the bandwidth or removing the higher bandwidth codecs from configuration may result in poor voice quality during call. Consider increasing the total amount of network bandwidth available. Finally, if MTP or transcoder allocation fails due to capability mismatch or all the resources being in use, consider installing additional MTP or transcoder devices.",
"policy_modules": [{"policy_module_id": "R4MWWCKH606WH8DL16730142990468XG3QBWUSFCSF3"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "H7TS1OAH04998SHR1673014299049O0XAOPJL5L8BHJ",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(MtpNoMoreResourcesAvailable)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "NBVKFMT8WIFEYRT81673014299049953VCOWHG3LPC9"
}
]
},
{"rule_definition_id": "GR702BB5W9697AMH1673014299049NRELXIDSNQM6LO",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "NBVKFMT8WIFEYRT81673014299049953VCOWHG3LPC9"
}
]
}
]
},
{"correlation_rule_id": "EOOKI7Q12GMY2V9C1673014299049B77T7S2RJGN61C",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "Alarm ID: 50561 (MohNoMoreResourcesAvailable)",
"threat_score": 0,
"threshold": 1,
"window": 60,
"status": 1,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "*",
"description": "MOH resource allocation failed.\nExplanation: This alarm occurs when allocation of Music On Hold fails for all the registered MOH servers belonging to the Media Resource Group List and Default List. Each MOH server may fail for different reasons. Following are some of the reasons that could cause an MOH server allocation to fail: All the resources of MOH server are already in use; No matching codecs or capability mismatch between the held party and MOH server; Not enough bandwidth between the held party and MOH source; No audio stream available for the MOH server.\nRecommended Action: If all the resources of the MOH servers are already in use, check to be sure that all the MOH servers that belong to the Media Resource Groups of the indicated Media Resource Group List and Default List are configured and registered in all the applicable Unified CM nodes. To check the registration status go to the Media Resources > Music On Hold Server menu and click the Find button. It will display all the MOH servers with their status, device pool, and so on. Check the status field to discover whether it is registered with Unified CM. Note that the display on the status field is not a confirmation that the device is registered to Unified CM. It may happen in a Unified CM cluster that the Publisher can only write to the Unified CM database and the Publisher goes down. Because the Subscriber may not be able to write to the database, the devices may still display as registered in Unified CM Administration after they are actually unregistered. However, if the Publisher is down that should generate another alarm with higher priority than this alarm. The MOH allocation can also fail due to codec mismatch or capability mismatch between the endpoint and the MOH server. If there is a codec mismatch or capability mismatch (such as the endpoint using IPv6 addressing but MOH server supporting only IPv4), an MTP or transcoder should be allocated. If the MTP or transcoder is not allocated, either MediaResourceListExhausted (with Media Resource Type as media termination point or transcoder) or MtpNoMoreResourcesAvailable alarm will be generated for the same Media Resource Group List and you should first concentrate on that alarm. The MOH allocation may even fail after checking the region bandwidth between the regions to which the held party belongs and the region to which the MOH server belongs. Increasing the region bandwidth may be a solution to the problem, but that decision should be made after careful consideration of the amount of bandwidth you're willing to allocate per call between the set of regions. You'll need to weigh different factors such as the total amount of available bandwidth, the average number of calls, the average number of calls using the MOH servers, approximate bandwidth use per call, and so on, and accordingly calculate the region bandwidth. Another possible cause is that the bandwidth needed for the call may not be available. This can occur if the MOH server and endpoint belong to different locations and the bandwidth that is set between the locations is already in use by other calls. Examine the bandwidth requirements in your deployment to determine whether bandwidth between the locations can be increased. However, please note that increasing the bandwidth between these two locations means that you may need to reduce the bandwidth between other locations. Refer to the System Guide, SRNDs, and related Unified CM documentation for more details. Be aware that reducing the bandwidth or removing the higher bandwidth codecs from configuration may result in poor voice quality during call. Consider increasing the total amount of network bandwidth. Another reason for the MOH allocation failure may be due to meeting the maximum number of unicast or multicast streams supported by the MOH server. If all available streams are already in use, none can be allocated. Finally, check the Music On Hold Audio Source Configuration window in Cisco Unified CM Administration to confirm that at least one audio source is configured. If an audio source is not configured, upload an audio file and then configure the audio source in Cisco Unified CM Administration (refer to the Music On Hold configuration documentation for specific details).",
"policy_modules": [{"policy_module_id": "R4MWWCKH606WH8DL16730142990468XG3QBWUSFCSF3"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "JU25XP2B4VM2H58U1673014299049SYW0UJWJR1AV3V",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(MohNoMoreResourcesAvailable)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "EOOKI7Q12GMY2V9C1673014299049B77T7S2RJGN61C"
}
]
},
{"rule_definition_id": "IGI9RIRV7H3SFJM316730142990498MP433YHQ875CG",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "EOOKI7Q12GMY2V9C1673014299049B77T7S2RJGN61C"
}
]
}
]
},
{"correlation_rule_id": "CM6ESG5ASICUGS8F1673014299049TUL6O24A2KGO3M",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "Alarm ID: 50562 (ConferenceNoMoreResourcesAvailable)",
"threat_score": 0,
"threshold": 1,
"window": 60,
"status": 1,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "*",
"description": "Conference resource allocation failed.\nExplanation: Conference resource allocation failed for one or more of the following reasons: The required number of conference resources were not available; For an IOS-based conference bridge, the number of participants to be added to the conference bridge exceeded the maximum number of participants allowed per conference; No lower precedence conference was available for preemption although MLPP preemption was enabled; A lower-precedence conference bridge was not preempted.\nRecommended Action: For IOS-based conference bridges, make sure that the maximum number of participants configured in a conference bridge does not exceed the number of participants allowed per conference; please check the IOS-based conference bridge user manual for limitations on the number of participants. Also, be sure to educate end users about the maximum number of participants allowed. For IOS-based and non-IOS-based, consider installing additional conference resources.",
"policy_modules": [{"policy_module_id": "R4MWWCKH606WH8DL16730142990468XG3QBWUSFCSF3"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "SJF9CSKTE57P16MH1673014299049WL1ILONKACRMK7",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(ConferenceNoMoreResourcesAvailable)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "CM6ESG5ASICUGS8F1673014299049TUL6O24A2KGO3M"
}
]
},
{"rule_definition_id": "KMUTXGYKGL0EVQHR1673014299049FWGO4YVAX1EQGX",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "CM6ESG5ASICUGS8F1673014299049TUL6O24A2KGO3M"
}
]
}
]
},
{"correlation_rule_id": "ASPH1JIB1URE3TGI167301429904906HRWFLLB9TXLY",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "Alarm ID: 50563 (AnnunciatorNoMoreResourcesAvailable)",
"threat_score": 0,
"threshold": 1,
"window": 60,
"status": 1,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "*",
"description": "Annunciator resource allocation failed.\nExplanation: Annunciator resource allocation failed for one or more of the following reasons: All Annunciator resources are already in use; There was a codec or capability mismatch (such as the endpoint using one type of IP addressing such as IPv6, while the Annunciator supports only IPv4) between the endpoint and the Annunciator resource; Not enough bandwidth existed between the endpoint and the Annunciator.\nRecommended Action: If all the resources of the Annunciator are already in use, check to be sure that all the Annunciators that belong to the Media Resource Groups of the indicated Media Resource Group List and Default List are configured and registered in all the applicable Unified CM nodes of the cluster. To check the registration status go to Media Resources > Annunciator and click the Find button. It will display all the Annunciators with their status, device pool, and so on. Check the status field to see whether it is registered with Unified CM. Note that the display on the status field is not a confirmation that the device is registered to Unified CM. It may happen in a Unified CM cluster that the Publisher can only write to the Unified CM database before the Publisher goes down. Because the Subscriber may not be able to write to the database, the devices may still display registered in Unified CM Administration after they are actually unregistered. However, if the Publisher is down that should generate another alarm with higher priority than this alarm. The Annunciator allocation can fail due to codec mismatch or capability mismatch between the endpoint and the Annunciator. If there is a codec mismatch or capability mismatch (such as the endpoint using IPv6 addressing but Annunciator supporting only IPv4), an MTP or transcoder should be allocated. If the MTP or transcoder is not allocated, either MediaResourceListExhausted (with Media Resource Type as media termination point or transcoder) or MtpNoMoreResourcesAvailable alarm will be generated for the same Media Resource Group List and you should first concentrate on that. The Annunciator allocation may even fail after checking the region bandwidth between the regions to which the held party belongs and the region to which the Annunciator belongs. Increasing the region bandwidth may be a solution to the problem, but that decision should be made after careful consideration of the amount of bandwidth you're willing to allocate per call between the set of regions. You'll need to weigh different factors such as the total amount of available bandwidth, the average number of calls, the average number of calls using the Annunciator, approximate bandwidth use per call, and so on, and accordingly calculate the region bandwidth. Another possible cause is that the bandwidth needed for the call may not be available. This can happen if the Annunciator and endpoint belong to different locations and the bandwidth that is set between the locations is already in use by other calls. Examine the bandwidth requirements in your deployment to determine whether bandwidth between the locations can be increased. However, note that increasing the bandwidth between these two locations means that you may need to reduce the bandwidth between other locations. Refer to the System Guide, SRNDs, and related Unified CM documentation for more details. Be aware that reducing the bandwidth or removing the higher bandwidth codecs from configuration may result in poor voice quality during call. Consider increasing the total amount of network bandwidth.",
"policy_modules": [{"policy_module_id": "R4MWWCKH606WH8DL16730142990468XG3QBWUSFCSF3"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "C6WFR4PU1X3I1TT616730142990491P737K9742WALJ",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(AnnunciatorNoMoreResourcesAvailable)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "ASPH1JIB1URE3TGI167301429904906HRWFLLB9TXLY"
}
]
},
{"rule_definition_id": "TCIGIOIH7CAHKWF5167301429904992XVE73D6BJ0XY",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "ASPH1JIB1URE3TGI167301429904906HRWFLLB9TXLY"
}
]
}
]
},
{"correlation_rule_id": "WY8G63PMPMYJ9TDG16730142990497OYRQ3L6K5EES7",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "Alarm ID: 50564 (RsvpNoMoreResourcesAvailable)",
"threat_score": 31,
"threshold": 1,
"window": 60,
"status": 1,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "*",
"description": "RSVP Agent resource allocation failed.\nExplanation: This alarm occurs when allocation of an RSVP Agent fails for all the registered RSVP Agents (RSVP Agents are basically MTPs or transcoder devices which provide RSVP functionalities) belonging to the Media Resource Group List and Default List. Each RSVP Agent may fail for different reasons. Following are some of the reasons that could cause an RSVP Agent allocation to fail: Available MTP/transcoders do not support RSVP functionality; A capability mismatch between the device endpoint and MTP/transcoder, Codec mismatch between the endpoint and the MTP/transcoder; A lack of available bandwidth between the endpoint and the MTP/transcoder; Or because the MTP/transcoder resources are already in use. A capability mismatch may be due to the MTP/transcoder not supporting one or more of the required capabilities for the call such as Transfer Relay Point (which is needed for QoS or firewall traversal), RFC 2833 DTMF (which is necessary when one side of the call does not support RFC 2833 format for transmitting DTMF digits and the other side must receive the DTMF digits in RFC 2833 format, resulting in conversion of the DTMF digits), RFC 2833 DTMF passthrough (in this case, the MTP or transcoder does not need to convert the DTMF digits from one format to another format but it needs to receive DTMF digits from one endpoint and transmit them to the other endpoint without performing any modifications), passthrough (where no codec conversion will occur, meaning the media device will receive media streams in any codec format and transmit them to the other side without performing any codec conversion), IPv4 to IPv6 conversion (when one side of the call supports only IPv4 and the other side of the call supports only IPv6 and so MTP needs to be inserted to perform the necessary conversion between IPv4 and IPv6 packets), or multimedia capability (if a call involving video and/or data in addition to audio requires insertion of an MTP or transcoder then the MTP/transcoder which supports multimedia will be inserted).\nRecommended Action: RSVP Agents are basically Cisco IOS MTPs or transcoder devices which provide RSVP functionalities. Check the user manual of the configured MTPs and transcoders to see whether they support RSVP functionality. If none of them support RSVP functionality either they need to be upgraded (if an upgraded version supports RSVP functionality) or additional MTP or transcoders need to be installed which support RSVP functionality. If the RSVP Agent (MTP or transcoder) allocation is failing due to a capability mismatch, it's possible that the media device does not support the requested capability (such as IPv4 to IPv6 conversion, passthrough) or the capability might not be configured in the device. Please check the user guide and documentation of the media device to make sure that device supports all the necessary capabilities. Also, caution should be taken if all the MTP or transcoders are configured with all the supported capabilities. There are certain capabilities (such as RFC 2833 DTMF or RFC 2833 DTMF passthrough or passthrough) which could be supported by most of the MTPs or transcoders and there may be certain capabilities (such as IPv4 to IPv6 conversion and vice versa or RSVP Agent functionality or Transfer Relay Point or multimedia capability) which can be supported by only by a single MTP or transcoder depending on the devices that you have. For example, you may have end devices belonging to different locations and may need to reserve the bandwidth only between two locations; calls between other locations may not need to reserve the bandwidth. Now, suppose all the MTPs or transcoders are configured with all the supported capabilities and only one MTP/transcoder supports RSVP functionality; if this MTP/transcoder is configured with all the supported capabilities (which all the other MTPs or transcoders in the same MRGL or default MRGL also support) it may happen that this MTP can get allocated for Transfer Relay Point or RFC 2833 DTMF or RFC 2833 DTMF passthrough or passthrough instead. As a result, when a need arises to reserve the bandwidth (which other MTPs or transcoders in the same MRGL or default MRGL do not support), all the resources of this MTP/transcoder may be in use and the RSVP Agent allocation may fail. To avoid this situation, set the priority of the media resources appropriately. This can only be done in the Media Resource Group List and not in the Default List of the media resources. In any Media Resource Group List all the Media Resource Groups have different priorities and during allocation the first Media Resource Group is checked for availability of the requested type of the media devices. The first Media Resource Group in the Media Resource Group List will have the highest priority, then the second one and so on. To check all the Media Resource Groups and their priority go the Media Resources and Media Resource Group List in Cisco Unified CM Administration and click the appropriate Media Resource Group List, then check the Selected Media Resource Groups; the priority decreases from top to bottom. Position the MTP or transcoder that you want to be selected for the basic functionalities in the higher priority Media Resource Groups whereas the ones with more rare functionality can be positioned in the Media Resource Groups with lower priority. RSVP Agent allocation may fail due to codec mismatch between the endpoint and the RSVP Agent or MTP/transcoder. A solution may be to configure the MTP/transcoder with all the supported codecs (as specified in the user guide of the MTP/transcoder), but be aware that doing so might result in too much bandwidth being allocated for calls. You'll need to weigh different factors such as the total amount of available bandwidth, the average number of calls, approximate bandwidth use per call (not involving MTP/transcoder), and so on, and accordingly calculate the maximum bandwidth that can be allocated per call involving an MTP/transcoder and take that into consideration when configuring the supported codecs in the MTPs and transcoders. A good idea is to configure the media devices with all the supported codecs and set the region bandwidths to restrict too much bandwidth usage (refer to the Unified CM documentation for details on region and location settings). Also, there may be a codec mismatch between the endpoint and the MTP/transcoders after considering the region bandwidth between the MTP/transcoder and the endpoint. Increasing the region bandwidth may be a solution to the problem, but that decision should be made after careful consideration of the amount of bandwidth you're willing to allocate per call between the set of regions. Another possible cause that an MTP/transcoder did not get allocated is because there was not enough available bandwidth for the call. This can happen if the MTP/transcoder and endpoint belong to different locations and the bandwidth that is set between the locations is already in use by other calls. Examine the bandwidth requirements in your deployment to determine whether bandwidth between the locations can be increased. However, note that increasing the bandwidth between these two locations means that you may need to reduce the bandwidth between other locations. Refer to the System Guide, SRNDs, and related Unified CM documentation for more details. Be aware that reducing the bandwidth or removing the higher bandwidth codecs from configuration may result in poor voice quality during call. Consider increasing the total amount of network bandwidth. Finally, if RSVP Agent allocation fails due to MTP/transcoder not supporting RSVP functionality or capability mismatch or all the resources being in use, consider installing additional MTP or transcoder devices which support RSVP functionality.",
"policy_modules": [{"policy_module_id": "R4MWWCKH606WH8DL16730142990468XG3QBWUSFCSF3"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "GA3MRR0SB7Y7G2ES167301429904954K5YAWJL18YBJ",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(RsvpNoMoreResourcesAvailable)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "WY8G63PMPMYJ9TDG16730142990497OYRQ3L6K5EES7"
}
]
},
{"rule_definition_id": "FJBO4DLP0TOD4SKT1673014299049DSDW6K8H39A68S",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "WY8G63PMPMYJ9TDG16730142990497OYRQ3L6K5EES7"
}
]
}
]
},
{"correlation_rule_id": "H2AORH8UJ4V4JB391673014299049QNY7E0RI76849I",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "Alarm ID: 50565 (MaxCallsReached)",
"threat_score": 60,
"threshold": 1,
"window": 60,
"status": 1,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "*",
"description": "Maximum calls of simultaneous calls in this node has been reached.\nExplanation: The maximum number of simultaneous connections in a Unified CM node has been reached. This is an internally-set value and when it is exceeded, Unified CM starts throttling calls to keep the number of calls below the internal threshold.\nRecommended Action: In the Real-Time Monitoring Tool, check the CallsActive counter in the Cisco CallManager object for an unusually high number of calls. Internal mechanisms will attempt to correct this condition. If this alarm continues to occur, collect existing SDL and CCM trace files and check to be sure that CM Services trace collection in Cisco Unified CM Serviceability is set to Detailed level.",
"policy_modules": [{"policy_module_id": "R4MWWCKH606WH8DL16730142990468XG3QBWUSFCSF3"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "OTSP8CSVALQJ3C2O1673014299049DY0UKD3793VO7A",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(MaxCallsReached)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "H2AORH8UJ4V4JB391673014299049QNY7E0RI76849I"
}
]
},
{"rule_definition_id": "KY27LJNHWHWTRV0K167301429904901L0KYYW0IEGL4",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "H2AORH8UJ4V4JB391673014299049QNY7E0RI76849I"
}
]
}
]
},
{"correlation_rule_id": "XY1LO7TTRNA0RQ9R1673014299049VEXJNO7MEFQVR7",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "Alarm ID: 50566 (DBLException)",
"threat_score": 31,
"threshold": 1,
"window": 60,
"status": 1,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "*",
"description": "An error occurred while performing database activities.\nExplanation: A severe database layer interface error occurred. Possible causes for this include the database being unreachable or down or a DNS error.\nRecommended Action: Review the System Reports provided in the Cisco Unified Reporting tool, specifically the Unified CM Database Status report, for any anomalous activity. You can also go to Real-Time Reporting Tool (RTMT) and check the Replication Status in the Database Summary page. If status shows 2, then replication is working. Check network connectivity to the server that is running the database. If your system uses DNS, check the DNS configuration for any errors. If the cause is still not identified, collect SDL and SDI traces and contact the Cisco Technical Assistance Center (TAC).",
"policy_modules": [{"policy_module_id": "R4MWWCKH606WH8DL16730142990468XG3QBWUSFCSF3"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "K7JTU2V9HFXDV7GV1673014299049AE4AHXN2QOE85L",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(DBLException)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "XY1LO7TTRNA0RQ9R1673014299049VEXJNO7MEFQVR7"
}
]
},
{"rule_definition_id": "UVXDPTCMIAIQLT2X1673014299049YDTGX31N9RAV0E",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "XY1LO7TTRNA0RQ9R1673014299049VEXJNO7MEFQVR7"
}
]
}
]
},
{"correlation_rule_id": "TAFQ8NWVAWU0BFC31673014299049DRQ9DHQQ22WDJ3",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "Alarm ID: 50567 (ICTCallThrottlingStart)",
"threat_score": 31,
"threshold": 1,
"window": 60,
"status": 1,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "*",
"description": "Unified CM stops handling calls for the indicated H.323 device due to heavy traffic or a route loop over the H.323 trunk.\nExplanation: Unified CM has detected a route loop over the H.323 trunk indicated in this alarm. As a result, Unified CM has temporarily stopped accepting calls for the indicated H.323 trunk. It's also possible that a high volume of calls are occurring over the intercluster trunk, which has triggered throttling.\nRecommended Action: In Real-Time Monitoring Tool, check the CallsActive and CallsInProgress counters for unusual activity on the indicated H.323 trunk. If the CallsActive count is significantly higher than usual, a traffic load issue may be occurring where the demand to send calls over the trunk is greater than the trunk's capacity. Monitor the situation and collect existing trace files. If the ICTCallThrottlingEnd alarm is not issued in a reasonable amount of time as deemed by your organization, contact the Cisco Technical Assistance Center (TAC) and supply the trace information you have collected. For a routing loop condition, the CallsInProgress counter will be significantly higher than usual. By examining trace files and CDR data for calls that occurred over the indicated trunk, you may be able to detect a translation pattern, route list or other routing mechanism that is part of the loop. Update the routing mechanism that resulted in the loop (generally the same number is configured on both near end and far end devices) and then reset the affected route list in an attempt to clear the route loop and if that fails, reset the affected trunk.",
"policy_modules": [{"policy_module_id": "R4MWWCKH606WH8DL16730142990468XG3QBWUSFCSF3"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "CNXC0YBMRHTM0UO71673014299049MIC6RFKHNTEE08",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(ICTCallThrottlingStart)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "TAFQ8NWVAWU0BFC31673014299049DRQ9DHQQ22WDJ3"
}
]
},
{"rule_definition_id": "XLSOGJGDH3MHGEPC1673014299049KASA8UR41VL6FX",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "TAFQ8NWVAWU0BFC31673014299049DRQ9DHQQ22WDJ3"
}
]
}
]
},
{"correlation_rule_id": "O1F4S4B2AGOP3OUC1673014299049ULR9QJ3HFTA157",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "Alarm ID: 50568 (ICTCallThrottlingEnd)",
"threat_score": 11,
"threshold": 1,
"window": 60,
"status": 1,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "*",
"description": "Unified CM starts handling calls again for the indicated H.323 device.\nExplanation: Unified CM has ceased throttling calls on the indicated H.323 device.\nRecommended Action: Notification purposes only; no action is required.",
"policy_modules": [{"policy_module_id": "R4MWWCKH606WH8DL16730142990468XG3QBWUSFCSF3"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "VFE2E16D3UAM4U8V1673014299049A4UQT3ASF78Q3H",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(ICTCallThrottlingEnd)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "O1F4S4B2AGOP3OUC1673014299049ULR9QJ3HFTA157"
}
]
},
{"rule_definition_id": "YHW6WG3EA1P6SW811673014299049CYRMG9NUK1SFB7",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "O1F4S4B2AGOP3OUC1673014299049ULR9QJ3HFTA157"
}
]
}
]
},
{"correlation_rule_id": "UPOK0K7IJHIN3VA31673014299049YOOE06D5IA2XLO",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "Alarm ID: 50569 (CodeYellowEntry)",
"threat_score": 60,
"threshold": 1,
"window": 60,
"status": 1,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "*",
"description": "Unified CM has entered Code Yellow state.\nExplanation: Unified CM has initiated call throttling due to unacceptably high delay in handling incoming calls.\nRecommended Action: Memory problems or high CPU usage are generally at the root of a Code Yellow condition. A bad disk could also be the cause. Also, trace level settings can consume tremendous amounts of CPU (especially when the Enable SDL TCP Event Trace checkbox is enabled on the SDL Trace Configuration window in Cisco Unified Serviceability). Use RTMT to check for memory leaks, causes of any CPU spikes, and determine whether the server has sufficient memory for the tasks expected of this server. Run server diagnostics to determine if the disk is bad, and examine/reconfigure the SDL trace settings in Unified Serviceability to ensure that trace settings are not contributing to Code Yellow. You can determine the level of fragmentation on the hard disk by issuing the File Fragmentation command from the CLI for the trace directories. After taking one or more of these corrective actions, monitor the situation and collect existing trace files. If the CodeYellowExit alarm is not issued in a reasonable amount of time as deemed by your organization, or if the system is frequently triggering the CodeYellowEntry alarm, contact the Cisco Technical Assistance Center (TAC) and supply the trace information you have collected.",
"policy_modules": [{"policy_module_id": "R4MWWCKH606WH8DL16730142990468XG3QBWUSFCSF3"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "XLYEHIM4AV248QJ71673014299049RC6ED0CQSMP5IV",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(CodeYellowEntry)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "UPOK0K7IJHIN3VA31673014299049YOOE06D5IA2XLO"
}
]
},
{"rule_definition_id": "JAP676YFOS1SN3S21673014299049F0RHBRKXXL8T93",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "UPOK0K7IJHIN3VA31673014299049YOOE06D5IA2XLO"
}
]
}
]
},
{"correlation_rule_id": "AVGVLXC79UFD9DH516730142990492CYFX9F4UGVAO6",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "Alarm ID: 50570 (CodeYellowExit)",
"threat_score": 11,
"threshold": 1,
"window": 60,
"status": 1,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "*",
"description": "Unified CM has exited Code Yellow.\nExplanation: Unified CM has ceased throttling calls and has exited the Code Yellow state.\nRecommended Action: Notification purposes only; no action is required.",
"policy_modules": [{"policy_module_id": "R4MWWCKH606WH8DL16730142990468XG3QBWUSFCSF3"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "YBSID1QMAFQ4NUNF1673014299049K3MRNF35W4WYWI",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(CodeYellowExit)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "AVGVLXC79UFD9DH516730142990492CYFX9F4UGVAO6"
}
]
},
{"rule_definition_id": "ULYG8DHKKM6E6QTI16730142990495BLD9FD7KTUD4N",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "AVGVLXC79UFD9DH516730142990492CYFX9F4UGVAO6"
}
]
}
]
},
{"correlation_rule_id": "EIFNRTUERT615GHS1673014299049P0HY5UB5SBPLF8",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "Alarm ID: 50571 (CodeRedEntry)",
"threat_score": 60,
"threshold": 1,
"window": 60,
"status": 1,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "*",
"description": "Unified CM has entered Code Red condition and will restart.\nExplanation: Unified CM has been in Code Yellow state for an extended period and is unlikely to recover on its own. The Cisco CallManager service automatically restarts in an attempt to clear the condition that is causing the Code Yellow state. The amount of time that the system will remain in Code Yellow state is configurable in the Code Yellow Duration service parameter. If the duration of this parameter is set to 99999, Code Red condition will never occur.\nRecommended Action: Make certain that you have attempted the steps in the recommended actions defined in the CodeYellowEntry alarm. If you have not, try those after the system is online. There is no other action for Code Red because the only action is to restart which occurs automatically.",
"policy_modules": [{"policy_module_id": "R4MWWCKH606WH8DL16730142990468XG3QBWUSFCSF3"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "RVRAK39KISPC6CCM1673014299049XCXOEN8X4LWMYO",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(CodeRedEntry)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "EIFNRTUERT615GHS1673014299049P0HY5UB5SBPLF8"
}
]
},
{"rule_definition_id": "IWRGH2BHAVU6028W1673014299049IV3NTLFVD96MFU",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "EIFNRTUERT615GHS1673014299049P0HY5UB5SBPLF8"
}
]
}
]
},
{"correlation_rule_id": "AW0M4ULOHC3DKSY716730142990490FAJDB4PH68LGL",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "Alarm ID: 50572 (SignalCongestionEntry)",
"threat_score": 60,
"threshold": 1,
"window": 60,
"status": 1,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "*",
"description": "Unified CM has detected signal congestion in an internal thread and has throttled activities for that thread.\nExplanation: Unified CM has initiated throttling for an internal thread due to unacceptably high delay in handling signals.\nRecommended Action: Memory problems or high CPU usage are generally at the root of signal congestion. A bad disk could also be the cause. Also, trace level settings can consume tremendous amounts of CPU (especially when the Enable SDL TCP Event Trace checkbox is enabled on the SDL Trace Configuration window in Cisco Unified Serviceability). Use RTMT to check for memory leaks, causes of any CPU spikes, and determine whether the server has sufficient memory for the tasks expected of this server. Run server diagnostics to determine if the disk is bad, and examine/reconfigure the SDL trace settings in Unified Serviceability to ensure that trace settings are not contributing to the signal congestion. You can determine the level of fragmentation on the hard disk by issuing the File Fragmentation command from the CLI for the trace directories. After taking one or more of these corrective actions, monitor the situation and collect existing trace files. If the SignalCongestionExit alarm is not issued in a reasonable amount of time as deemed by your organization, or if the system is frequently triggering the SignalCongestionEntry alarm, contact the Cisco Technical Assistance Center (TAC) and supply the trace information you have collected.",
"policy_modules": [{"policy_module_id": "R4MWWCKH606WH8DL16730142990468XG3QBWUSFCSF3"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "CXFF5CM5Y9V88Y4B167301429904926LOW1PU6HICLN",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(SignalCongestionEntry)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "AW0M4ULOHC3DKSY716730142990490FAJDB4PH68LGL"
}
]
},
{"rule_definition_id": "I11M8YQ9TFTYUBH116730142990493OAPRSN0DIDG9Y",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "AW0M4ULOHC3DKSY716730142990490FAJDB4PH68LGL"
}
]
}
]
},
{"correlation_rule_id": "HUBY1RTGO7TISDDS1673014299049ML1QQVQGY1D277",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "Alarm ID: 50573 (SignalCongestionExit)",
"threat_score": 11,
"threshold": 1,
"window": 60,
"status": 1,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "*",
"description": "Unified CM has exited throttling caused by a previous signal congestion condition.\nExplanation: Unified CM has exited the throttling state caused by signal congestion on a threaded process within Unified CM.\nRecommended Action: Notification purposes only; no action is required.",
"policy_modules": [{"policy_module_id": "R4MWWCKH606WH8DL16730142990468XG3QBWUSFCSF3"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "B6I12886FOLI9QD016730142990496X9JNBEU739MPC",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(SignalCongestionExit)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "HUBY1RTGO7TISDDS1673014299049ML1QQVQGY1D277"
}
]
},
{"rule_definition_id": "BMAIY2TJBJ5HE3GH1673014299049U89VGVEKJHJY5I",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "HUBY1RTGO7TISDDS1673014299049ML1QQVQGY1D277"
}
]
}
]
},
{"correlation_rule_id": "IU11PJ84SSEEO4I8167301429904956X7K5CK5GMQTG",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "Alarm ID: 50574 (MemoryThrottlingEntry)",
"threat_score": 60,
"threshold": 1,
"window": 60,
"status": 1,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "*",
"description": "Unified CM has entered a memory throttling state; new call attempts are being rejected.\nExplanation: Unified CM has initiated call throttling due to unacceptably high memory usage.\nRecommended Action: High traffic usage is generally the root cause of a memory throttling condition. Evaluate the load balancing amongst the servers in your deployment to determine if additional nodes are needed to handle the traffic. If the MemoryThrottlingExit alarm is not issued in a reasonable amount of time as deemed by your organization, or if the system is frequently triggering the MemoryThrottlingEntry alarm, contact the Cisco Technical Assistance Center (TAC) for assistance.",
"policy_modules": [{"policy_module_id": "R4MWWCKH606WH8DL16730142990468XG3QBWUSFCSF3"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "DFHGOHODX9SDVK0H1673014299049TRFQDNS2UEVN82",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(MemoryThrottlingEntry)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "IU11PJ84SSEEO4I8167301429904956X7K5CK5GMQTG"
}
]
},
{"rule_definition_id": "H5KILE4DAXIWM8VI1673014299049YWFHA1PE2USYK8",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "IU11PJ84SSEEO4I8167301429904956X7K5CK5GMQTG"
}
]
}
]
},
{"correlation_rule_id": "QWYOQ9UFPJOC7Y3E16730142990499LTX2D5QX87EQN",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "Alarm ID: 50575 (MemoryThrottlingExit)",
"threat_score": 11,
"threshold": 1,
"window": 60,
"status": 1,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "*",
"description": "Unified CM has exited a memory throttling state.\nExplanation: Unified CM has ceased throttling calls and has exited the memory throttling state.\nRecommended Action: Notification purposes only; no action is required.",
"policy_modules": [{"policy_module_id": "R4MWWCKH606WH8DL16730142990468XG3QBWUSFCSF3"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "YQ41YEBOPLWXSJFU1673014299049T702AXPLSYORW8",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(MemoryThrottlingExit)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "QWYOQ9UFPJOC7Y3E16730142990499LTX2D5QX87EQN"
}
]
},
{"rule_definition_id": "UFQU4XXOJM779F5A1673014299049IJIRC8JVHK7Y4O",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "QWYOQ9UFPJOC7Y3E16730142990499LTX2D5QX87EQN"
}
]
}
]
},
{"correlation_rule_id": "XTAY5RED8S990O2G1673014299049R3114SWGYK7HM7",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "Alarm ID: 50576 (DeviceCloseMaxEventsExceeded)",
"threat_score": 31,
"threshold": 1,
"window": 60,
"status": 1,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "*",
"description": "The TCP socket for the SCCP device has been closed due to excessive events in a 5-second period; under normal conditions, the device will reregister automatically.\nExplanation: The indicated SCCP device exceeded the maximum number of events allowed per-SCCP device. Events can be phone calls, KeepAlive messages, or excessive SCCP or non-SCCP messages. The maximum number of allowed events is controlled by the Cisco CallManager service parameter, Max Events Allowed. When an individual device exceeds the number configured in that service parameter, Unified CM closes the TCP connection to the device; automatic reregistration generally follows. This action is an attempt to stop malicious attacks on Unified CM or to ward off excessive CPU usage.\nRecommended Action: Check the CCM trace data for the indicated SCCP device to determine the reason for the high number of events. Confirm that the value configured in the Cisco CallManager service parameter, Max Events Allowed, is a suitable number for your deployment.",
"policy_modules": [{"policy_module_id": "R4MWWCKH606WH8DL16730142990468XG3QBWUSFCSF3"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "GUD8262F9SU895O11673014299049O4II4VVGBO9KI6",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(DeviceCloseMaxEventsExceeded)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "XTAY5RED8S990O2G1673014299049R3114SWGYK7HM7"
}
]
},
{"rule_definition_id": "SJI7NR4LCEW2SDIN1673014299049PYXIV6LAE33T8C",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "XTAY5RED8S990O2G1673014299049R3114SWGYK7HM7"
}
]
}
]
},
{"correlation_rule_id": "X9KYIP6B07S443F71673014299049R5QTEUXVPRM9EM",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "Alarm ID: 50577 (MaliciousCall)",
"threat_score": 60,
"threshold": 1,
"window": 60,
"status": 1,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "*",
"description": "A malicious call has been identified.\nExplanation: A user presses the MCID softkey to alert you that the call indicated in this alarm contained disturbing content. This is not to indicate a voice quality issue on the call but to alert you to a potentially abusive or offensive occurrence involving the calling party device.\nRecommended Action: After a user presses the MCID softkey, the MCID service flags the call detail record (CDR) with the MCID notice and sends a notification to the PSTN that a malicious call is in progress. Take appropriate action as defined by your company policy regarding disturbing/abusive calls.",
"policy_modules": [{"policy_module_id": "R4MWWCKH606WH8DL16730142990468XG3QBWUSFCSF3"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "ULAXVH58WPS05FDP1673014299049H3BJRNDSRGXTCT",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(MaliciousCall)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "X9KYIP6B07S443F71673014299049R5QTEUXVPRM9EM"
}
]
},
{"rule_definition_id": "F05PNJHGFB4AEHD11673014299049VU600MUUKSLSQE",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "X9KYIP6B07S443F71673014299049R5QTEUXVPRM9EM"
}
]
}
]
},
{"correlation_rule_id": "IUS9KH1TRO3Q7QVG1673014299049LY7AILRVN8AVLY",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "Alarm ID: 50578 (BeginThrottlingCallListBLFSubscriptions)",
"threat_score": 0,
"threshold": 1,
"window": 60,
"status": 1,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "*",
"description": "Unified CM has initiated throttling of CallList BLF subscriptions as a preventive measure to avoid overloading the system.\nExplanation: Unified CM has initiated throttling of Call List BLF subscriptions as a preventive measure to avoid overloading the system. This alarm occurs when the total number of active BLF subscriptions exceeds the configured limit set by the Presence Subscription Throttling Threshold service parameter.\nRecommended Action: Determine if CPU and memory resources are available to meet the higher demand for CallList BLF subscriptions. If so, increase the value in the Cisco CallManager service parameter Presence Subscription Throttling Threshold and correspondingly reduce the value in the Presence Subscription Resume Threshold service parameter. If you do not have sufficient CPU and memory resources to increase the throttling threshold value, evaluate a plan to increase system resources to meet the demand",
"policy_modules": [{"policy_module_id": "R4MWWCKH606WH8DL16730142990468XG3QBWUSFCSF3"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "C7RA75OCF687LML01673014299049GMYPGLJ1F70F9X",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(BeginThrottlingCallListBLFSubscriptions)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "IUS9KH1TRO3Q7QVG1673014299049LY7AILRVN8AVLY"
}
]
},
{"rule_definition_id": "BMV7ILB23GGC4KW61673014299049KRMVJ1ANKGPQB6",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "IUS9KH1TRO3Q7QVG1673014299049LY7AILRVN8AVLY"
}
]
}
]
},
{"correlation_rule_id": "YKL7XMUOJO3TXNXA1673014299049W5UJ10GEC2K8XG",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "Alarm ID: 50579 (EndThrottlingCallListBLFSubscriptions)",
"threat_score": 11,
"threshold": 1,
"window": 60,
"status": 1,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "*",
"description": "EndThrottlingCallListBLFSubscriptions.\nExplanation: Unified CM has resumed accepting CallList BLF subscriptions subsequent to prior throttling.\nRecommended Action: Notification purposes only; no action is required.",
"policy_modules": [{"policy_module_id": "R4MWWCKH606WH8DL16730142990468XG3QBWUSFCSF3"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "S4WTU8S5HF1P1ADO1673014299049OWSRQ3TSDEFN17",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(EndThrottlingCallListBLFSubscriptions)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "YKL7XMUOJO3TXNXA1673014299049W5UJ10GEC2K8XG"
}
]
},
{"rule_definition_id": "FTCAP2HKR7Q2FIUX1673014299049BFK7XV01GY0GXJ",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "YKL7XMUOJO3TXNXA1673014299049W5UJ10GEC2K8XG"
}
]
}
]
},
{"correlation_rule_id": "LRWH4KCN643AKXVK1673014299049BL2HXBBWJTOJSC",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "Alarm ID: 50580 (PktCapServiceStarted)",
"threat_score": 11,
"threshold": 1,
"window": 60,
"status": 1,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "*",
"description": "Packet capture service has started.\nExplanation: The packet capture feature has been enabled on the Unified CM server. A Cisco CallManager service parameter, Packet Capture Enable, must be set to True for packet capture to occur.\nRecommended Action: Informational purposes only; no action is required.",
"policy_modules": [{"policy_module_id": "R4MWWCKH606WH8DL16730142990468XG3QBWUSFCSF3"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "AMBSNEQHED7RADSN1673014299049TV8YOH3DIH6YNB",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(PktCapServiceStarted)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "LRWH4KCN643AKXVK1673014299049BL2HXBBWJTOJSC"
}
]
},
{"rule_definition_id": "N4M33C74SY756P591673014299049RIU86A8LA90A6U",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "LRWH4KCN643AKXVK1673014299049BL2HXBBWJTOJSC"
}
]
}
]
},
{"correlation_rule_id": "O7GJNPLTB21JNFXX1673014299049KMBRPI9CTL3FSH",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "Alarm ID: 50581 (PktCapServiceStopped)",
"threat_score": 11,
"threshold": 1,
"window": 60,
"status": 1,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "*",
"description": "Packet capture service has stopped.\nExplanation: The packet capture feature has been disabled in Unified CM.\nRecommended Action: Informational purposes only; no action is required.",
"policy_modules": [{"policy_module_id": "R4MWWCKH606WH8DL16730142990468XG3QBWUSFCSF3"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "RFLVO9WSIWLALC7E1673014299049KB50F4EAOY9MSP",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(PktCapServiceStopped)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "O7GJNPLTB21JNFXX1673014299049KMBRPI9CTL3FSH"
}
]
},
{"rule_definition_id": "Q0VGRR9QAFF5NUCG1673014299049WRJJBJI9KEECQ9",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "O7GJNPLTB21JNFXX1673014299049KMBRPI9CTL3FSH"
}
]
}
]
},
{"correlation_rule_id": "YYOAMHSF5YQ6WFSO1673014299049I4AY3GWYL7VXMI",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "Alarm ID: 50582 (PktCapOnDeviceStarted)",
"threat_score": 11,
"threshold": 1,
"window": 60,
"status": 1,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "*",
"description": "Packet capture has started on the device.\nExplanation: Packet capture has been enabled on the device indicated in this alarm.\nRecommended Action: Informational purposes only; no action is required.",
"policy_modules": [{"policy_module_id": "R4MWWCKH606WH8DL16730142990468XG3QBWUSFCSF3"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "BLFKFG9T3JLTBFSA16730142990494CIF4KKXN2TKU2",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(PktCapOnDeviceStarted)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "YYOAMHSF5YQ6WFSO1673014299049I4AY3GWYL7VXMI"
}
]
},
{"rule_definition_id": "OGFLJV6OEWJJNUAU16730142990497DFIVEIO8JRBQA",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "YYOAMHSF5YQ6WFSO1673014299049I4AY3GWYL7VXMI"
}
]
}
]
},
{"correlation_rule_id": "TCI8VJAWNMJ9NQNO1673014299049QAFLT80BQBX2E9",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "Alarm ID: 50583 (PktCapOnDeviceStopped)",
"threat_score": 11,
"threshold": 1,
"window": 60,
"status": 1,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "*",
"description": "Packet capture stopped on the device.\nExplanation: Packet capture has been disabled on the indicated device.\nRecommended Action: Informational purposes only; no action is required.",
"policy_modules": [{"policy_module_id": "R4MWWCKH606WH8DL16730142990468XG3QBWUSFCSF3"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "W2QI3V2M6LTBLEWV1673014299049MA8M47LMTXU89S",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(PktCapOnDeviceStopped)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "TCI8VJAWNMJ9NQNO1673014299049QAFLT80BQBX2E9"
}
]
},
{"rule_definition_id": "SUX1GJPX58C20G7R1673014299049KTQBLQ9248W95I",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "TCI8VJAWNMJ9NQNO1673014299049QAFLT80BQBX2E9"
}
]
}
]
},
{"correlation_rule_id": "Y3QTNO03UMLI1MC316730142990492T5ROO4TL0KLG3",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "Alarm ID: 50584 (UserUserPrecedenceAlarm)",
"threat_score": 0,
"threshold": 1,
"window": 60,
"status": 1,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "*",
"description": "User-to-User Precedence passing violation.\nExplanation: User-to-User IE was not successfully tunneled to destination; please refer to reason code for additional details.\nRecommended Action: Refer to the information (help text) in the reason code in this alarm for detailed actions.",
"policy_modules": [{"policy_module_id": "R4MWWCKH606WH8DL16730142990468XG3QBWUSFCSF3"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "OTPGSTE0EIO73EF81673014299049GYKBV3UHBK3BQY",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(UserUserPrecedenceAlarm)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "Y3QTNO03UMLI1MC316730142990492T5ROO4TL0KLG3"
}
]
},
{"rule_definition_id": "XFH0RJTXDIPD7UO71673014299049UY60NB8PVRAVO3",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "Y3QTNO03UMLI1MC316730142990492T5ROO4TL0KLG3"
}
]
}
]
},
{"correlation_rule_id": "P9LSPNCW0AIO3H371673014299049RP3Y14L9AI7PHJ",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "Alarm ID: 50585 (MultipleSIPTrunksToSamePeerAndLocalPort)",
"threat_score": 31,
"threshold": 1,
"window": 60,
"status": 1,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "*",
"description": "User-to-User Precedence passing violation.\nExplanation: A conflict occurred because multiple trunks have been configured to the same destination and local port.\nRecommended Action: Multiple trunks have been configured to the same destination and local port, which resulted in a conflict. Only one trunk is allowed for one destination/local port combination. The new trunk invalidated the old trunk.",
"policy_modules": [{"policy_module_id": "R4MWWCKH606WH8DL16730142990468XG3QBWUSFCSF3"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "WJ6PWRAX8B35EI0Y1673014299049CP665CUXJJO1L8",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(MultipleSIPTrunksToSamePeerAndLocalPort)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "P9LSPNCW0AIO3H371673014299049RP3Y14L9AI7PHJ"
}
]
},
{"rule_definition_id": "BC34XPX5D28FBBGD1673014299049YRXF3FWE6BI88F",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "P9LSPNCW0AIO3H371673014299049RP3Y14L9AI7PHJ"
}
]
}
]
},
{"correlation_rule_id": "LD32X6ISW9A9HW8L167301429904983TW0FXRVYLBPA",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "Alarm ID: 50586 (NoFeatureLicense)",
"threat_score": 60,
"threshold": 1,
"window": 60,
"status": 1,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "*",
"description": "No feature license found.\nExplanation: Unified CM requires a license to function. Also, Unified CM licenses are version-specific so be certain that the license is for the version you are trying to run. You can run a license unit report in Cisco Unified CM Administration (System > Licensing > License Unit Report).\nRecommended Action: Request license generation for Cisco Unified Communications Manager SW FEATURE for your version of Unified CM and upload the license in Cisco Unified CM Administration (System > Licensing > License File Upload).",
"policy_modules": [{"policy_module_id": "R4MWWCKH606WH8DL16730142990468XG3QBWUSFCSF3"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "KMEHHQHRO48LWPU71673014299049EQB1XOGGIICT7V",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(NoFeatureLicense)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "LD32X6ISW9A9HW8L167301429904983TW0FXRVYLBPA"
}
]
},
{"rule_definition_id": "DW4KX9KGLMLDTMH31673014299049RXDDJ3O85LUIXO",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "LD32X6ISW9A9HW8L167301429904983TW0FXRVYLBPA"
}
]
}
]
},
{"correlation_rule_id": "P8FDA5FQHCBXQWMM16730142990495J2RB2DI0Y7LKD",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "Alarm ID: 50587 (CMInitializationStateTime)",
"threat_score": 0,
"threshold": 1,
"window": 60,
"status": 1,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "*",
"description": "Indicates the amount of time it took for Unified CM to initialize each state in the initialization process.\nExplanation: Indicates the amount of time required to complete initialization for the specified state.\nRecommended Action: Informational purposes only; no action is required.",
"policy_modules": [{"policy_module_id": "R4MWWCKH606WH8DL16730142990468XG3QBWUSFCSF3"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "C7OQAR7I7WOVFHT41673014299049IINMQUTGDRVUEN",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(CMInitializationStateTime)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "P8FDA5FQHCBXQWMM16730142990495J2RB2DI0Y7LKD"
}
]
},
{"rule_definition_id": "VRCHSP9UN0P1VHDC16730142990499JVYCSBWTG4EPK",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "P8FDA5FQHCBXQWMM16730142990495J2RB2DI0Y7LKD"
}
]
}
]
},
{"correlation_rule_id": "G8S30J2FSCXX1QOQ16730142990490QM6KP6HUEAWU8",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "Alarm ID: 50588 (CMTotalInitializationStateTime)",
"threat_score": 0,
"threshold": 1,
"window": 60,
"status": 1,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "*",
"description": "Total amount of time it took for Unified CM to complete initialization.\nExplanation: Indicates the amount of time required to complete the total system initialization.\nRecommended Action: Informational purposes only; no action is required.",
"policy_modules": [{"policy_module_id": "R4MWWCKH606WH8DL16730142990468XG3QBWUSFCSF3"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "RVHCVPJQUF84RJQH1673014299049VB5QH7AB35KOUM",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(CMTotalInitializationStateTime)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "G8S30J2FSCXX1QOQ16730142990490QM6KP6HUEAWU8"
}
]
},
{"rule_definition_id": "AT0S6FYIRIT89XEO1673014299049K59GRQAYAD4IV3",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "G8S30J2FSCXX1QOQ16730142990490QM6KP6HUEAWU8"
}
]
}
]
},
{"correlation_rule_id": "ER9CXM4QYPM73JMF1673014299049U9KU72371O59LD",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "Alarm ID: 50589 (CMOverallInitTimeExceeded)",
"threat_score": 31,
"threshold": 1,
"window": 60,
"status": 1,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "*",
"description": "Initialization of the Unified CM system has taken longer than allowed by the System Initialization Timer service parameter; the system automatically restarts to attempt initialization again.\nExplanation: The required time to initialize Unified CM has exceeded the time allowed by the Cisco CallManager service parameter, System Initialization Timer; as a result, the system will automatically restart to attempt initialization again. Initialization may have failed due to an increase in system size, due a database error, due to a large amount of new devices added to the system, or any number of other potential causes.\nRecommended Action: Use RTMT to discover the number of devices and number of users in the system and evaluate whether the numbers seem accurate. Try increasing the value of the Cisco CallManager service parameter, System Initialization Timer, in the Service Parameters Configuration window in Cisco Unified CM Administration. If increasing the time in the System Initialization Timer service parameter does not correct this issue, contact the Cisco Technical Assistance Center (TAC).",
"policy_modules": [{"policy_module_id": "R4MWWCKH606WH8DL16730142990468XG3QBWUSFCSF3"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "O64Y3HW4Y3SERJ7316730142990493KRVYWFG9YHKRT",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(CMOverallInitTimeExceeded)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "ER9CXM4QYPM73JMF1673014299049U9KU72371O59LD"
}
]
},
{"rule_definition_id": "MCNS72M81DCM2HIV1673014299049HS1XJJ30BBI6S1",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "ER9CXM4QYPM73JMF1673014299049U9KU72371O59LD"
}
]
}
]
},
{"correlation_rule_id": "LWNLBCUBI9OUE2591673014299049NWYB2SIS68SMUR",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "Alarm ID: 50590 (DigitAnalysisTimeoutAwaitingResponse)",
"threat_score": 0,
"threshold": 1,
"window": 60,
"status": 1,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "*",
"description": "Unified CM sent a routing request to the policy decision point but the request timed out without a response.\nExplanation: Unified CM was unable to complete the routing request before timing out. This timeout could occur due to low system resources, high CPU usage, or a high volume of call activities on this Unified CM node. Unified CM applies the Call Treatment on Failure that is configured for the External Call Control Profile associated with this call.\nRecommended Action: Check the External Call Control object in Real-Time Monitoring Tool (RTMT) to see whether the ExternalCallControlEnabledCallAttempted counter is spiking. A dramatic increase in that counter indicates an unusually high number of calls at this time which could result in reduced system resources. Check the QueueSignalsPresent2-Normal counter for persistent (long) high signal queue. If the long signal queue exists, check whether the Code Yellow alarm has already issued and check the system CPU and memory usage for this Unified CM node. Follow the recommended actions for Code Yellow alarm if the Code Yellow alarm has fired. For high CPU usage, use RTMT to determine which areas may be contributing to the high CPU usage. If this alarm persists, collect system performance data (such as the percentage of Memory, Page and VM usage, partition read and write bytes per second, the percentage of CPU usages of all the processes, and the processor IOWait percentage) and contact Cisco Technical Assistance Center (TAC).",
"policy_modules": [{"policy_module_id": "R4MWWCKH606WH8DL16730142990468XG3QBWUSFCSF3"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "HM4EB24UKVCSHUWX1673014299049PDTTL67VWGG4BA",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(DigitAnalysisTimeoutAwaitingResponse)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "LWNLBCUBI9OUE2591673014299049NWYB2SIS68SMUR"
}
]
},
{"rule_definition_id": "OSO437DVV39TWDL81673014299049EB9NCHOVOFQ90J",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "LWNLBCUBI9OUE2591673014299049NWYB2SIS68SMUR"
}
]
}
]
},
{"correlation_rule_id": "H8VINT1LRD9I7UMS1673014299049EUY6CQT9SP6TGV",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "Alarm ID: 50591 (InvalidIPNetPattern)",
"threat_score": 31,
"threshold": 1,
"window": 60,
"status": 1,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "*",
"description": "An invalid IP address is configured in one or more SIP route patterns in Cisco Unified CM Administration.\nExplanation: An invalid IP address is configured in one or more SIP route patterns in Cisco Unified CM Administration.\nRecommended Action: In Cisco Unified CM Administration, verify that the route pattern associated with the device that is identified in this alarm has an accurate and working IP address. You can learn more how to ensure that the IP address is valid by reviewing RFC 2373.",
"policy_modules": [{"policy_module_id": "R4MWWCKH606WH8DL16730142990468XG3QBWUSFCSF3"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "YDVPV9IVFAG3JNY81673014299049DVTXVH2P4VOXLX",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(InvalidIPNetPattern)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "H8VINT1LRD9I7UMS1673014299049EUY6CQT9SP6TGV"
}
]
},
{"rule_definition_id": "XVCF58FOTD49E3TU1673014299049IBUMM9MRQUSAD7",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "H8VINT1LRD9I7UMS1673014299049EUY6CQT9SP6TGV"
}
]
}
]
},
{"correlation_rule_id": "GOXCM21G3SC2TS901673014299049Q0GEHFRX3TM77Q",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "Alarm ID: 50592 (FailedToFulfillDirectiveFromPDP)",
"threat_score": 0,
"threshold": 1,
"window": 60,
"status": 1,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "*",
"description": "Unified CM cannot fulfill the call routing directive returned by the policy decision point.\nExplanation: A routing directive from the policy decision point (PDP) cannot be fulfilled. This could occur because the call was cleared by a CTI application before Unified CM was able to route it to the location defined by the PDP; because a call that was allowed by a policy server was redirected by the CTI application to a destination; because the annunciator ID was misconfigured in the PDP; or because Unified CM attempted to invoke a media resource such as Annunciator but no resources were available.\nRecommended Action: In many cases, a failure to fulfill a routing directive occurs because of intervention by a CTI application which scoops up the call before Unified CM is able to fulfill the routing directive in the PDP. If CTI interaction is having a negative effect, examine the CTI application to ensure that the call is in alerting or connected state before CTI begins to interact with the call. If the failure is caused by a problem with the annunciator ID, check to be sure the ID has been accurately configured in the PDP and that it exists in Unified CM Administration. If the failure was caused by a lack of media resources, try increasing the Annunciator Call Count service parameter in the Cisco IP Voice Media Streaming App service.",
"policy_modules": [{"policy_module_id": "R4MWWCKH606WH8DL16730142990468XG3QBWUSFCSF3"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "O31JTXLOK0KDC1P7167301429904987LD4S1M8SXOFE",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(FailedToFulfillDirectiveFromPDP)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "GOXCM21G3SC2TS901673014299049Q0GEHFRX3TM77Q"
}
]
},
{"rule_definition_id": "G3M5CV9QUQ8POM6H1673014299049UBQ3KS04EY5AS7",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "GOXCM21G3SC2TS901673014299049Q0GEHFRX3TM77Q"
}
]
}
]
},
{"correlation_rule_id": "P1RWP97EHEEKS6EU16730142990494TEWIC2UNPBDNV",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "Alarm ID: 50593 (FailureResponseFromPDP)",
"threat_score": 31,
"threshold": 1,
"window": 60,
"status": 1,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "*",
"description": "The policy decision point returned a 4xx (client) or 5xx (server) status code in the HTTP response.\nExplanation: Unified CM received a 4xx or 5xx response from the policy decision point (PDP). A 4xx response indicates errors in the call routing request from Unified CM, for example: a 400 response indicates the call routing request could not be understood by the PDP; a 404 indicates that the PDP did not find a matching request URI. A 5xx error indicates a PDP server error, for example: a 500 response indicates a PDP internal error; a 501 response indicates that the PDP does not support the functionality to generate a call routing response; a 503 indicates that the PDP is busy and temporarily cannot generate a response; a 505 indicates that the HTTP version number included in the call routing request from Unified CM is not supported. Other such errors may be responsible; please refer to generally available guidelines on HTTP or check RFC 2616 for detailed explanations about HTTP Status Code definitions.\nRecommended Action: If a 4xx response caused the alarm, verify that the PDP has been accurately configured for the functionality and call routing that you expect it to perform. If a 500 response causes the alarm, check whether the PDP service is active and check the PDP server's log files for any errors. If a 503 causes the alarm, the PDP may be overloaded by requests. Take appropriate action to reduce the load on the PDP by following some or all of these recommendations: 1) consider adding more PDPs and provisioning Unified CM with additional external call control profiles and external call control trigger points in the various configuration pages under the Call Routing menu in Cisco Unified CM Administration; 2) provision a pair of policy servers per external call control profile to enable load balancing; or 3) verify that the PDP server in your deployment meets or exceed the hardware requirements specified in the documentation for Cisco Enterprise Policy Manager (CEPM) or the third-party PDP solution you have deployed. If a 505 response causes the alarm, check to be sure that the PDP supports HTTP version 1.1.",
"policy_modules": [{"policy_module_id": "R4MWWCKH606WH8DL16730142990468XG3QBWUSFCSF3"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "VRNQWPSJTXC996Y31673014299049DB97671NPESCL2",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(FailureResponseFromPDP)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "P1RWP97EHEEKS6EU16730142990494TEWIC2UNPBDNV"
}
]
},
{"rule_definition_id": "V598OTFQY9K5QPE016730142990499631T2HPO057YH",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "P1RWP97EHEEKS6EU16730142990494TEWIC2UNPBDNV"
}
]
}
]
},
{"correlation_rule_id": "GL6G7M5NTVQ73QDC1673014299049XXSCNH3HCPV54J",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "Alarm ID: 50594 (ConnectionFailureToPDP)",
"threat_score": 31,
"threshold": 1,
"window": 60,
"status": 1,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "*",
"description": "A connection request from Unified CM to the policy decision point failed.\nExplanation: A connection request to the policy decision point (PDP) failed. Failure may have been due to a network error causing limited or no connectivity between Unified CM and the PDP; because of authentication errors when Unified CM established an HTTPS connection to the PDP; or because the PDP was not in service.\nRecommended Action: Verify that network connectivity exists between Unified CM and the PDP by pinging the policy server host from Cisco Unified OS Administration and take steps to establish connectivity if it has been lost. If the connection failure is due to an authentication problem, verify that the valid certificate of the PDP has been imported to Cisco Unified OS Administration and certificates from every node in the Unified CM cluster have been imported to every node in the PDP. Also, make sure that the PDP service is active.",
"policy_modules": [{"policy_module_id": "R4MWWCKH606WH8DL16730142990468XG3QBWUSFCSF3"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "L3EHJDMTKID0O5U116730142990499XMJSC72C1GQQD",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(ConnectionFailureToPDP)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "GL6G7M5NTVQ73QDC1673014299049XXSCNH3HCPV54J"
}
]
},
{"rule_definition_id": "IQOXVFJJ0H1XBNH116730142990494EXMFMII94N65A",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "GL6G7M5NTVQ73QDC1673014299049XXSCNH3HCPV54J"
}
]
}
]
},
{"correlation_rule_id": "L1XICXU8A7GXTM9V1673014299049U3WY763NJNGCSO",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "Alarm ID: 50595 (ConnectionToPDPInService)",
"threat_score": 0,
"threshold": 1,
"window": 60,
"status": 1,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "*",
"description": "A connection was successfully established between Unified CM and the policy decision point.\nExplanation: A successful connection from Unified CM to the policy decision point (PDP) has been established.\nRecommended Action: Informational purposes only; no action is required.",
"policy_modules": [{"policy_module_id": "R4MWWCKH606WH8DL16730142990468XG3QBWUSFCSF3"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "BRAB9JXSJTRM9U0P1673014299049NTDJ3P5WG9LC29",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(ConnectionToPDPInService)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "L1XICXU8A7GXTM9V1673014299049U3WY763NJNGCSO"
}
]
},
{"rule_definition_id": "K9KCT5TSLQ59O5AX1673014299049HRN4NQ7DUYPJ2Q",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "L1XICXU8A7GXTM9V1673014299049U3WY763NJNGCSO"
}
]
}
]
},
{"correlation_rule_id": "TLG8ECX4HPEQ7N6O1673014299049QMAFAVARFBGSEI",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "Alarm ID: 50596 (AwaitingResponseFromPDPTimeout)",
"threat_score": 31,
"threshold": 1,
"window": 60,
"status": 1,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "*",
"description": "Unified CM timed out waiting for the routing response from the policy decision point.\nExplanation: Unified CM did not receive a call routing response from the policy decision point (PDP) within the time specified by either the Cisco CallManager service parameter, Call Intercept Routing Request Timer, or on the Call Intercept Profile Configuration window in Cisco Unified CM Administration.\nRecommended Action: Check whether the PDP is in service and working normally. Verify that the PDP is not overloaded; if it is, take appropriate action to reduce the load on the PDP by following some or all of these recommendations: 1) consider adding more PDPs and provisioning Unified CM with additional call intercept profiles and call intercept trigger points in the various configuration pages under the Call Routing menu in Cisco Unified CM Administration; 2) provision a pair of policy servers per call-intercept profile to enable load balancing; or 3) verify that the PDP server in your deployment meets or exceed the hardware requirements specified in the documentation for Cisco Enterprise Policy Manager (CEPM) or the third-party PDP solution you have deployed. If necessary, increase the value in the Cisco CallManager service parameter, Call Intercept Routing Request Timer or the value in the Call Intercept Profile for this PDP.",
"policy_modules": [{"policy_module_id": "R4MWWCKH606WH8DL16730142990468XG3QBWUSFCSF3"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "K44YFLEWR30EH5I91673014299049H1D4971TDMDOJA",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(AwaitingResponseFromPDPTimeout)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "TLG8ECX4HPEQ7N6O1673014299049QMAFAVARFBGSEI"
}
]
},
{"rule_definition_id": "HYG6P17V9JVWMVNY16730142990499KUBQS5HXKYH2F",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "TLG8ECX4HPEQ7N6O1673014299049QMAFAVARFBGSEI"
}
]
}
]
},
{"correlation_rule_id": "BE9A9GOHPQGW6WEF1673014299049O9D027JA27OSS7",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "Alarm ID: 50597 (ErrorParsingDirectiveFromPDP)",
"threat_score": 31,
"threshold": 1,
"window": 60,
"status": 1,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "*",
"description": "Unified CM failed to parse the call routing directive or the diversion destination in the call routing response from the policy decision point.\nExplanation: A routing response was received but Unified CM failed to parse the mandatory elements in the response. This means that a call routing directive or the call diversion destination could not be parsed correctly, or that the call routing directive was not recognized. The error may due to a syntax error or because the call routing directive is missing or the call diversion destination is missing in the call routing response.\nRecommended Action: Check the external call control documentation, including any applicable API documentation, to determine whether the call routing directive that was included as part of the policy obligations in the call routing response are correctly entered according to the information defined in the external call control documentation.",
"policy_modules": [{"policy_module_id": "R4MWWCKH606WH8DL16730142990468XG3QBWUSFCSF3"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "DKXV762POKELUFJC1673014299049B1YS17OP3U4AI7",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(ErrorParsingDirectiveFromPDP)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "BE9A9GOHPQGW6WEF1673014299049O9D027JA27OSS7"
}
]
},
{"rule_definition_id": "TM2TC9PK34O2TS9K1673014299049OXE0R5E230HLVG",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "BE9A9GOHPQGW6WEF1673014299049O9D027JA27OSS7"
}
]
}
]
},
{"correlation_rule_id": "W5GJBKHPA5JFBVS31673014299049J3XHPX17S65HFT",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "Alarm ID: 50598 (ErrorParsingResponseFromPDP)",
"threat_score": 0,
"threshold": 1,
"window": 60,
"status": 1,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "*",
"description": "Unified CM failed to parse one or multiple optional elements or attributes in the call routing response from the policy decision point.\nExplanation: A routing response was received from the policy decision point (PDP) but Unified CM failed to parse the optional elements in the response. Optional elements may include modified calling numbers or called numbers, call reject or call diversion reasons, and so on. The cause may be a syntax error or missing attributes in the call routing response.\nRecommended Action: Confirm that the call routing response from the policy decision point complies with the guidelines specified for external call control in the Cisco Unified Communications Manager documentation. Confirm that any optional elements included as the policy obligations in the call routing response are correctly entered according to the external call control documentation, including any applicable API documentation.",
"policy_modules": [{"policy_module_id": "R4MWWCKH606WH8DL16730142990468XG3QBWUSFCSF3"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "CAM4DF7YWLEH13OQ1673014299049MBVPMU0OXWID5F",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(ErrorParsingResponseFromPDP)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "W5GJBKHPA5JFBVS31673014299049J3XHPX17S65HFT"
}
]
},
{"rule_definition_id": "WAYPA6GWBO3OCVWC1673014299050TNMKWKYO7IOYII",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "W5GJBKHPA5JFBVS31673014299049J3XHPX17S65HFT"
}
]
}
]
},
{"correlation_rule_id": "N5VJX1FEE96539SG1673014299050AKIV6H5IGEYI26",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "Alarm ID: 50599 (CallAttemptBlockedByPolicy)",
"threat_score": 0,
"threshold": 1,
"window": 60,
"status": 1,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "*",
"description": "A call was attempted but blocked or rejected by the policy decision point.\nExplanation: A call was rejected or blocked because it violated the enterprise policy as defined in a policy decision point (PDP) that was configured in Unified CM. The policy server returns a call reject decision stating that a policy violation was the reason for rejecting the call. Calls may be rejected because an unauthorized user attempted to dial a DN or pattern that is not allowed for him or her or because a call forward directive was invoked and the destination specified in the call forward operation violated the policy. Depending on email configuration in Real-Time Monitoring Tool (RTMT), the system may have generated an email alert when the call was rejected.\nRecommended Action: Evaluate the information provided in this alarm (caller's user ID, to and from DNs, and so on) to determine if the call attempt was an innocent mistake to dial a number that the user didn't realize was not routable for him or her, or to discover whether the user is intentionally trying to circumvent the policy restrictions. If the rejected call was caused by an innocent mistake, educate the affected user about the numbers that he or she is allowed to dial. Your organization may have a policy or guidelines to follow when investigating call rejects. In addition to or instead of the steps recommended here, please refer to your company's guidelines.",
"policy_modules": [{"policy_module_id": "R4MWWCKH606WH8DL16730142990468XG3QBWUSFCSF3"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "MO459BG3BSFLAJ291673014299050M4Q11IA5RJB0KW",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(CallAttemptBlockedByPolicy)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "N5VJX1FEE96539SG1673014299050AKIV6H5IGEYI26"
}
]
},
{"rule_definition_id": "T9NORTTWSRJXAFPM1673014299050WOSNCA4F6D6OJ7",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "N5VJX1FEE96539SG1673014299050AKIV6H5IGEYI26"
}
]
}
]
},
{"correlation_rule_id": "B1WS3I0Y185QMG2216730142990506H79UEIVVT5OAL",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "Alarm ID: 50600 (ServicePortOnline)",
"threat_score": 11,
"threshold": 1,
"window": 60,
"status": 1,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "*",
"description": "A Cisco CallManager service port is online.\nExplanation: Unified CM has successfully opened a socket port to provide service.\nRecommended Action: Notification purposes only; no action is required.",
"policy_modules": [{"policy_module_id": "R4MWWCKH606WH8DL16730142990468XG3QBWUSFCSF3"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "KEGCEFKWIT9MEOVF1673014299050H0U1XEM23KUS5R",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(ServicePortOnline)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "B1WS3I0Y185QMG2216730142990506H79UEIVVT5OAL"
}
]
},
{"rule_definition_id": "OKX3QHB5BOW5IU8O167301429905081GSMV24XXWJE7",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "B1WS3I0Y185QMG2216730142990506H79UEIVVT5OAL"
}
]
}
]
},
{"correlation_rule_id": "FUG7XVSPI6A1C32V1673014299050NU2WF77G8AWQOM",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "Alarm ID: 50601 (ServicePortOffline)",
"threat_score": 60,
"threshold": 1,
"window": 60,
"status": 1,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "*",
"description": "A Unified CM service port is offline.\nExplanation: A Unified CM socket port that is used to provide service has unexpectedly closed; Unified CM will attempt to reopen this port. Normally, this port should never be closed. An unexpected closing of this port generally indicates an operating system failure or an external attack on Unified CM.\nRecommended Action: Verify that Unified CM is able to reopen this socket port and provide service. You can watch for an instance of the notice level alarm, ServicePortOnline, when service to the port has been restored. If the port is not reopened and service restored, restart the Cisco CallManager service. If this alarm occurs for an extended duration, collect the existing trace files and contact the Cisco Technical Assistance Center (TAC).",
"policy_modules": [{"policy_module_id": "R4MWWCKH606WH8DL16730142990468XG3QBWUSFCSF3"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "JN9TX7X3J9POQFUE16730142990500KJM1OM25FERY9",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(ServicePortOffline)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "FUG7XVSPI6A1C32V1673014299050NU2WF77G8AWQOM"
}
]
},
{"rule_definition_id": "UA13XO0SHAUCT7JI1673014299050H0T6OHTHMWRI57",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "FUG7XVSPI6A1C32V1673014299050NU2WF77G8AWQOM"
}
]
}
]
},
{"correlation_rule_id": "JAK11MGUEDIV0Y8E1673014299050RC7PWO6TYK2SNK",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "Alarm ID: 50602 (SuspiciousIPAddress)",
"threat_score": 0,
"threshold": 1,
"window": 60,
"status": 1,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "*",
"description": "Unified CM has identified suspicious connection attempts from an IP address.\nExplanation: Unified CM has identified suspicious connection attempts from an IP address and has temporarily blocked the address. This alarm is an indication that a Denial-of-Service attack may have been attempted from this IP address.\nRecommended Action: Examine network activity for repeated attempts to access the port number specified in this alarm. Using the IP address specified in this alarm, attempt to identify the device that has been sending connection attempts to the port. If the IP address belongs to a device that is configured in Unified CM, evaluate the possible reason for such numerous connection attempts. Generally, no device that is functioning properly will trigger this alarm. Reset the device or remove the device from the network.",
"policy_modules": [{"policy_module_id": "R4MWWCKH606WH8DL16730142990468XG3QBWUSFCSF3"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "NN8YC262ICN7E6YW1673014299050AX0NC0DRRH3X36",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(SuspiciousIPAddress)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "JAK11MGUEDIV0Y8E1673014299050RC7PWO6TYK2SNK"
}
]
},
{"rule_definition_id": "JC9NNMDAHC30T5W01673014299050GSLQJPDJ3SXGHP",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "JAK11MGUEDIV0Y8E1673014299050RC7PWO6TYK2SNK"
}
]
}
]
},
{"correlation_rule_id": "U8VFD9NFOL0RIEOO1673014299050BSSCW7W7U3IOIU",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "Alarm ID: 50603 (LostConnectionToSAFForwarder)",
"threat_score": 31,
"threshold": 1,
"window": 60,
"status": 1,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "*",
"description": "Connection to the SAF Forwarder has been lost.\nExplanation: A TCP connection failure caused the connection between the SAF Forwarder and Unified CM to be lost. When the TCP connection is restored, Unified CM attempts to connect to the SAF Forwarder automatically. If IP connectivity is unreachable for longer than the duration of the Cisco CallManager service parameter CCD Learned Pattern IP Reachable Duration, calls to learned patterns will be routed through the PSTN instead. Calls through the PSTN to learned patterns will be maintained for a certain period of time before the PSTN failover times out.\nRecommended Action: Investigate possible causes of a TCP connection failure, such as power failure, loose cables, incorrect switch configuration, and so on, and correct any issues that you find. After the connection is restored, CCD will try to register/sync with the SAF Forwarder automatically.",
"policy_modules": [{"policy_module_id": "R4MWWCKH606WH8DL16730142990468XG3QBWUSFCSF3"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "HBULUYX8BKP8SUKM16730142990507ISY0GHKWBK9WY",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(LostConnectionToSAFForwarder)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "U8VFD9NFOL0RIEOO1673014299050BSSCW7W7U3IOIU"
}
]
},
{"rule_definition_id": "CDPMEDMJDPC9SAGV1673014299050875TB91SBC915N",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "U8VFD9NFOL0RIEOO1673014299050BSSCW7W7U3IOIU"
}
]
}
]
},
{"correlation_rule_id": "XUAT7T6C5GEUMEBM1673014299050S37PAKNK39ILOQ",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "Alarm ID: 50604 (SAFForwarderError)",
"threat_score": 31,
"threshold": 1,
"window": 60,
"status": 1,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "*",
"description": "SAF Forwarder error response sent to Unified CM.\nExplanation: Unified CM received an error from the SAF Forwarder.\nRecommended Action: Refer to the reason code and description (help text) for specific information and actions (where applicable) for this alarm.",
"policy_modules": [{"policy_module_id": "R4MWWCKH606WH8DL16730142990468XG3QBWUSFCSF3"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "OD8SRNAK1NFALSP81673014299050GRWVQHVRYKH6LY",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(SAFForwarderError)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "XUAT7T6C5GEUMEBM1673014299050S37PAKNK39ILOQ"
}
]
},
{"rule_definition_id": "YXBOIGGPU4QO8P8O1673014299050R8LG98FO3DXN66",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "XUAT7T6C5GEUMEBM1673014299050S37PAKNK39ILOQ"
}
]
}
]
},
{"correlation_rule_id": "CH6N387PNAS0R91B1673014299050LVFHA87TRUI6I1",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "Alarm ID: 50605 (SAFUnknownService)",
"threat_score": 0,
"threshold": 1,
"window": 60,
"status": 1,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "*",
"description": "Unified CM does not recognize the service ID in a Publish Revoke or Withdraw message.\nExplanation: Unified CM received a Publish Revoke message or Withdraw message from the SAF Forwarder but the service ID in the message is not recognized by Unified CM. Unified CM may not recognize the service ID if the service ID was mistyped in the Publish Revoke CLI command, or if the service was previously withdrawn.\nRecommended Action: This alarm is for informational purposes only; no action is required.",
"policy_modules": [{"policy_module_id": "R4MWWCKH606WH8DL16730142990468XG3QBWUSFCSF3"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "L5NRGUK7SNMCQ6DJ1673014299050DA2BPOP3KGDFVO",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(SAFUnknownService)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "CH6N387PNAS0R91B1673014299050LVFHA87TRUI6I1"
}
]
},
{"rule_definition_id": "HWAT3P6VRR5H66381673014299050LS55VOIIUMA7B3",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "CH6N387PNAS0R91B1673014299050LVFHA87TRUI6I1"
}
]
}
]
},
{"correlation_rule_id": "YMKJRLWGR5EUX5741673014299050N44NR7NJC1NK8L",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "Alarm ID: 50606 (SAFPublishRevoke)",
"threat_score": 0,
"threshold": 1,
"window": 60,
"status": 1,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "*",
"description": "A CLI command revoked the publish action for the specified service or subservice ID.\nExplanation: A system administrator issued a CLI command on the SAF Forwarder router to revoke the publish action for the service or subservice ID specified in this alarm.\nRecommended Action: Informational purposes only; no action is required.",
"policy_modules": [{"policy_module_id": "R4MWWCKH606WH8DL16730142990468XG3QBWUSFCSF3"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "RII0P5YKIK2ICGMB1673014299050OT43V8908LEP6D",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(SAFPublishRevoke)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "YMKJRLWGR5EUX5741673014299050N44NR7NJC1NK8L"
}
]
},
{"rule_definition_id": "E5IGG0BV5FBWPFA51673014299050NFCXVVA3HK5DOL",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "YMKJRLWGR5EUX5741673014299050N44NR7NJC1NK8L"
}
]
}
]
},
{"correlation_rule_id": "JHJS6G6JMV15CO2M1673014299050B6T06TALROWAJ1",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "Alarm ID: 50607 (SAFResponderError)",
"threat_score": 31,
"threshold": 1,
"window": 60,
"status": 1,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "*",
"description": "SAF Responder Error 500.\nExplanation: This is raised when SAF forwarder doesn't know the transaction ID within SAF response from this Unified CM.\nRecommended Action: No action is required.",
"policy_modules": [{"policy_module_id": "R4MWWCKH606WH8DL16730142990468XG3QBWUSFCSF3"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "DVOSO7P90UPLMQ8W1673014299050RFXHY1DOSQB9XW",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(SAFResponderError)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "JHJS6G6JMV15CO2M1673014299050B6T06TALROWAJ1"
}
]
},
{"rule_definition_id": "JD88RJ68REQWEUGD1673014299050LR32COAOVARXVM",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "JHJS6G6JMV15CO2M1673014299050B6T06TALROWAJ1"
}
]
}
]
},
{"correlation_rule_id": "NKDPJS2KVO3WQS0A1673014299050GCLTSY5XD9D3XW",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "Alarm ID: 50608 (DuplicateLearnedPattern)",
"threat_score": 31,
"threshold": 1,
"window": 60,
"status": 1,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "*",
"description": "CCD requesting service received a duplicate Hosted DN.\nExplanation: The Call Control Discovery (CCD) requesting service received the same hosted DN from multiple call control entities such as Unified CM Express or another Unified CM cluster. The Cisco CallManager service parameter, Issue Alarm for Duplicate Learned Patterns, controls whether this alarm gets issued.\nRecommended Action: In RTMT, check the Pattern Report (CallManager > Report > Learned Pattern) and look for the duplicate pattern identified in this alarm. Learned patterns must be unique. Determine which call control entity (such as Unified CM or Unified CM Express) needs to be changed so that there is no duplicate pattern. Refer to the call control entity's configuration guide (help text) to learn how to update a hosted DN pattern. In Unified CM, to change the Hosted DN Pattern go to Cisco Unified CM Administration to update the Hosted DN Pattern configuration (Call Routing > Call Control Discovery > Hosted DN Patterns).",
"policy_modules": [{"policy_module_id": "R4MWWCKH606WH8DL16730142990468XG3QBWUSFCSF3"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "X3O5MW8W8UH5AJVU1673014299050IASLUU5SYXMONJ",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(DuplicateLearnedPattern)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "NKDPJS2KVO3WQS0A1673014299050GCLTSY5XD9D3XW"
}
]
},
{"rule_definition_id": "Y9GH9V5TYWWSBNHG1673014299050XC03YH2M0PYA4M",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "NKDPJS2KVO3WQS0A1673014299050GCLTSY5XD9D3XW"
}
]
}
]
},
{"correlation_rule_id": "STIJTYUJMF11YWCT16730142990508D4VYTJ9I74CPP",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "Alarm ID: 50609 (CCDIPReachableTimeOut)",
"threat_score": 31,
"threshold": 1,
"window": 60,
"status": 1,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "*",
"description": "CCD Requesting Service IP Reachable Duration Time Out.\nExplanation: The CCD requesting service detected that it can no longer reach the learned patterns through IP. All learned patterns from this forward will be marked as unreachable (via IP) and to allow calls to learned patterns to continue to be routed until IP becomes reachable again, all calls to learned patterns will be routed through the PSTN. Calls can be routed through the PSTN for a certain period of time before PSTN failover times out.\nRecommended Action: Check IP connectivity and resolve any TCP or IP problems in the network.",
"policy_modules": [{"policy_module_id": "R4MWWCKH606WH8DL16730142990468XG3QBWUSFCSF3"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "H68PPCY5PL2NRCHL1673014299050NTXD3E02POQ419",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(CCDIPReachableTimeOut)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "STIJTYUJMF11YWCT16730142990508D4VYTJ9I74CPP"
}
]
},
{"rule_definition_id": "UFVX8S72LIHNRABS1673014299050P7P1X8M36JLO9G",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "STIJTYUJMF11YWCT16730142990508D4VYTJ9I74CPP"
}
]
}
]
},
{"correlation_rule_id": "WTCLK8FOH52CJM4F1673014299050ITD1VBYFOGEJ65",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "Alarm ID: 50610 (CCDPSTNFailOverDurationTimeOut)",
"threat_score": 31,
"threshold": 1,
"window": 60,
"status": 1,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "*",
"description": "The internal limit on PSTN failover has expired.\nExplanation: When learned patterns are not reachable through IP, Unified CM routes calls through the PSTN instead. Calls can be routed through PSTN for an internally-controlled duration. When this alarm occurs, the PSTN failover duration has expired and calls to learned patterns cannot be routed. All learned patterns will be purged from Unified CM.\nRecommended Action: Troubleshoot your network to get IP connectivity restored. After IP connectivity is restored, Unified CM will automatically relearn Hosted DN patterns and calls to learned patterns will proceed through IP.",
"policy_modules": [{"policy_module_id": "R4MWWCKH606WH8DL16730142990468XG3QBWUSFCSF3"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "BI6TMTPC5X33BCKX1673014299050X49JE1548PO3HC",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(CCDPSTNFailOverDurationTimeOut)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "WTCLK8FOH52CJM4F1673014299050ITD1VBYFOGEJ65"
}
]
},
{"rule_definition_id": "LW34EE6X9V9EETT91673014299050M1B3U5D6U57PLV",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "WTCLK8FOH52CJM4F1673014299050ITD1VBYFOGEJ65"
}
]
}
]
},
{"correlation_rule_id": "HGRD12EMQDFQINVJ1673014299050FBHW38E8CTFMK9",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "Alarm ID: 50611 (CCDLearnedPatternLimitReached)",
"threat_score": 0,
"threshold": 1,
"window": 60,
"status": 1,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "*",
"description": "CCD has reached the maximum number of learned patterns allowed.\nExplanation: The CCD requesting service has limited the number of learned patterns to a number defined in the service parameter, CCD Maximum Numbers of Learned Patterns. This alarm inidcates that the CCD requesting service has met the maximum number of learned patterns allowed.\nRecommended Action: This alarm displays the value that is configured in the Cisco CallManager service parameter, CCD Maximum Numbers of Learned Patterns, as well as the maximum number of learned patterns that are allowed by the system (an internally-controlled maximum). Consider whether the specified maximum number of learned patterns is correct for your deployment. If it is too low, compare it with the number shown in the SystemLimitCCDLearnedPatterns in this alarm. If the Max number is below the System Limit, you can go to the Service Parameters Configuration window and increase the CCD Maximum Numbers of Learned Patterns service parameter. If the Max and System Limit numbers match, the system is already configured to run at capacity of learned patterns; no action is required.",
"policy_modules": [{"policy_module_id": "R4MWWCKH606WH8DL16730142990468XG3QBWUSFCSF3"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "HD75IO02AWXSSGM416730142990505QL9DWXF7Q75O4",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(CCDLearnedPatternLimitReached)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "HGRD12EMQDFQINVJ1673014299050FBHW38E8CTFMK9"
}
]
},
{"rule_definition_id": "XWU10HK84XP3ER0Y1673014299050SCDR9BDRA36US5",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "HGRD12EMQDFQINVJ1673014299050FBHW38E8CTFMK9"
}
]
}
]
},
{"correlation_rule_id": "SCP2BJ8EB8YU567C167301429905027PRQRJBQ9IYHO",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "Alarm ID: 50612 (DbInsertValidatedDIDFailure)",
"threat_score": 11,
"threshold": 1,
"window": 60,
"status": 1,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "*",
"description": "The Insertion of an IME-provided E.164 DID has failed.\nExplanation: A failure occurred attempting to insert a Cisco Unified Active Link learned DID.\nRecommended Action: Verify the DID and the granting domain. Check other associated alarms. Verify the database integrity.",
"policy_modules": [{"policy_module_id": "R4MWWCKH606WH8DL16730142990468XG3QBWUSFCSF3"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "LKMNV6CIY3BH578J1673014299050AO0T7AQJ1ICRM1",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(DbInsertValidatedDIDFailure)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "SCP2BJ8EB8YU567C167301429905027PRQRJBQ9IYHO"
}
]
},
{"rule_definition_id": "S2MPEUV97DWLF5F516730142990502VOULAY2OPPE34",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "SCP2BJ8EB8YU567C167301429905027PRQRJBQ9IYHO"
}
]
}
]
},
{"correlation_rule_id": "X1WNT1V8XISI3TS91673014299050MP55M8KRCJTDSP",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "Alarm ID: 50613 (TCPSetupToIMEFailed)",
"threat_score": 60,
"threshold": 1,
"window": 60,
"status": 1,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "*",
"description": "Connection Failure to IME server.\nExplanation: This alarm occurs when Unified CM is unable to establish a TCP connection to an IME server. It typically occurs when the IP address and port of the IME server are misconfigured or an Intranet connectivity problem is preventing the connection from being set up.\nRecommended Action: Check to make sure that the IP address and port of the IME server - which are present in the alarm - are valid. If so, this may be due to a network connectivity problem. Test the connectivity between Unified CM servers and the IME server.",
"policy_modules": [{"policy_module_id": "R4MWWCKH606WH8DL16730142990468XG3QBWUSFCSF3"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "IREJXDHC95H7YQ881673014299050NUFACOXXG2J1VN",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(TCPSetupToIMEFailed)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "X1WNT1V8XISI3TS91673014299050MP55M8KRCJTDSP"
}
]
},
{"rule_definition_id": "LJU5XLKUPGW9MVA21673014299050UUOG5T3HCQAWME",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "X1WNT1V8XISI3TS91673014299050MP55M8KRCJTDSP"
}
]
}
]
},
{"correlation_rule_id": "NEYTB6YR8CSEILKM1673014299050XGF4TMJHF8VNQM",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "Alarm ID: 50614 (TLSConnectionToIMEFailed)",
"threat_score": 31,
"threshold": 1,
"window": 60,
"status": 1,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "*",
"description": "TLS Failure to IME service.\nExplanation: A TLS connection to the IME server could not be established because of a problem with the certificate presented by the IME server. (For example, not in the Unified CM CTL, or is in the CTL but has expired).\nRecommended Action: Check to see that the certificate of the IME server is configured properly in the UCM.",
"policy_modules": [{"policy_module_id": "R4MWWCKH606WH8DL16730142990468XG3QBWUSFCSF3"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "BF3SMGMK78VMXQ2O1673014299050HQYFWPWQGYWBYP",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(TLSConnectionToIMEFailed)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "NEYTB6YR8CSEILKM1673014299050XGF4TMJHF8VNQM"
}
]
},
{"rule_definition_id": "W1QO96JL2BPYFA761673014299050JTE8GOTHDF9GUU",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "NEYTB6YR8CSEILKM1673014299050XGF4TMJHF8VNQM"
}
]
}
]
},
{"correlation_rule_id": "JN0033I8RAB31E6P1673014299050HYJK5EPIXK0CC7",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "Alarm ID: 50615 (InvalidCredentials)",
"threat_score": 31,
"threshold": 1,
"window": 60,
"status": 1,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "*",
"description": "Credential Failure to IME server.\nExplanation: The connection to the IME server could not be completed, because the username and/or password configured on Unified CM do not match those configured on the IME server.\nRecommended Action: The alarm will include the username and password which were used to connect to the IME server, along with the IP address of the target IME server and its name. Log into the IME server and check that the username and password configured there match those configured in Unified CM.",
"policy_modules": [{"policy_module_id": "R4MWWCKH606WH8DL16730142990468XG3QBWUSFCSF3"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "M6H4REK38WN55DGO1673014299050CPQHBUVIPUDN10",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(InvalidCredentials)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "JN0033I8RAB31E6P1673014299050HYJK5EPIXK0CC7"
}
]
},
{"rule_definition_id": "OYXM4HRKKROLADTA1673014299050OARHQP70DPVQII",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "JN0033I8RAB31E6P1673014299050HYJK5EPIXK0CC7"
}
]
}
]
},
{"correlation_rule_id": "OB56SFCEO155NTVX1673014299050Q2NXF2H8IOI6A4",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "Alarm ID: 50616 (IMEOverQuota)",
"threat_score": 31,
"threshold": 1,
"window": 60,
"status": 1,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "*",
"description": "IME over quota.\nExplanation: Each IME server has a fixed quota on the total number of DIDs it can write into the IME distributed cache. When this alarm is generated, it means that, across all of the Unified CM clusters which are utilizing the same IME server, the quota for the IME distributed cache has been exceeded.\nRecommended Action: The alarm will include the name of the IME server, and the current and target quota values. The first thing to check is to make sure that you have correctly provisioned the right set of DID prefixes on all of the Unified CM clusters sharing that same IME server. If that is correct, it means you have exceeded the capacity of your IME server, and you require another. Once you have another, you can now split your DID prefixes across two different IME client instances, each on a different IME server. That will alleviate the quota problem.",
"policy_modules": [{"policy_module_id": "R4MWWCKH606WH8DL16730142990468XG3QBWUSFCSF3"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "L3EJN32GH23P5IOK1673014299050C2OTBTKIUDEQYI",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(IMEOverQuota)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "OB56SFCEO155NTVX1673014299050Q2NXF2H8IOI6A4"
}
]
},
{"rule_definition_id": "LSBVGHXNE1YVGKF41673014299050KAKVWFDMWK3HFB",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "OB56SFCEO155NTVX1673014299050Q2NXF2H8IOI6A4"
}
]
}
]
},
{"correlation_rule_id": "HXC4P3BHY9A4BP791673014299050XGECPFYJL08PUR",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "Alarm ID: 50617 (PublishFailedOverQuota)",
"threat_score": 31,
"threshold": 1,
"window": 60,
"status": 1,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "*",
"description": "Publish Failed - over Quota.\nExplanation: Each IME server has a fixed quota on the total number of DIDs it can write into the IME distributed cache. When this alarm is generated, it means that, even though you should be under quota, due to an extremely unlikely statistical anomaly, the IME distributed cache rejected your publication, believing you were over quota. You should only see this alarm if you are near, but below, your quota. This error is likely to be persistent, so that the corresponding E.164 number from the alarm will not be published into the IME distributed cache. This means that you will not receive VoIP calls towards that number - they will remain over the PSTN.\nRecommended Action: The alarm will include the name of the IME server, and the current and target quota values. The first thing to check is to make sure that you have correctly provisioned the right set of DID prefixes on all of the Unified CM clusters sharing that same IME server on the same IME distributed cache. If that is correct, it means you have exceeded the capacity of your IME server, and you require another. Once you have another, you can now split your DID prefixes across two different IME client instances, each on a different IME server. That will alleviate the quota problem.",
"policy_modules": [{"policy_module_id": "R4MWWCKH606WH8DL16730142990468XG3QBWUSFCSF3"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "KPFAQQARTJQBA29L167301429905071GJK6XUAU8738",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(PublishFailedOverQuota)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "HXC4P3BHY9A4BP791673014299050XGECPFYJL08PUR"
}
]
},
{"rule_definition_id": "L1BBKLS3WMXO2SND1673014299050E3NN5F3OOU32S3",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "HXC4P3BHY9A4BP791673014299050XGECPFYJL08PUR"
}
]
}
]
},
{"correlation_rule_id": "K6KXHFTJLOB4SLYL1673014299050BDJG63EY6WJ2C7",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "Alarm ID: 50618 (PublishFailed)",
"threat_score": 0,
"threshold": 1,
"window": 60,
"status": 1,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "*",
"description": "Publish Failed.\nExplanation: Unified CM attempted to store a number into the IME distributed cache, but the attempt failed. This is typically due to a transient problem in the IME distributed cache. The problem will self-repair under normal conditions. However, you should be aware that, as a consequence of this failure, the E.164 DID listed as part of the alarm will not be present in the IME distributed cache for a brief interval. Consequently, this may delay the amount of time until which you will receive VoIP calls made to that number - they may continue over the PSTN for some callers. It is useful to be aware of this, in case you are trying to understand why a call is not being made over VoIP.\nRecommended Action: If you notice single small numbers of this alarm in isolation, no action is required on your part. However, a large number of them indicates a problem in the IME distributed cache, most likely due to problems with Internet connectivity. Check your Internet connectivity.",
"policy_modules": [{"policy_module_id": "R4MWWCKH606WH8DL16730142990468XG3QBWUSFCSF3"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "D5Q229I5NNA9W9RT1673014299050K4A3JLY8XPU26T",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(PublishFailed)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "K6KXHFTJLOB4SLYL1673014299050BDJG63EY6WJ2C7"
}
]
},
{"rule_definition_id": "NRJJA6UE4GCJUCWV1673014299050UWNKJDUC5080PJ",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "K6KXHFTJLOB4SLYL1673014299050BDJG63EY6WJ2C7"
}
]
}
]
},
{"correlation_rule_id": "I6BVKYS1AFVSHAAC16730142990505KGLKA8AI30VJT",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "Alarm ID: 50619 (IMEDistributedCacheInactive)",
"threat_score": 31,
"threshold": 1,
"window": 60,
"status": 1,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "*",
"description": "Inactive IME distributed cache.\nExplanation: This alarm is generated when Unified CM attempts to connect to the IME server, however, the IME distributed cache is not currently active.\nRecommended Action: Check to make sure that the IME certificate is provisioned on the IME server. Check to make sure that the IME distributed cache has been activated via the CLI on the IME server.",
"policy_modules": [{"policy_module_id": "R4MWWCKH606WH8DL16730142990468XG3QBWUSFCSF3"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "LUT6XJ37C39GBNLN1673014299050VN12VYKRXQFYUT",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(IMEDistributedCacheInactive)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "I6BVKYS1AFVSHAAC16730142990505KGLKA8AI30VJT"
}
]
},
{"rule_definition_id": "WO5V3VXSVBF1BBWX1673014299050KA9T8PBKUNAKRG",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "I6BVKYS1AFVSHAAC16730142990505KGLKA8AI30VJT"
}
]
}
]
},
{"correlation_rule_id": "RLM13RN0KRV7UJBS1673014299050TAACU5XP4NVTTS",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "Alarm ID: 50620 (RejectedRoutes)",
"threat_score": 0,
"threshold": 1,
"window": 60,
"status": 1,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "*",
"description": "Rejected route due to Untrusted status.\nExplanation: This alarm is generated when Unified CM learned a route from the IME server. However, due to the configured Trusted/Untrusted list, the route was rejected.\nRecommended Action: This condition is not an error. However, it indicates to you that one of your users called a number which was reachable over IME, however, due to your configured Trusted/Untrusted list, a IME call will not be made. You might wish to consider adding the domain or prefix to your Trusted list or removing it from the Untrusted list.",
"policy_modules": [{"policy_module_id": "R4MWWCKH606WH8DL16730142990468XG3QBWUSFCSF3"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "W55GM41NRSBKXPO516730142990500P1M3H8HTCGIPM",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(RejectedRoutes)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "RLM13RN0KRV7UJBS1673014299050TAACU5XP4NVTTS"
}
]
},
{"rule_definition_id": "K2FB4LTWBIF0TQR016730142990500FFVFVX9INAN9P",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "RLM13RN0KRV7UJBS1673014299050TAACU5XP4NVTTS"
}
]
}
]
},
{"correlation_rule_id": "XSKQ6S0DIPRTI86U1673014299050NLBMJ0Y7WV8RCJ",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "Alarm ID: 50621 (PublicationRunCompleted)",
"threat_score": 0,
"threshold": 1,
"window": 60,
"status": 1,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "*",
"description": "Completion of publication of published DID patterns.\nExplanation: This alarm is generated when Unified CM completes a publication of the DID patterns into the Cisco Intercompany Media Network.\nRecommended Action: This alarm is provided for historic and informational purposes. It can be used to give you feedback that the system is working and is correctly publishing numbers into the Cisco Intercompany Media Network. It can also be used for troubleshooting. If some of the publishes fail for some reason, the alarm will contain a list of those numbers which were not published. If your users are receiving calls, and they are not over IP but you think they ought to be, you can check the history of these alarms to see if the number failed to be published into the network.",
"policy_modules": [{"policy_module_id": "R4MWWCKH606WH8DL16730142990468XG3QBWUSFCSF3"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "IYW6K2AVK2SKJG1E1673014299050N10N9A0GHXVR4V",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(PublicationRunCompleted)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "XSKQ6S0DIPRTI86U1673014299050NLBMJ0Y7WV8RCJ"
}
]
},
{"rule_definition_id": "EJ85RIJKXP1A6YXW1673014299050WNNEPOQHG8EHRG",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "XSKQ6S0DIPRTI86U1673014299050NLBMJ0Y7WV8RCJ"
}
]
}
]
},
{"correlation_rule_id": "MT04I30ACQI29W841673014299050WWK9MUAMT4WX2Y",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "Alarm ID: 50622 (RouteRemoved)",
"threat_score": 0,
"threshold": 1,
"window": 60,
"status": 1,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "*",
"description": "Route removed automatically.\nExplanation: This alarm is generated when Unified CM removes a route from Unified CM Administration because the route is stale and has expired, or because the far end has indicated the number is no longer reachable at that domain.\nRecommended Action: This alarm is provided for historic and informational purposes. It helps you understand why certain numbers are in your routing tables, and why others are not. This historical information is useful to help determine why a call to a particular number is not going over IP, when you expect it to.",
"policy_modules": [{"policy_module_id": "R4MWWCKH606WH8DL16730142990468XG3QBWUSFCSF3"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "IG3TM9TEVU10NWXP1673014299050K0OUOMDSLAVWHM",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(RouteRemoved)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "MT04I30ACQI29W841673014299050WWK9MUAMT4WX2Y"
}
]
},
{"rule_definition_id": "FXEX4VWX8LI5SMI21673014299050XH0HBB9HUFR1WC",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "MT04I30ACQI29W841673014299050WWK9MUAMT4WX2Y"
}
]
}
]
},
{"correlation_rule_id": "DBNCPE8HRNRRLTUB1673014299050R3KDKSBMMX5W29",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "Alarm ID: 50623 (InsufficientFallbackIdentifiers)",
"threat_score": 31,
"threshold": 1,
"window": 60,
"status": 1,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "*",
"description": "Cannot allocate fallback identifier.\nExplanation: This alarm is generated when Unified CM is processing a IME call, and is attempting to allocate a PSTN fallback DID and a DTMF digit sequence to associate with this call. However, there are too many IME calls currently in progress which are utilizing this same fallback DID, and as a result, there are no more DTMF digit sequences which could be allocated to this call. As such, this call will proceed, however mid-call fallback will not be possible for this call.\nRecommended Action: Your first course of action should be to identify the fallback profile associated with this call. Its name will be present in the alarm. Check that profile in Cisco Unified CM Administration and examine the current setting for \"Fallback Number of Correlation DTMF Digits\". Increase that value by one, and check if that eliminates these alarms. In general, this parameter should be large enough such that the number of simultaneous IME calls made to enrolled numbers associated with that profile is always substantially less than 10 raised to the power of this number. \"Substantially\" should be at least a factor of ten. For example, if you always have less than 10,000 simultaneous IME calls for the patterns associated with this fallback profile, setting this value to 5 (10 to the power of 5 is 100,000) will give you plenty of headroom and you will not see this alarm. However, increasing this value also results in a small increase in the amount of time it takes to perform the fallback. As such, it should not be set arbitrarily large; it should be set just large enough to keep clear of this alarm. Another alternative to increasing this parameter is to add another fallback profile with a different fallback DID, and associate that fallback profile with a smaller number of enrolled DID patterns. This will allow you to get by with a smaller number of digits.",
"policy_modules": [{"policy_module_id": "R4MWWCKH606WH8DL16730142990468XG3QBWUSFCSF3"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "AO8QND34JUD3RGYK1673014299050M89XF0LOWA10KB",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(InsufficientFallbackIdentifiers)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "DBNCPE8HRNRRLTUB1673014299050R3KDKSBMMX5W29"
}
]
},
{"rule_definition_id": "PICA83YKBRNHG4GQ16730142990500DCTI9CG1QESQ8",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "DBNCPE8HRNRRLTUB1673014299050R3KDKSBMMX5W29"
}
]
}
]
},
{"correlation_rule_id": "V86WK3QVC225G80V16730142990507H29ELS88LRMOE",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "Alarm ID: 50624 (IMEQualityAlertEntry)",
"threat_score": 31,
"threshold": 1,
"window": 60,
"status": 1,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "*",
"description": "IME call quality problem.\nExplanation: This alarm is generated when Unified CM is seeing a substantial number of IME calls fail back to PSTN, or fail to be set up, due to IP network quality problems. There are two triggers for this alarm. One is when a large fraction of the currently active IME calls have all requested fallback, or have fallen back, to the PSTN. The other is when a large fraction of the recent call attempts have not been made over IP, and instead have gone to the PSTN.\nRecommended Action: Check your IP connectivity, and make sure it is good. If it looks good in general, you may need to look at CDRs, CMRs, and logs from the firewalls to determine what happened.",
"policy_modules": [{"policy_module_id": "R4MWWCKH606WH8DL16730142990468XG3QBWUSFCSF3"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "GSGS51VWT9S7FRJD1673014299050QVY2E89N8K1710",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(IMEQualityAlertEntry)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "V86WK3QVC225G80V16730142990507H29ELS88LRMOE"
}
]
},
{"rule_definition_id": "EDB9K2X1OV1UGOB11673014299050DKKJIJJ025JB8R",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "V86WK3QVC225G80V16730142990507H29ELS88LRMOE"
}
]
}
]
},
{"correlation_rule_id": "SX0QRG81SP24WVAA1673014299050E132RDJXX21J51",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "Alarm ID: 50625 (IMEQualityAlertExit)",
"threat_score": 11,
"threshold": 1,
"window": 60,
"status": 1,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "*",
"description": "IME call quality problem cleared.\nExplanation: This alarm is generated when the Unified CM sees a significant reduction in the number of failed IME calls following generation of the IMEQualityAlertEntry alarm. This notice alarm indicates that the IP connectivity issues causing the initial generation of the IMEQualityAlertEntry alarm have abated.\nRecommended Action: Continue to monitor IP connectivity for recurring issues.",
"policy_modules": [{"policy_module_id": "R4MWWCKH606WH8DL16730142990468XG3QBWUSFCSF3"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "TFD6NITAMINSJK7316730142990503ESJQ833589NQJ",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(IMEQualityAlertExit)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "SX0QRG81SP24WVAA1673014299050E132RDJXX21J51"
}
]
},
{"rule_definition_id": "RYV2O7O8DW4L28F91673014299050R2BXOK6YB6IN70",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "SX0QRG81SP24WVAA1673014299050E132RDJXX21J51"
}
]
}
]
},
{"correlation_rule_id": "F3CQA6BYDJREVTET1673014299050I04FATK1CIE125",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "Alarm ID: 50626 (InvalidSubscription)",
"threat_score": 0,
"threshold": 1,
"window": 60,
"status": 1,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "*",
"description": "A message has been received from an IME server that contains a subscription identifier that is not handled by this node.\nExplanation: Each node that communicates with a IME server saves a subscription identifier associated with each IME client instance. A IME server has sent a message with a subscription identifier that does not match any of the previously sent subscription identifiers.\nRecommended Action: This may be a race condition if a IME client instance has been recently added or deleted. If this error continues, there may be a synchronization issue between this node and the IME server sending this message.",
"policy_modules": [{"policy_module_id": "R4MWWCKH606WH8DL16730142990468XG3QBWUSFCSF3"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "GTYG6W7XH63MM23X167301429905099MBIUYYF0SJRV",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(InvalidSubscription)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "F3CQA6BYDJREVTET1673014299050I04FATK1CIE125"
}
]
},
{"rule_definition_id": "POTANEKFD6MY5TOG1673014299050W59FIXJ3G1569Q",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "F3CQA6BYDJREVTET1673014299050I04FATK1CIE125"
}
]
}
]
},
{"correlation_rule_id": "GO168H1DVNUPAT5P16730142990503JIKWBOQ2CHJWA",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "Alarm ID: 50627 (FirewallMappingFailure)",
"threat_score": 31,
"threshold": 1,
"window": 60,
"status": 1,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "*",
"description": "Firewall unreachable.\nExplanation: This alarm indicates that Unified CM was unable to contact the firewall in order to make a IME call. As a consequence, outbound calls are being sent over the PSTN, and inbound calls may be routed over the PSTN by your partner enterprises.\nRecommended Action: Check to see that your firewall is up. Make sure the mapping service is enabled. Check that the IP address and port on the firewall for that mapping service match the configuration in Unified CM Administration. Check general IP connectivity between Unified CM and the firewall.",
"policy_modules": [{"policy_module_id": "R4MWWCKH606WH8DL16730142990468XG3QBWUSFCSF3"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "RIM605VRF9SWFROJ16730142990505XEYQQPLUBLY2K",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(FirewallMappingFailure)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "GO168H1DVNUPAT5P16730142990503JIKWBOQ2CHJWA"
}
]
},
{"rule_definition_id": "RXENHXUG75EM5O3V16730142990507HLP3CXC1U951D",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "GO168H1DVNUPAT5P16730142990503JIKWBOQ2CHJWA"
}
]
}
]
},
{"correlation_rule_id": "K8F0YS7SGB3AV2D21673014299050QXKHR0B3S0LL46",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "Alarm ID: 50628 (ConflictingDataIE)",
"threat_score": 31,
"threshold": 1,
"window": 60,
"status": 1,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "*",
"description": "A call has been rejected because the incoming PRI/BRI Setup message had an invalid IE.\nExplanation: A call has been rejected because an incoming PRI/BRI Setup message contained an invalid Coding Standard value in the Bearer Capability information element (IE). Unified CM only accepts PRI/BRI Setup messages with Coding Standard values of 0 or 1. When an invalid IE is received, Unified CM rejects the call setup and issues this alarm.\nRecommended Action: Notify the service provider responsible for sending the Setup message that an IE with Coding Standard values of 0 or 1 must be included in Setup messages",
"policy_modules": [{"policy_module_id": "R4MWWCKH606WH8DL16730142990468XG3QBWUSFCSF3"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "VDAE5T8HP1QGPE9R1673014299050EM3HSWC6GCA9G0",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(ConflictingDataIE)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "K8F0YS7SGB3AV2D21673014299050QXKHR0B3S0LL46"
}
]
},
{"rule_definition_id": "FSCHF5RWKRSVE8H716730142990505JFL7H66AVTWVU",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "K8F0YS7SGB3AV2D21673014299050QXKHR0B3S0LL46"
}
]
}
]
},
{"correlation_rule_id": "WOOK6UGOCKE1GDUU1673014299050SIMJ0MLBFYSP8V",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "Alarm ID: 50629 (CalledPartyTracing)",
"threat_score": 0,
"threshold": 1,
"window": 60,
"status": 1,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "*",
"description": "Called Party Tracing Match found.\nExplanation: A call attempt has been made to a called party number being traced. Please check the Called Party Tracing log.\nRecommended Action: Use the Real Time Monitoring Tool to check the Called Party Tracing log.",
"policy_modules": [{"policy_module_id": "R4MWWCKH606WH8DL16730142990468XG3QBWUSFCSF3"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "CWGYL1NVGPJWAAL31673014299050DXIDGSUWYE9KSY",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(CalledPartyTracing)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "WOOK6UGOCKE1GDUU1673014299050SIMJ0MLBFYSP8V"
}
]
},
{"rule_definition_id": "N7YLWM4YAFE8AMJI1673014299050JOF1SDF5HQ1WGQ",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "WOOK6UGOCKE1GDUU1673014299050SIMJ0MLBFYSP8V"
}
]
}
]
},
{"correlation_rule_id": "DEJ5MNUJ9NUSYWF71673014299050Q7INMFBIDUXWYT",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "Alarm ID: 50630 (DestinationCodeControlCallBlocked)",
"threat_score": 11,
"threshold": 1,
"window": 60,
"status": 1,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "*",
"description": "Call blocked by the Destination Code Control feature.\nExplanation: Cisco Unified Communications Manager generates this alarm when a Destination Code Control feature enabled Route Pattern blocks a call.The route pattern blocks a call when it comes in at a time when the number of call attempts has reached the percentage of calls set to be blocked on this route pattern.\nRecommended Action: This alarm is provided for historic and informational purposes. It helps understand why certain calls through the DCC feature enabled route patterns are rejected. This historical information is useful to help determine how many calls to a particular route pattern were attempted and how many out of them were blocked. This data would help the administrator verify whether the percentage of Calls Blocked by the DCC feature is as per the configured percentage.",
"policy_modules": [{"policy_module_id": "R4MWWCKH606WH8DL16730142990468XG3QBWUSFCSF3"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "PCXQPFNWHBW21K0F1673014299050HMV5CCTQAM7GBK",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(DestinationCodeControlCallBlocked)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "DEJ5MNUJ9NUSYWF71673014299050Q7INMFBIDUXWYT"
}
]
},
{"rule_definition_id": "XHQA32AMDE89G8KC1673014299050ORS40LQ0REB1UR",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "DEJ5MNUJ9NUSYWF71673014299050Q7INMFBIDUXWYT"
}
]
}
]
},
{"correlation_rule_id": "NLC2XL9GMAP3PYPV1673014299050UF9B31HB3ND8EQ",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "Alarm ID: 50631 (CorruptedIncomingDMPropagationMessage)",
"threat_score": 31,
"threshold": 1,
"window": 60,
"status": 1,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "*",
"description": "Unified CM received a corrupted DMRemoteDeviceRegisterUnRegister message in internode communication.\nExplanation: Unified CM examines the incoming DMRemoteDeviceRegisterUnRegister messages to detect values in the message that are outside the normal expected range. Unified CM issues this alarm when the message is determined by Unified CM to contain values outside the normal range. Unified CM has discarded part of the contents of the incoming DMRemoteDeviceRegisterUnRegsister message due to the values that were out of range. This may cause an out-of-synch condition for the registered device's information between the sending node and this node, which in turn can lead to phone calls being routed incorrectly.\nRecommended Action: Make a note of the IP address/name of the remote CM node that generated this message. Around the timestamp of this alarm, save the SDL/SDI logs from this node and the remote node for analysis by Cisco TAC personnel. Next, at the first opportunity, restart the Cisco CallManager service on this node to ensure that the registered devices information throughout the cluster are in synch. Also, in Cisco Unified Serviceability, make sure to set the Unified CM SDI logs setting to Detailed to ensure collecting relevant logs should this alarm recur. If this alarm does occur again, contact Cisco TAC to help determine the source of DMRemoteDeviceRegisterUnRegister message corruption.",
"policy_modules": [{"policy_module_id": "R4MWWCKH606WH8DL16730142990468XG3QBWUSFCSF3"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "LCYD7TDMFNC7NMNK1673014299050OP3N3B77GF71VK",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(CorruptedIncomingDMPropagationMessage)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "NLC2XL9GMAP3PYPV1673014299050UF9B31HB3ND8EQ"
}
]
},
{"rule_definition_id": "FUDSTNM5HLHYBY68167301429905082G4S4TMECULYH",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "NLC2XL9GMAP3PYPV1673014299050UF9B31HB3ND8EQ"
}
]
}
]
},
{"correlation_rule_id": "PJ3LXJOJ4HF9C29O1673014299050MP2RR7WKJGABDE",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "Alarm ID: 50632 (UnEncryptedCallBlocked)",
"threat_score": 0,
"threshold": 1,
"window": 60,
"status": 1,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "*",
"description": "Unencrypted call is blocked because one or both of the parties are non-secure or does not support compatible encryption capabilities and the service parameter BlockUnencryptedCalls is set to true.\nExplanation: Unencrypted call is blocked because one or both of the parties are non-secure or does not support compatible encryption capabilities and the service parameter BlockUnencryptedCalls is set to true.\nRecommended Action: Informational purposes only; no action is required.",
"policy_modules": [{"policy_module_id": "R4MWWCKH606WH8DL16730142990468XG3QBWUSFCSF3"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "HAGK4B6AI8U9T6041673014299050DSINQH7FTJ5YX9",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(UnEncryptedCallBlocked)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "PJ3LXJOJ4HF9C29O1673014299050MP2RR7WKJGABDE"
}
]
},
{"rule_definition_id": "MNJB519IFP2MWLQJ1673014299050KDD7DU0IJ0SK4B",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "PJ3LXJOJ4HF9C29O1673014299050MP2RR7WKJGABDE"
}
]
}
]
},
{"correlation_rule_id": "KR9P7TLS2MEMJ3GO1673014299050A4N8FW8141UH3A",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "Alarm ID: 50633 (RecordingGatewayRegistrationRejected)",
"threat_score": 31,
"threshold": 1,
"window": 60,
"status": 1,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "*",
"description": "Registration to recording-enabled gateway rejected after multiple attempts; gateway marked out-of-service.\nExplanation: gateway rejected registration request.\nRecommended Action: Cause value indicates reason registration was rejected. Check gateway web service api configuration. After configuration issue is resolved, reset SIP Trunk to attempt registration.",
"policy_modules": [{"policy_module_id": "R4MWWCKH606WH8DL16730142990468XG3QBWUSFCSF3"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "KYYWOO8EYB9KA4DD1673014299050T1DARH3THJBO65",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(RecordingGatewayRegistrationRejected)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "KR9P7TLS2MEMJ3GO1673014299050A4N8FW8141UH3A"
}
]
},
{"rule_definition_id": "KSCIDWH1K9UNMT221673014299050G97O70H45T16GE",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "KR9P7TLS2MEMJ3GO1673014299050A4N8FW8141UH3A"
}
]
}
]
},
{"correlation_rule_id": "WERSTH6NC0EEYFWB1673014299050UDGMVANTCOK82F",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "Alarm ID: 50634 (RecordingGatewayRegistrationTimeout)",
"threat_score": 31,
"threshold": 1,
"window": 60,
"status": 1,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "*",
"description": "No response from recording-enabled gateway after multiple attempts; timeout occurred; gateway marked out-of-service.\nExplanation: Gateway registration request did not complete within the specified time limit.\nRecommended Action: Verify network connectivity between CUCM and gateway. Check IP address configuration. After configuration issue is resolved, reset SIP Trunk to attempt registration.",
"policy_modules": [{"policy_module_id": "R4MWWCKH606WH8DL16730142990468XG3QBWUSFCSF3"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "DN231JXPQFN4VV5Q1673014299050JS78HVIK10KN6M",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(RecordingGatewayRegistrationTimeout)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "WERSTH6NC0EEYFWB1673014299050UDGMVANTCOK82F"
}
]
},
{"rule_definition_id": "USV4UG2NVOIBQ5YQ1673014299050K1SP7OIYTWEWU5",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "WERSTH6NC0EEYFWB1673014299050UDGMVANTCOK82F"
}
]
}
]
},
{"correlation_rule_id": "FBLG1F61ENU3MJT01673014299050T90O0OE0AJCII0",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "Alarm ID: 50635 (RecordingGatewayOutOfService)",
"threat_score": 11,
"threshold": 1,
"window": 60,
"status": 1,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "*",
"description": "Recording-enabled gateway closed connection to Unified CM.\nExplanation: Gateway status changed from in-service to out-of-service.\nRecommended Action: Verify network connectivity between CUCM and gateway. Check IP address configuration. After configuration issue is resolved, reset SIP Trunk to attempt registration.",
"policy_modules": [{"policy_module_id": "R4MWWCKH606WH8DL16730142990468XG3QBWUSFCSF3"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "IV6D78DB0VG2Y0KU1673014299050HRWY1FL95T637A",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(RecordingGatewayOutOfService)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "FBLG1F61ENU3MJT01673014299050T90O0OE0AJCII0"
}
]
},
{"rule_definition_id": "D2P0WBPHMQAYOVW71673014299050RUBSJXES7OMHQ6",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "FBLG1F61ENU3MJT01673014299050T90O0OE0AJCII0"
}
]
}
]
},
{"correlation_rule_id": "I4JCLUQFQQI4KK8Y1673014299050E1DRR7MOT2M55J",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "Alarm ID: 50636 (RecordingGatewayInService)",
"threat_score": 11,
"threshold": 1,
"window": 60,
"status": 1,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "*",
"description": "Recording gateway status changed from out-of-service to in-service.\nExplanation: Gateway status changed from out-of-service to in-service.\nRecommended Action: None.",
"policy_modules": [{"policy_module_id": "R4MWWCKH606WH8DL16730142990468XG3QBWUSFCSF3"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "R9X7FBDLWPXLIDPH1673014299050QQ40H9S2B9FM5M",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(RecordingGatewayInService)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "I4JCLUQFQQI4KK8Y1673014299050E1DRR7MOT2M55J"
}
]
},
{"rule_definition_id": "DCCCCTA27SHQEX3D1673014299050H4I2NL50ALBQD9",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "I4JCLUQFQQI4KK8Y1673014299050E1DRR7MOT2M55J"
}
]
}
]
},
{"correlation_rule_id": "MXT9J0JN40KEC7KM1673014299050UDJKF1RGBQFDKQ",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "Alarm ID: 50637 (RecordingGatewaySessionFailed)",
"threat_score": 11,
"threshold": 1,
"window": 60,
"status": 1,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "*",
"description": "Gateway recording session terminated unexpectedly.\nExplanation: Cause value indicates reason the recording session terminated unexpectedly.\nRecommended Action: Check gateway status.",
"policy_modules": [{"policy_module_id": "R4MWWCKH606WH8DL16730142990468XG3QBWUSFCSF3"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "I15UNTRCTC9X5LND1673014299050SJXVAQTUTJ312G",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(RecordingGatewaySessionFailed)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "MXT9J0JN40KEC7KM1673014299050UDJKF1RGBQFDKQ"
}
]
},
{"rule_definition_id": "T9UDYMXXP2C40YCH167301429905019OC9NSWEXKTXM",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "MXT9J0JN40KEC7KM1673014299050UDJKF1RGBQFDKQ"
}
]
}
]
},
{"correlation_rule_id": "UJ4XR236UDKJW1AT1673014299050C8XWMPR31301A9",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "Alarm ID: 50638 (RecordingCallSetupFail)",
"threat_score": 31,
"threshold": 1,
"window": 60,
"status": 1,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "*",
"description": "Recording call setup failed. There will be no recording.\nExplanation: Recording session setup failed.\nRecommended Action: Determine which recording media resources are eligible to record the call based on the call flow (Phone, Gateway, or Both). Verify configuration of all eligible recording media resource (Phone, Gateway, or Both). If Cluster ID is displayed under AlarmValue, check SIP trunk configuration and gateway registration on other cluster.",
"policy_modules": [{"policy_module_id": "R4MWWCKH606WH8DL16730142990468XG3QBWUSFCSF3"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "MDIXLV6Q3MUB10J21673014299050LFNEAHGAO5E3R2",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(RecordingCallSetupFail)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "UJ4XR236UDKJW1AT1673014299050C8XWMPR31301A9"
}
]
},
{"rule_definition_id": "NDMSOOVUF2HWLMCH1673014299050C9WKBTKFB6U7X9",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "UJ4XR236UDKJW1AT1673014299050C8XWMPR31301A9"
}
]
}
]
},
{"correlation_rule_id": "CGPQKESH7UMUJ1XF1673014299050ORB5QI8IK0WYU2",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "Alarm ID: 50639 (RecordingResourcesNotAvailable)",
"threat_score": 0,
"threshold": 1,
"window": 60,
"status": 1,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "*",
"description": "Recording media resources not available (Phone or Gateway, or Both).\nExplanation: Phone and/or Gateway resources not available to record call.\nRecommended Action: Determine which recording media resources are eligible to record the call based on the call flow (Phone, Gateway, or Both). Verify configuration of all eligible recording media resources (Phone, Gateway, or Both).",
"policy_modules": [{"policy_module_id": "R4MWWCKH606WH8DL16730142990468XG3QBWUSFCSF3"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "H48XMD9DN2EWS79416730142990505RXB4D2LCSLYRM",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(RecordingResourcesNotAvailable)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "CGPQKESH7UMUJ1XF1673014299050ORB5QI8IK0WYU2"
}
]
},
{"rule_definition_id": "KBH14F80CGKPFEK81673014299050LK22E4AOVJEQG9",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "CGPQKESH7UMUJ1XF1673014299050ORB5QI8IK0WYU2"
}
]
}
]
},
{"correlation_rule_id": "D9L856OY32XB6JM91673014299050N3Y067LG4080CI",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "Alarm ID: 50640 (RecordingInvalidCallState)",
"threat_score": 0,
"threshold": 1,
"window": 60,
"status": 1,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "*",
"description": "Invalid Call State; internal error.\nExplanation: Recording session setup failed.\nRecommended Action: Determine which recording media resources are eligible to record the call based on the call flow (Phone, Gateway, or Both). Verify configuration of all eligible recording media resource (Phone, Gateway, or Both). If Cluster ID is displayed under AlarmValue, check SIP trunk configuration and gateway registration on other cluster.",
"policy_modules": [{"policy_module_id": "R4MWWCKH606WH8DL16730142990468XG3QBWUSFCSF3"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "CQ4KJUT21FQ149QG167301429905044FG256SKXNGIA",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(RecordingInvalidCallState)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "D9L856OY32XB6JM91673014299050N3Y067LG4080CI"
}
]
},
{"rule_definition_id": "TEDAN3GX8BFVXE5R1673014299050EXP7RX3E5L9FA7",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "D9L856OY32XB6JM91673014299050N3Y067LG4080CI"
}
]
}
]
},
{"correlation_rule_id": "O3K2KRJ77BPTS9AC1673014299050L3BVL1MDBGMM97",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "Alarm ID: 50641 (RecordingAlreadyInProgress)",
"threat_score": 0,
"threshold": 1,
"window": 60,
"status": 1,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "*",
"description": "Recording session already in progress.\nExplanation: Recording session setup failed.\nRecommended Action: Determine which recording media resources are eligible to record the call based on the call flow (Phone, Gateway, or Both). Verify configuration of all eligible recording media resource (Phone, Gateway, or Both). If Cluster ID is displayed under AlarmValue, check SIP trunk configuration and gateway registration on other cluster.",
"policy_modules": [{"policy_module_id": "R4MWWCKH606WH8DL16730142990468XG3QBWUSFCSF3"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "ARUWQK0KQULXS6E51673014299050J9G1FTNP3GT2AW",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(RecordingAlreadyInProgress)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "O3K2KRJ77BPTS9AC1673014299050L3BVL1MDBGMM97"
}
]
},
{"rule_definition_id": "J8JLLKPQAEGSNWVX1673014299050B81OS2W9FBUUPR",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "O3K2KRJ77BPTS9AC1673014299050L3BVL1MDBGMM97"
}
]
}
]
},
{"correlation_rule_id": "JSHQYO69MY6RYMAF16730142990503EYLNEUIDJPY5L",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "Alarm ID: 50642 (RecordingSessionTerminatedUnexpectedly)",
"threat_score": 31,
"threshold": 1,
"window": 60,
"status": 1,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "*",
"description": "Recording session is terminated unexpectedly.\nExplanation: Recording session setup failed.\nRecommended Action: Check SIP Trunk connected to recording server. Check recording server status. Verify call flow is supported.",
"policy_modules": [{"policy_module_id": "R4MWWCKH606WH8DL16730142990468XG3QBWUSFCSF3"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "DC0F7TJ0MJEJSD3R1673014299050EXXH06UG2GCSV3",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(RecordingSessionTerminatedUnexpectedly)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "JSHQYO69MY6RYMAF16730142990503EYLNEUIDJPY5L"
}
]
},
{"rule_definition_id": "FGDHF9SVR7DUW5HH1673014299050D5RRCDT3DGKXJJ",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "JSHQYO69MY6RYMAF16730142990503EYLNEUIDJPY5L"
}
]
}
]
},
{"correlation_rule_id": "UFRKTXSA78GOVYIX1673014299050OIEXHHDEGB7PQ1",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "Alarm ID: 50643 (ILSDuplicateURI)",
"threat_score": 0,
"threshold": 1,
"window": 60,
"status": 1,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "*",
"description": "Duplicate URI Found in ILS network.\nExplanation: A duplicate URI has been found in this ILS Network.\nRecommended Action: Check if there are duplicate URI entries learned from remote ILS clusters. Determine which Cisco Unified Communications Manager cluster needs to be changed so that there is no duplicate URI. Reconfigure the remote serves to ensure the URIs configured are unique within a ILS network.",
"policy_modules": [{"policy_module_id": "R4MWWCKH606WH8DL16730142990468XG3QBWUSFCSF3"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "PD4PC9XLXEBH9VGU1673014299050P3OD6VVJK5NOWT",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(ILSDuplicateURI)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "UFRKTXSA78GOVYIX1673014299050OIEXHHDEGB7PQ1"
}
]
},
{"rule_definition_id": "L4PV7X7GUB3A49851673014299050HF7YYLP08ELARY",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "UFRKTXSA78GOVYIX1673014299050OIEXHHDEGB7PQ1"
}
]
}
]
},
{"correlation_rule_id": "JYN9NFQW5OR7TGFS1673014299050JVF6F44PUU4970",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "Alarm ID: 50644 (CallingNumberNotConfiguredOnCallingDevice)",
"threat_score": 0,
"threshold": 1,
"window": 60,
"status": 1,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "*",
"description": "A call was attempted from a number not configured on this SIP phone.\nExplanation: A call was attempted from a calling number that is not configured on the SIP device. The incoming Calling number did not match any of the configured lines on the device. For security reasons Communications Manager refused the call.\nRecommended Action: Validate that the IP address from which the call was made matches the current IP address of the device. Reset the device and verify it is able to obtain the correct configuration file from TFTP. Check for a mismatched CTL or ITL file which can prevent the device from accepting the configuration file provided by the TFTP server. This may also be indicative of a security issue in progress; proper investigation is highly recommended.",
"policy_modules": [{"policy_module_id": "R4MWWCKH606WH8DL16730142990468XG3QBWUSFCSF3"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "PDH6IU36MBWIN8GU1673014299050B2OEP1SQRI0E7C",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(CallingNumberNotConfiguredOnCallingDevice)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "JYN9NFQW5OR7TGFS1673014299050JVF6F44PUU4970"
}
]
},
{"rule_definition_id": "RAMOHQ802PSWH4CG1673014299050WRSWD8CCCN0RDF",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "JYN9NFQW5OR7TGFS1673014299050JVF6F44PUU4970"
}
]
}
]
},
{"correlation_rule_id": "MLWPQ3ERH9YJ5LGF16730142990509JLXCCYJACMCL1",
"crtype_name": "Simple",
"craction_name": "Track_Respond",
"name": "Alarm ID: 50645 (CallingLineNumberInconsistenciesCorrected)",
"threat_score": 0,
"threshold": 1,
"window": 60,
"status": 1,
"inherit": 1,
"use_unique_count": 0,
"halt_processing_on_match": 0,
"search_filter": "*",
"description": "Inconsistent line numbers found in received SIP headers were corrected.\nExplanation: The system received SIP headers containing one or more line numbers not configured on this device. The received SIP headers also contain at least one valid line number configured on this device. All calling number information was corrected to be a valid line number before proceeding with call processing.\nRecommended Action: Validate that the IP address from which the call was made matches the current IP address of the device. Please investigate that the endpoint is behaving as expected. For Cisco devices, reset the device and verify it is able to obtain the correct configuration file from TFTP; if the behavior persists, engage Cisco TAC as necessary. 3rd party devices may trigger this Informational alarm if they do not send calling party information in the format expected by Communications Manager. This may also be indicative of a security issue in progress; proper investigation is highly recommended.",
"policy_modules": [{"policy_module_id": "R4MWWCKH606WH8DL16730142990468XG3QBWUSFCSF3"
}
],
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 0,
"response_methods": [{"response_method_id": "MB8BL03FC9K7I0WY165057974848943QCF9MIEGJQGC"
},
{"response_method_id": "GP6OOYBOE7YQU10P1650579748489TI80F8XHU6UGSX"
},
{"response_method_id": "X15IFU9E16KBVS5S16505797484899SNHL2D18WBH3T"
}
],
"alert": false
}
],
"rule_definitions": [{"rule_definition_id": "KK20Y49PLTKTRGPI1673014299050KFV21PFKCI3NTX",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(CallingLineNumberInconsistenciesCorrected)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "MLWPQ3ERH9YJ5LGF16730142990509JLXCCYJACMCL1"
}
]
},
{"rule_definition_id": "MW0XB16WCEIN03VV1673014299050OXW86JS0SFGPI8",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "MLWPQ3ERH9YJ5LGF16730142990509JLXCCYJACMCL1"
}
]
}
]
}
]
}
]
}

/api/v2 > asset_groups

GET All Asset Groups

header Parameters

x-lxt-api-token

string

Example: {{x-lxt-kapapi-id}}

Responses

Insert TestGroup

header Parameters

x-lxt-api-token	string Example: {{x-lxt-kapapi-id}}
Content-Type	string Example: application/json

Request Body schema: application/json

object

Responses

Request samples

Payload

Content type

application/json

{"name": "TestGroup",
"assets": [{"asset_id": "",
"name": "New Asset Inside TestGroup",
"ipaddress": "10.13.37.172",
"hostname": "TestAsset",
"customer": "",
"last_method": "",
"last_byte_time": 0,
"did": "Unknown",
"mac_address": "Unknown",
"address": "",
"version": "Unknown",
"manufacturer": "LayerX Technologies",
"timezone": "UTC",
"description": "Local Arbitrator Platform",
"model": "Unknown",
"asset_groups": [ ],
"assets": [ ],
"profiles": [ ]
}
]
}

Delete Asset Group

header Parameters

x-lxt-api-token

string

Example: {{x-lxt-kapapi-id}}

Responses

/api/v2 > lxt_updates

/api/v2/lxt_updates

query Parameters

id	integer Example: id=18

header Parameters

x-lxt-api-token	string Example: {{x-lxt-kapapi-id}}
Content-Type	string Example: application/x-www-form-urlencoded

Request Body schema: application/x-www-form-urlencoded

id	integer
delay	integer
url	string

Responses

/api/v2/lxt_updates?id=18

header Parameters

x-lxt-api-token	string Example: eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJhbmFseXRpeCIsImlhdCI6MTU4MTUyNTc0NCwiZXhwIjoxNTgxNjEyMTQ0LCJ1c2VySWQiOiIwNjZlYmYzNjY1MGVhOGQ1MTcyMDJkNjU3NTcyNzlmODQ5ODc3YTlmMDYxY2I0YjUwMDA0OWE1OTgzNzQ4MDg0In0.n3VMnJcofzzj7W_pxaCsDsMsGBBSvmal1OvmapcB65g36HaKKonAs15eR12BaEUOhtLH_uo_OllEL-bMJgHZHJJ1EcWplMOrqleVYQ6hadEc2EJX_ynOHletDcZwG3OXdywsEyztP2K0FnEkVuuEGTOspPVQpsP_Ujt25skiBPE
Content-Type	string Example: application/x-www-form-urlencoded

Responses

/api/v2/configs/asset_groups

header Parameters

x-lxt-api-token

string

Example: eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJhbmFseXRpeCIsImlhdCI6MTU5ODk4Njc5NiwiZXhwIjoxNTk5MDczMTk2LCJ1c2VySWQiOiIwNjZlYmYzNjY1MGVhOGQ1MTcyMDJkNjU3NTcyNzlmODQ5ODc3YTlmMDYxY2I0YjUwMDA0OWE1OTgzNzQ4MDg0In0.Ss4Kfx8EYOfQd0TsXXyKiYAfkBaNoDLyC_eQgypKsw3Kh82ViRIHgrnL03o-SMYERnd7-EgcwKeiPBrYzvpJU5fWbps7gW2CtFBRsnZC9GG_5wZ2oT_IzsGgnYUZwKIa5Y_v3o23CJOxzFT5HZSmMdRPCVNFVDF_qk5OlpiSy0s

Responses

/api/v2 > probe_groups

Get Probes

Authorizations:

basicAuth

header Parameters

x-lxt-api-token

string

Example: {{x-lxt-kapapi-id}}

Responses

/api/v2 > response_procedures

Get Response Procedures

Authorizations:

basicAuth

header Parameters

x-lxt-api-token

string

Example: {{x-lxt-kapapi-id}}

Responses

Response samples

Content type

application/json

{"status": 200,
"message": "Success",
"data": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM",
"name": "Default IRP",
"description": null,
"locked": 1,
"disable_on_failover": 1,
"correlation_rules": [{"correlation_rule_id": "LMNOS5E3L062HVCS1565014967837WOL95BAY1NVL4F"
},
{"correlation_rule_id": "QTPEC1B8U8GQ0XYY1673014299046K5TLVPC713O4VR"
},
{"correlation_rule_id": "X7M92VON9CP83JUJ1673014299047M1P6O4GGRA8A93"
},
{"correlation_rule_id": "FGF9VUQD08DGQL6V1673014299047NXSFJ2Y4UHBPOR"
},
{"correlation_rule_id": "MW9YKUVYX974EOIP1673014299047K98CSCRJY76WHI"
},
{"correlation_rule_id": "XNPKIVBI32YV5MYS1673014299047POLPTY7XJ49PWM"
},
{"correlation_rule_id": "GKAH83L54FD83JNV16730142990476EC9K6DF93M4FW"
},
{"correlation_rule_id": "BM97F3SR9F7SM1JC16730142990478K7VE733D4CHUR"
},
{"correlation_rule_id": "WRY5HCFHI3S61NGL1673014299047TGF7KLRJUB3OW6"
},
{"correlation_rule_id": "EC5JEDHWO4FSKMY31673014299047UCHM937JH0FW18"
},
{"correlation_rule_id": "F7D3OMUNIT3J3OMN16730142990475EKV440F4AQ2F7"
},
{"correlation_rule_id": "GDE4F3BC6LHJ47DT167301429904700SWNAH6511EC6"
},
{"correlation_rule_id": "T3QHYSHN1WVPRVE51673014299047AOCQ6JVY17YKTD"
},
{"correlation_rule_id": "AW3VRXAW7PS0PUCK16730142990470NCFPRX9R11OPQ"
},
{"correlation_rule_id": "LUUCU0S11YYWE2SP1673014299047HTVBBPHLWUCS0X"
},
{"correlation_rule_id": "V8OWAPQ6AFIBE2R516730142990472PYW3935RSOLYU"
},
{"correlation_rule_id": "F7NSGG1KUUQAJJJ01673014299047B1JGXH8968ATBY"
},
{"correlation_rule_id": "YJ2PIO9SC9IXDS1S16730142990474VCRCPLV8MSMOD"
},
{"correlation_rule_id": "O3PL7FQ2AANGP7V11673014299047K9Y7DNI537YNX0"
},
{"correlation_rule_id": "YPKPSRLHQROK4CWT1673014299047Y7004W51GM77O8"
},
{"correlation_rule_id": "FBAPOER4MGFS48EA1673014299048UO3VU9E8HH3ARE"
},
{"correlation_rule_id": "R0BGN6FK81OPLY2B16730142990489HK0HUID4L7FVD"
},
{"correlation_rule_id": "PH51C0KC0CB3GVO91673014299048F2DVE7E578XOAT"
},
{"correlation_rule_id": "F7N93UCQCC52MWXS16730142990485P615XJ6DPLU5X"
},
{"correlation_rule_id": "XOGMOW11Q5OYRSYX1673014299048BOOY3BOHQ4W80P"
},
{"correlation_rule_id": "P3NKR4RWB4JKXM141673014299048FHXDYH43VG4IC0"
},
{"correlation_rule_id": "FL82HMVUDGJX8JGY16730142990489LPQ3MG59F8PHD"
},
{"correlation_rule_id": "FWW5NUCFIXDVGG1D1673014299048IFF5LGKP6XJT77"
},
{"correlation_rule_id": "J30IA4NNYPOYND3W16730142990486N6BG77WTKGLJR"
},
{"correlation_rule_id": "CBAICTWK9P4POQIP1673014299048RMIAUFICY719F2"
},
{"correlation_rule_id": "VCYEJAM21QWWG51W1673014299048S0QHSTATQ9A4QC"
},
{"correlation_rule_id": "SLIBAGA8UQ6MH4CE1673014299048PX968FMK6G55WL"
},
{"correlation_rule_id": "P1QEK03QHVP45DPI16730142990487F7S7SUYR05WSI"
},
{"correlation_rule_id": "R5JENBIIFM7GKGQM1673014299048BVKFX3TJ0IHET0"
},
{"correlation_rule_id": "GLHTWPYIM2UDV4LR1673014299048TOQ2O4S86OSRWR"
},
{"correlation_rule_id": "PXVI34C9IU48BHDA1673014299048V69RNA6PIB6G24"
},
{"correlation_rule_id": "QY56VNBYJS3X4L911673014299048FTSG76B2EQLL4M"
},
{"correlation_rule_id": "KSBQPWTRIC4ONIMW1673014299048G4CLCUD2AO5KIC"
},
{"correlation_rule_id": "QW3QTHK4C5CMUFGX1673014299048YTFTDDF6PX0GGQ"
},
{"correlation_rule_id": "GEFVN0H58T5OY0HL16730142990482KEJYGIL8HFF0Q"
},
{"correlation_rule_id": "UKS6IOSP3XRKIPTK1673014299048176OWL7WIRAF6E"
},
{"correlation_rule_id": "ND75Y7SHRRG0AI9U1673014299048W9TENEL20EUH7W"
},
{"correlation_rule_id": "VXCBHUE1EMEE0A3D167301429904807MQJNUJSAGWCY"
},
{"correlation_rule_id": "IYDAKKXBATYNL6IB1673014299048LA7N861EEEBAED"
},
{"correlation_rule_id": "CQRWNU6FEIUFS0IM1673014299048HTCNMWV7OGCAL5"
},
{"correlation_rule_id": "U45OWP7LB92BVFYU1673014299048W5LSFAIV71AG9B"
},
{"correlation_rule_id": "K3RCH55VKYXKD8261673014299048JLHT4EDLO5WWEV"
},
{"correlation_rule_id": "C35KUWEVMT3T28CD1673014299048Q3QKOR80G0U1PP"
},
{"correlation_rule_id": "VTOYNYSQ73QR7UV816730142990489B9T7RLOSRXY81"
},
{"correlation_rule_id": "Y638LEG5M0JJRJH11673014299048M4DYPAX2DMV95Y"
},
{"correlation_rule_id": "CMJOAB1NRG3QXXRE167301429904803LM3OK65YA9F1"
},
{"correlation_rule_id": "IMCVJUYWGIRARLJC1673014299048ASR3HPBWOSDMTW"
},
{"correlation_rule_id": "CI4IFMVG07FUNM1X1673014299048XCOHJWPI3EP7EC"
},
{"correlation_rule_id": "Q5QEGD2W6DVW2ODI1673014299048S1ESKB9MONQXJJ"
},
{"correlation_rule_id": "QY76OTEUIBL2T9GN1673014299048VV11VAEAC8O878"
},
{"correlation_rule_id": "EKRNK68TLM93N6JP1673014299048KTT6BKGCXKS3X3"
},
{"correlation_rule_id": "S3KG084D1KFNK3CT16730142990486KS03LVC1CO0F4"
},
{"correlation_rule_id": "XX51VDXS4R0A3P571673014299049KF3ECU5AMVSIQC"
},
{"correlation_rule_id": "LY3XRE8MPTEPV7MC1673014299049L1P0VXINUJI555"
},
{"correlation_rule_id": "VF5A25LK6IHH9G2M1673014299049MSG1ERS5X19PWA"
},
{"correlation_rule_id": "WIT24L3MWIWMG2AU1673014299049EKOQI9KVCLE8SN"
},
{"correlation_rule_id": "NBVKFMT8WIFEYRT81673014299049953VCOWHG3LPC9"
},
{"correlation_rule_id": "EOOKI7Q12GMY2V9C1673014299049B77T7S2RJGN61C"
},
{"correlation_rule_id": "CM6ESG5ASICUGS8F1673014299049TUL6O24A2KGO3M"
},
{"correlation_rule_id": "ASPH1JIB1URE3TGI167301429904906HRWFLLB9TXLY"
},
{"correlation_rule_id": "WY8G63PMPMYJ9TDG16730142990497OYRQ3L6K5EES7"
},
{"correlation_rule_id": "H2AORH8UJ4V4JB391673014299049QNY7E0RI76849I"
},
{"correlation_rule_id": "XY1LO7TTRNA0RQ9R1673014299049VEXJNO7MEFQVR7"
},
{"correlation_rule_id": "TAFQ8NWVAWU0BFC31673014299049DRQ9DHQQ22WDJ3"
},
{"correlation_rule_id": "O1F4S4B2AGOP3OUC1673014299049ULR9QJ3HFTA157"
},
{"correlation_rule_id": "UPOK0K7IJHIN3VA31673014299049YOOE06D5IA2XLO"
},
{"correlation_rule_id": "AVGVLXC79UFD9DH516730142990492CYFX9F4UGVAO6"
},
{"correlation_rule_id": "EIFNRTUERT615GHS1673014299049P0HY5UB5SBPLF8"
},
{"correlation_rule_id": "AW0M4ULOHC3DKSY716730142990490FAJDB4PH68LGL"
},
{"correlation_rule_id": "HUBY1RTGO7TISDDS1673014299049ML1QQVQGY1D277"
},
{"correlation_rule_id": "IU11PJ84SSEEO4I8167301429904956X7K5CK5GMQTG"
},
{"correlation_rule_id": "QWYOQ9UFPJOC7Y3E16730142990499LTX2D5QX87EQN"
},
{"correlation_rule_id": "XTAY5RED8S990O2G1673014299049R3114SWGYK7HM7"
},
{"correlation_rule_id": "X9KYIP6B07S443F71673014299049R5QTEUXVPRM9EM"
},
{"correlation_rule_id": "IUS9KH1TRO3Q7QVG1673014299049LY7AILRVN8AVLY"
},
{"correlation_rule_id": "YKL7XMUOJO3TXNXA1673014299049W5UJ10GEC2K8XG"
},
{"correlation_rule_id": "LRWH4KCN643AKXVK1673014299049BL2HXBBWJTOJSC"
},
{"correlation_rule_id": "O7GJNPLTB21JNFXX1673014299049KMBRPI9CTL3FSH"
},
{"correlation_rule_id": "YYOAMHSF5YQ6WFSO1673014299049I4AY3GWYL7VXMI"
},
{"correlation_rule_id": "TCI8VJAWNMJ9NQNO1673014299049QAFLT80BQBX2E9"
},
{"correlation_rule_id": "Y3QTNO03UMLI1MC316730142990492T5ROO4TL0KLG3"
},
{"correlation_rule_id": "P9LSPNCW0AIO3H371673014299049RP3Y14L9AI7PHJ"
},
{"correlation_rule_id": "LD32X6ISW9A9HW8L167301429904983TW0FXRVYLBPA"
},
{"correlation_rule_id": "P8FDA5FQHCBXQWMM16730142990495J2RB2DI0Y7LKD"
},
{"correlation_rule_id": "G8S30J2FSCXX1QOQ16730142990490QM6KP6HUEAWU8"
},
{"correlation_rule_id": "ER9CXM4QYPM73JMF1673014299049U9KU72371O59LD"
},
{"correlation_rule_id": "LWNLBCUBI9OUE2591673014299049NWYB2SIS68SMUR"
},
{"correlation_rule_id": "H8VINT1LRD9I7UMS1673014299049EUY6CQT9SP6TGV"
},
{"correlation_rule_id": "GOXCM21G3SC2TS901673014299049Q0GEHFRX3TM77Q"
},
{"correlation_rule_id": "P1RWP97EHEEKS6EU16730142990494TEWIC2UNPBDNV"
},
{"correlation_rule_id": "GL6G7M5NTVQ73QDC1673014299049XXSCNH3HCPV54J"
},
{"correlation_rule_id": "L1XICXU8A7GXTM9V1673014299049U3WY763NJNGCSO"
},
{"correlation_rule_id": "TLG8ECX4HPEQ7N6O1673014299049QMAFAVARFBGSEI"
},
{"correlation_rule_id": "BE9A9GOHPQGW6WEF1673014299049O9D027JA27OSS7"
},
{"correlation_rule_id": "W5GJBKHPA5JFBVS31673014299049J3XHPX17S65HFT"
},
{"correlation_rule_id": "N5VJX1FEE96539SG1673014299050AKIV6H5IGEYI26"
},
{"correlation_rule_id": "B1WS3I0Y185QMG2216730142990506H79UEIVVT5OAL"
},
{"correlation_rule_id": "FUG7XVSPI6A1C32V1673014299050NU2WF77G8AWQOM"
},
{"correlation_rule_id": "JAK11MGUEDIV0Y8E1673014299050RC7PWO6TYK2SNK"
},
{"correlation_rule_id": "U8VFD9NFOL0RIEOO1673014299050BSSCW7W7U3IOIU"
},
{"correlation_rule_id": "XUAT7T6C5GEUMEBM1673014299050S37PAKNK39ILOQ"
},
{"correlation_rule_id": "CH6N387PNAS0R91B1673014299050LVFHA87TRUI6I1"
},
{"correlation_rule_id": "YMKJRLWGR5EUX5741673014299050N44NR7NJC1NK8L"
},
{"correlation_rule_id": "JHJS6G6JMV15CO2M1673014299050B6T06TALROWAJ1"
},
{"correlation_rule_id": "NKDPJS2KVO3WQS0A1673014299050GCLTSY5XD9D3XW"
},
{"correlation_rule_id": "STIJTYUJMF11YWCT16730142990508D4VYTJ9I74CPP"
},
{"correlation_rule_id": "WTCLK8FOH52CJM4F1673014299050ITD1VBYFOGEJ65"
},
{"correlation_rule_id": "HGRD12EMQDFQINVJ1673014299050FBHW38E8CTFMK9"
},
{"correlation_rule_id": "SCP2BJ8EB8YU567C167301429905027PRQRJBQ9IYHO"
},
{"correlation_rule_id": "X1WNT1V8XISI3TS91673014299050MP55M8KRCJTDSP"
},
{"correlation_rule_id": "NEYTB6YR8CSEILKM1673014299050XGF4TMJHF8VNQM"
},
{"correlation_rule_id": "JN0033I8RAB31E6P1673014299050HYJK5EPIXK0CC7"
},
{"correlation_rule_id": "OB56SFCEO155NTVX1673014299050Q2NXF2H8IOI6A4"
},
{"correlation_rule_id": "HXC4P3BHY9A4BP791673014299050XGECPFYJL08PUR"
},
{"correlation_rule_id": "K6KXHFTJLOB4SLYL1673014299050BDJG63EY6WJ2C7"
},
{"correlation_rule_id": "I6BVKYS1AFVSHAAC16730142990505KGLKA8AI30VJT"
},
{"correlation_rule_id": "RLM13RN0KRV7UJBS1673014299050TAACU5XP4NVTTS"
},
{"correlation_rule_id": "XSKQ6S0DIPRTI86U1673014299050NLBMJ0Y7WV8RCJ"
},
{"correlation_rule_id": "MT04I30ACQI29W841673014299050WWK9MUAMT4WX2Y"
},
{"correlation_rule_id": "DBNCPE8HRNRRLTUB1673014299050R3KDKSBMMX5W29"
},
{"correlation_rule_id": "V86WK3QVC225G80V16730142990507H29ELS88LRMOE"
},
{"correlation_rule_id": "SX0QRG81SP24WVAA1673014299050E132RDJXX21J51"
},
{"correlation_rule_id": "F3CQA6BYDJREVTET1673014299050I04FATK1CIE125"
},
{"correlation_rule_id": "GO168H1DVNUPAT5P16730142990503JIKWBOQ2CHJWA"
},
{"correlation_rule_id": "K8F0YS7SGB3AV2D21673014299050QXKHR0B3S0LL46"
},
{"correlation_rule_id": "WOOK6UGOCKE1GDUU1673014299050SIMJ0MLBFYSP8V"
},
{"correlation_rule_id": "DEJ5MNUJ9NUSYWF71673014299050Q7INMFBIDUXWYT"
},
{"correlation_rule_id": "NLC2XL9GMAP3PYPV1673014299050UF9B31HB3ND8EQ"
},
{"correlation_rule_id": "PJ3LXJOJ4HF9C29O1673014299050MP2RR7WKJGABDE"
},
{"correlation_rule_id": "KR9P7TLS2MEMJ3GO1673014299050A4N8FW8141UH3A"
},
{"correlation_rule_id": "WERSTH6NC0EEYFWB1673014299050UDGMVANTCOK82F"
},
{"correlation_rule_id": "FBLG1F61ENU3MJT01673014299050T90O0OE0AJCII0"
},
{"correlation_rule_id": "I4JCLUQFQQI4KK8Y1673014299050E1DRR7MOT2M55J"
},
{"correlation_rule_id": "MXT9J0JN40KEC7KM1673014299050UDJKF1RGBQFDKQ"
},
{"correlation_rule_id": "UJ4XR236UDKJW1AT1673014299050C8XWMPR31301A9"
},
{"correlation_rule_id": "CGPQKESH7UMUJ1XF1673014299050ORB5QI8IK0WYU2"
},
{"correlation_rule_id": "D9L856OY32XB6JM91673014299050N3Y067LG4080CI"
},
{"correlation_rule_id": "O3K2KRJ77BPTS9AC1673014299050L3BVL1MDBGMM97"
},
{"correlation_rule_id": "JSHQYO69MY6RYMAF16730142990503EYLNEUIDJPY5L"
},
{"correlation_rule_id": "UFRKTXSA78GOVYIX1673014299050OIEXHHDEGB7PQ1"
},
{"correlation_rule_id": "JYN9NFQW5OR7TGFS1673014299050JVF6F44PUU4970"
},
{"correlation_rule_id": "MLWPQ3ERH9YJ5LGF16730142990509JLXCCYJACMCL1"
},
{"correlation_rule_id": "PWWIW1OYNXH5OOV516730139740667UBU6AJXIDX6P5"
},
{"correlation_rule_id": "MY2X859VR22GNOT81630697064451O9FGS3N8JPP28X"
},
{"correlation_rule_id": "L59R7FDQWNP0LTJH16306973946643BIDMN6QCMNMGW"
},
{"correlation_rule_id": "DEV8KHX8M3NT1W4J1553090841127Q2IIHOMRWA52X3"
},
{"correlation_rule_id": "RN4NMGPCH2OUCMIP1553093329119954H6RHPV9RJWM"
},
{"correlation_rule_id": "HCHU6FWIVSVWMPFC1553096487511HCEJW5J0E0U75L"
},
{"correlation_rule_id": "X4R2XVXUBVEP88O415530965641123HQ7959OLMSATL"
},
{"correlation_rule_id": "S5VRRQR13B7VUL0D1553096612734IT5XKEG94KTQYR"
},
{"correlation_rule_id": "C7HOCBMDN65DDYG71553096647869N8I791BWLATL9S"
},
{"correlation_rule_id": "SL5AHFDQURGP3G1D1553096699989N5UDVT79A1NN1A"
},
{"correlation_rule_id": "I721MO4S27FY295L1553096746091SSPW6TO8921TIK"
},
{"correlation_rule_id": "Y8F8LS2DFIDH9VQC155309678482550SQXNIC462G66"
},
{"correlation_rule_id": "CVU9N3W923NTF9J61553096951796WRORO9UFEVPT5F"
},
{"correlation_rule_id": "K160QEY8YLTO3W2X1553103745805ETVT2V47TROVF4"
},
{"correlation_rule_id": "RJ74LN78UBAJQUVS15531038506449E56E8FYQYCUBE"
},
{"correlation_rule_id": "MG8L0R2GQVQB829O1553103894270PA5PWYNQXL5NPH"
},
{"correlation_rule_id": "FW2IV29XRW9RV34V1553103942173FFNX2RGFG9HCR2"
},
{"correlation_rule_id": "OJ3GSPY6JAD2DKTV155310664660944SQWMNH3C1P1E"
},
{"correlation_rule_id": "YI5WX28DT7RICKET1553106687040WQ5JNUFI81CVUO"
},
{"correlation_rule_id": "F3796UFL7K20XBHT15531067100353RV0FE6IN07A9Y"
},
{"correlation_rule_id": "FC6V6T9WFIHTJUUP1553106788707MOCDT7S4CFRQCH"
},
{"correlation_rule_id": "GLVLCGK05LP0GTHM15531069630581CSYV6D0J74927"
},
{"correlation_rule_id": "BPAFYIHDXVHRJ1OB1553107033944P8G3UJTDIJ0V2V"
},
{"correlation_rule_id": "WSUQQ4PPES7W247D1553107060865D9EN1R7V8XVMLR"
},
{"correlation_rule_id": "NVVAKBE7PDNU5WKP155310713781517KPKKHMGPK8OT"
},
{"correlation_rule_id": "S86E1NGS89KKG36W1553107288812O3FMMAY2RWQ5BM"
},
{"correlation_rule_id": "EVSX48HCDRMXUEXO1553107341225OYHKY8E984FUN7"
},
{"correlation_rule_id": "SKIN4RUGPE1NUMEW1553107387857V7N3J0CEIAWEQY"
},
{"correlation_rule_id": "WT28PSKM0F37J3KI1553107435061D05E25PSUB3RSK"
},
{"correlation_rule_id": "M5KPFA0LPB109AD61553107493156I1S5KF2UIBDYY7"
},
{"correlation_rule_id": "PO6P2IVHDYMX8KAC1553107527480H1R00JL52AC4VL"
},
{"correlation_rule_id": "X1127YDK36797HY01583244939857N520IHQB0FRT4A"
},
{"correlation_rule_id": "PO2855AC5A0KLKV41583244992136UN08E23MY42XE0"
},
{"correlation_rule_id": "HJWLA72FHP86IIFG1540308595425K4M5K78AFUPQSP"
},
{"correlation_rule_id": "X0VM2YBOPTCYD5081629742897595AU9LE8PQH4JIEJ"
},
{"correlation_rule_id": "C74M32KAUK6GDDRC1662567563007ITIOC68KJV7LAL"
}
],
"response_methods": [{"response_method_id": "JCJRJVBCSX877OMQ1694403103626YGFSD93434WLLL",
"name": null,
"confirm": 0,
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM"
}
],
"details": {"type": "ALERT"
}
},
{"response_method_id": "KAIMIYUEM8K5GH9Q1694403103627O066WGFW90GJ2T",
"name": "LinkIPToAlert",
"confirm": 0,
"response_procedures": [{"response_procedure_id": "LXTXB3CCNA7Z8KIX1560539896UBI02SZW142XDM1C0TRV28L2FD7F6NP6I2SP2HE0I9KC0NM"
}
],
"details": {"description": "LinkIPToAlert",
"delay": 0,
"confirmation_timeout": 30,
"strikes": 3,
"controls": [{"control_id": "B22D6L5R50Q8T8KC1694403055280S8PW1NK9SAM2TF",
"name": "LinkIPToAlert",
"command": "LinkIPToAlert",
"locked": 0,
"response_methods": [{"response_method_id": "UO7HGP5415DRTE4216746575660993NRN4QEO5MQPKX"
}
]
}
],
"credentials": [ ],
"type": "CONTROL"
}
}
],
"alert": false
},
{"response_procedure_id": "DWMY6R1Q58SDOMHY16505797606488GJNFPSPUXRDC2",
"name": "New Default",
"description": null,
"locked": 0,
"disable_on_failover": 0,
"correlation_rules": [{"correlation_rule_id": "R15Q8AIAVTNUO40M16493569434296KC2TWA2I72P92"
}
],
"response_methods": [{"response_method_id": "MF7X5FWWNYR0YWBR1686706462732QVTWE0SGX897O2",
"name": null,
"confirm": 0,
"response_procedures": [{"response_procedure_id": "DWMY6R1Q58SDOMHY16505797606488GJNFPSPUXRDC2"
}
],
"details": {"type": "ALERT"
}
}
],
"alert": false
},
{"response_procedure_id": "KYSBBBT0EILF9KGC1568076761504OYG4M7AALT2KH0",
"name": "Touy IRP",
"description": null,
"locked": 0,
"disable_on_failover": 0,
"correlation_rules": [{"correlation_rule_id": "G28O2VIG6RTC70SA1565016061313SJLCCJ9WV4JRR0"
},
{"correlation_rule_id": "LO3M0P8S7OCWKEJ516195336577592NDMSGY05VMPJJ"
}
],
"response_methods": [{"response_method_id": "NN49G7874H9NFUAU1668790770212ANM1PU5WSNDCU9",
"name": null,
"confirm": 0,
"response_procedures": [{"response_procedure_id": "KYSBBBT0EILF9KGC1568076761504OYG4M7AALT2KH0"
}
],
"details": {"type": "ALERT"
}
},
{"response_method_id": "S0639BPMPQ068HWV1668790770212YNWW66A454EOXR",
"name": "ReporterPush",
"confirm": 0,
"response_procedures": [{"response_procedure_id": "KYSBBBT0EILF9KGC1568076761504OYG4M7AALT2KH0"
}
],
"details": {"controls": [ ],
"credentials": [ ],
"type": "CONTROL"
}
}
],
"alert": false
},
{"response_procedure_id": "HJ3XIJSRA2IGWTN31674657527752OOEQD1ABL379LF",
"name": "Touy IRP with email",
"description": null,
"locked": 0,
"disable_on_failover": 0,
"correlation_rules": [ ],
"response_methods": [{"response_method_id": "UO7HGP5415DRTE4216746575660993NRN4QEO5MQPKX",
"name": null,
"confirm": 0,
"response_procedures": [{"response_procedure_id": "HJ3XIJSRA2IGWTN31674657527752OOEQD1ABL379LF"
}
],
"details": {"type": "ALERT"
}
},
{"response_method_id": "BMDYAHC9PK8AE7MT167465756609991FPUXW1N2V57K",
"name": null,
"confirm": 0,
"response_procedures": [{"response_procedure_id": "HJ3XIJSRA2IGWTN31674657527752OOEQD1ABL379LF"
}
],
"details": {"type": "E-MAIL"
}
}
],
"alert": false
},
{"response_procedure_id": "BNPDRA1H7JUBUIT6166879077450178GAGJ975DKS7X",
"name": "Touy IRP with testcontrol",
"description": null,
"locked": 0,
"disable_on_failover": 0,
"correlation_rules": [{"correlation_rule_id": "AK8UDUSTHP8GD9OK16698185052255UH6PCT7L1CN66"
}
],
"response_methods": [{"response_method_id": "Y3SXD63A9CW9A9521690561549630XDWPL0QPS2CHRI",
"name": null,
"confirm": 0,
"response_procedures": [{"response_procedure_id": "BNPDRA1H7JUBUIT6166879077450178GAGJ975DKS7X"
}
],
"details": {"type": "ALERT"
}
},
{"response_method_id": "C9IP81IVLUMKONHI1690561549631I05ECEBMD0VNYV",
"name": "testcontrol",
"confirm": 0,
"response_procedures": [{"response_procedure_id": "BNPDRA1H7JUBUIT6166879077450178GAGJ975DKS7X"
}
],
"details": {"description": "testcontrol",
"delay": 0,
"confirmation_timeout": 30,
"strikes": 3,
"controls": [{"control_id": "JULVVGINPRFVO88F1690561496648YHX9VAEMNPP4X8",
"name": "testcontrol",
"command": "labs/testcontrol.sh",
"locked": 0,
"response_methods": [{"response_method_id": "S0639BPMPQ068HWV1668790770212YNWW66A454EOXR"
}
]
}
],
"credentials": [ ],
"type": "CONTROL"
}
}
],
"alert": false
},
{"response_procedure_id": "I4VYGS7GAB0N5HGQ1584480056216JBPPXKBQYNE43E",
"name": "Touy Non Event IRP",
"description": null,
"locked": 0,
"disable_on_failover": 0,
"correlation_rules": [{"correlation_rule_id": "O2YPM3RN87OKJ7B21565016035690OA1CG5K2S0XVOE"
},
{"correlation_rule_id": "YR9LOJVGKQ04BWF515650160859689QTWDTJN6OT5P9"
},
{"correlation_rule_id": "HQMHWC4ANLYE648916389373275742TG1G8KLSRAS40"
},
{"correlation_rule_id": "NY4RGSYS97NOXRM51638937342717FSXEM3VBDSPNH9"
},
{"correlation_rule_id": "LOS9YIY6ROGRHPE61639173382557KG1OSDYQP4E6YC"
},
{"correlation_rule_id": "LF9RFYOQ58UXFCHK16391735050014NHMJDG82OR3QQ"
}
],
"response_methods": [{"response_method_id": "EBTQA5LN39Q0CVPR1634051349646L3SSV665A8FDTX",
"name": null,
"confirm": 0,
"response_procedures": [{"response_procedure_id": "I4VYGS7GAB0N5HGQ1584480056216JBPPXKBQYNE43E"
}
],
"details": {"type": "ALERT"
}
},
{"response_method_id": "S5VLNG7W7TCJFL9716340513496466J1QIGDNYB5QWG",
"name": null,
"confirm": 0,
"response_procedures": [{"response_procedure_id": "I4VYGS7GAB0N5HGQ1584480056216JBPPXKBQYNE43E"
}
],
"details": {"type": "ALERT"
}
},
{"response_method_id": "GSNDY2U60CT300PT1634051349646A1O86HFJ7DK07Y",
"name": null,
"confirm": 0,
"response_procedures": [{"response_procedure_id": "I4VYGS7GAB0N5HGQ1584480056216JBPPXKBQYNE43E"
}
],
"details": {"destination": "MANC",
"as_event": 0,
"type": "FORWARD"
}
},
{"response_method_id": "IEKF7329QPE3RSNU1634051349646CXMS0XVMFRAP4K",
"name": null,
"confirm": 0,
"response_procedures": [{"response_procedure_id": "I4VYGS7GAB0N5HGQ1584480056216JBPPXKBQYNE43E"
}
],
"details": {"destination": "MANC",
"as_event": 0,
"type": "FORWARD"
}
}
],
"alert": false
}
]
}

/api/v2 > rule_definitions

Get Rule Definitions

Authorizations:

basicAuth

header Parameters

x-lxt-api-token

string

Example: {{x-lxt-kapapi-id}}

Responses

Response samples

Content type

application/json

{"status": 200,
"message": "Success",
"data": [{"rule_definition_id": "MS840MLINJXVH2GQ1565015986461C0AKQM368DXD0X",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "Ttest:.*(critical)\\salert.*",
"description": "Severity",
"is_token": 2,
"correlation_rules": [{"correlation_rule_id": "LMNOS5E3L062HVCS1565014967837WOL95BAY1NVL4F"
}
]
},
{"rule_definition_id": "Y24R170WCPHSOLPL157920451125747RL7E1NPMR6OA",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "Ttest:\\s\\b((?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\b):",
"description": "Asset IP",
"is_token": 1,
"correlation_rules": [{"correlation_rule_id": "LMNOS5E3L062HVCS1565014967837WOL95BAY1NVL4F"
}
]
},
{"rule_definition_id": "T336CMLP5ORJWNI81565016035691I180FLP6N8Q3V3",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "Ttest:.*(major)\\salert.*",
"description": "Severity",
"is_token": 2,
"correlation_rules": [{"correlation_rule_id": "O2YPM3RN87OKJ7B21565016035690OA1CG5K2S0XVOE"
}
]
},
{"rule_definition_id": "LQNCESCS1QRC0DXG1579204582956TO2PSV876THW6J",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "Ttest:\\s\\b((?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\b):",
"description": "Asset IP",
"is_token": 1,
"correlation_rules": [{"correlation_rule_id": "O2YPM3RN87OKJ7B21565016035690OA1CG5K2S0XVOE"
}
]
},
{"rule_definition_id": "R58DRCNUEYL8Y6VX1565016061314I7RCXXOIED05CF",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "Ttest:.*(minor)\\salert.*",
"description": "Severity",
"is_token": 2,
"correlation_rules": [{"correlation_rule_id": "G28O2VIG6RTC70SA1565016061313SJLCCJ9WV4JRR0"
}
]
},
{"rule_definition_id": "DQHYF6TTREM9OFBS1579204552818EGDHFQX2M3D1UB",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "Ttest:\\s\\b((?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\b):",
"description": "Asset IP",
"is_token": 1,
"correlation_rules": [{"correlation_rule_id": "G28O2VIG6RTC70SA1565016061313SJLCCJ9WV4JRR0"
}
]
},
{"rule_definition_id": "N0L5SPG8J1QBFMJ915650160859680263GG5RXURHBY",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "Ttest:.*(informational)\\salert.*",
"description": "Severity",
"is_token": 2,
"correlation_rules": [{"correlation_rule_id": "YR9LOJVGKQ04BWF515650160859689QTWDTJN6OT5P9"
}
]
},
{"rule_definition_id": "U87FVAGRYYSWN6MT157920456764593QJ73MUWO4UVC",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "Ttest:\\s\\b((?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\b):",
"description": "Asset IP",
"is_token": 1,
"correlation_rules": [{"correlation_rule_id": "YR9LOJVGKQ04BWF515650160859689QTWDTJN6OT5P9"
}
]
},
{"rule_definition_id": "KHDHWSVCTKHX7S7S1619533657759RMQP7U7MKEMCG4",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "Ttest:.*(critical)\\salert.*",
"description": "Severity",
"is_token": 2,
"correlation_rules": [{"correlation_rule_id": "LO3M0P8S7OCWKEJ516195336577592NDMSGY05VMPJJ"
}
]
},
{"rule_definition_id": "Q96JKIR8TWW9TQTD16195336577606R1RWHU3Q3NQWI",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "@SAME(Ttest:\\s\\b((?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\b):)",
"description": "Asset IP",
"is_token": 1,
"correlation_rules": [{"correlation_rule_id": "LO3M0P8S7OCWKEJ516195336577592NDMSGY05VMPJJ"
}
]
},
{"rule_definition_id": "COO0JFWUN7G6ME0G1638937327574UJQQOLGNLWX1TL",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "Ttest:.*(major)\\salert.*",
"description": "Severity",
"is_token": 2,
"correlation_rules": [{"correlation_rule_id": "HQMHWC4ANLYE648916389373275742TG1G8KLSRAS40"
}
]
},
{"rule_definition_id": "FVQO4UH5LRSFUXT51638937327575N9P45HPVI1W0JA",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "Ttest:\\s\\b((?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\b):",
"description": "Asset IP",
"is_token": 1,
"correlation_rules": [{"correlation_rule_id": "HQMHWC4ANLYE648916389373275742TG1G8KLSRAS40"
}
]
},
{"rule_definition_id": "NV2X6W4YKWHMFF9D163893734271802QUS8ONHF6LA7",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "Ttest:.*(major)\\salert.*",
"description": "Severity",
"is_token": 2,
"correlation_rules": [{"correlation_rule_id": "NY4RGSYS97NOXRM51638937342717FSXEM3VBDSPNH9"
}
]
},
{"rule_definition_id": "G9476UFBKHPU3XDH16389373427189RAXEFHIE7DIH8",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "@SAME(Ttest:\\s\\b((?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\b):)",
"description": "Asset IP",
"is_token": 1,
"correlation_rules": [{"correlation_rule_id": "NY4RGSYS97NOXRM51638937342717FSXEM3VBDSPNH9"
}
]
},
{"rule_definition_id": "JEBTANKVCVETNQES1639173382558HAUGM7DM5I44RR",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "Ttest:.*(major)\\salert.*",
"description": "Severity",
"is_token": 2,
"correlation_rules": [{"correlation_rule_id": "LOS9YIY6ROGRHPE61639173382557KG1OSDYQP4E6YC"
}
]
},
{"rule_definition_id": "DNPDUY3642J2ODMF1639173382558BNEESGUYMBMTO7",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "@SAME(Ttest:\\s\\b((?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\b):)",
"description": "Asset IP",
"is_token": 1,
"correlation_rules": [{"correlation_rule_id": "LOS9YIY6ROGRHPE61639173382557KG1OSDYQP4E6YC"
}
]
},
{"rule_definition_id": "ADSTPOXJI60FTSM01639173505001O96YGUVDDT89H5",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "Ttest:.*(major)\\salert.*",
"description": "Severity",
"is_token": 2,
"correlation_rules": [{"correlation_rule_id": "LF9RFYOQ58UXFCHK16391735050014NHMJDG82OR3QQ"
}
]
},
{"rule_definition_id": "AECLYHTAII1SX7SW1639173505001K1XPF7SESPBMAR",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "Ttest:\\s\\b((?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\b):",
"description": "Asset IP",
"is_token": 1,
"correlation_rules": [{"correlation_rule_id": "LF9RFYOQ58UXFCHK16391735050014NHMJDG82OR3QQ"
}
]
},
{"rule_definition_id": "I2FBYBBSN1URA39T1673014299046XGDBDRNSPCMOCE",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(CallManagerFailure)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "QTPEC1B8U8GQ0XYY1673014299046K5TLVPC713O4VR"
}
]
},
{"rule_definition_id": "YGSL7JM23R0STRRP1673014299047O2WRLCDFCLUN83",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "QTPEC1B8U8GQ0XYY1673014299046K5TLVPC713O4VR"
}
]
},
{"rule_definition_id": "RSCI6B6L43R0NGE8167301429904710LOHK0IBHKBWJ",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(SDLLinkISV)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "X7M92VON9CP83JUJ1673014299047M1P6O4GGRA8A93"
}
]
},
{"rule_definition_id": "RUAPXMCKCSFKO4JY1673014299047HB9XJGG23P9FSL",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "X7M92VON9CP83JUJ1673014299047M1P6O4GGRA8A93"
}
]
},
{"rule_definition_id": "XAES92GCVUQXHSNK167301429904747RHLK6HYSY22U",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(SDLLinkOOS)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "FGF9VUQD08DGQL6V1673014299047NXSFJ2Y4UHBPOR"
}
]
},
{"rule_definition_id": "FR7O3S7U0ABWSHNT1673014299047DWWY7B9AAXIN1V",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "FGF9VUQD08DGQL6V1673014299047NXSFJ2Y4UHBPOR"
}
]
},
{"rule_definition_id": "S26SSLSCBTGED7BB1673014299047DSW7L93VWL1X93",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(CMVersionMismatch)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "MW9YKUVYX974EOIP1673014299047K98CSCRJY76WHI"
}
]
},
{"rule_definition_id": "GP286U92ERWU0K9Y1673014299047FMV4U7HEOQKQSF",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "MW9YKUVYX974EOIP1673014299047K98CSCRJY76WHI"
}
]
},
{"rule_definition_id": "DFQB4GMBOHHD8Q921673014299047N5YN3D6UKHF4JE",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(BChannelOOS)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "XNPKIVBI32YV5MYS1673014299047POLPTY7XJ49PWM"
}
]
},
{"rule_definition_id": "UWHHJ3KE4ALB7B3B167301429904724WIGAH43BJ7J3",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "XNPKIVBI32YV5MYS1673014299047POLPTY7XJ49PWM"
}
]
},
{"rule_definition_id": "QJCFT35AW7XQCLOL16730142990474MNX3FLIWDK9JM",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(BChannelISV)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "GKAH83L54FD83JNV16730142990476EC9K6DF93M4FW"
}
]
},
{"rule_definition_id": "H0RXXQGLU75AHL321673014299047X70BDYW6NVLHCG",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "GKAH83L54FD83JNV16730142990476EC9K6DF93M4FW"
}
]
},
{"rule_definition_id": "NY08EBPI6XAABXCJ1673014299047YLOFWYB0KKGOAC",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(DChannelOOS)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "BM97F3SR9F7SM1JC16730142990478K7VE733D4CHUR"
}
]
},
{"rule_definition_id": "BLRQRTLC5N9I6JDF1673014299047X5GUHJ6O6H4JSF",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)$",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "BM97F3SR9F7SM1JC16730142990478K7VE733D4CHUR"
}
]
},
{"rule_definition_id": "N072MJMCPNKWWFP41673014299047HMFPQLGK2CYXM1",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(DChannelISV)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "WRY5HCFHI3S61NGL1673014299047TGF7KLRJUB3OW6"
}
]
},
{"rule_definition_id": "OTIOVFVC7J4KYDMX1673014299047E7EU2O0A0PSR07",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "WRY5HCFHI3S61NGL1673014299047TGF7KLRJUB3OW6"
}
]
},
{"rule_definition_id": "I9LLE48D1DBCCVX01673014299047VBNAW6WIFUV18R",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(DeviceTransientConnection)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "EC5JEDHWO4FSKMY31673014299047UCHM937JH0FW18"
}
]
},
{"rule_definition_id": "F2BMHDK2ET9IBU7R1673014299047XJUKSSSOTJO70F",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "EC5JEDHWO4FSKMY31673014299047UCHM937JH0FW18"
}
]
},
{"rule_definition_id": "GV0RE0XCEM2HX54K1673014299047MFXS0PM1Q7DYLX",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(EndPointTransientConnection)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "F7D3OMUNIT3J3OMN16730142990475EKV440F4AQ2F7"
}
]
},
{"rule_definition_id": "KHN3VI8R93QSPGU21673014299047D623C7NTEADHMY",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "F7D3OMUNIT3J3OMN16730142990475EKV440F4AQ2F7"
}
]
},
{"rule_definition_id": "Y1UBYCP74GWNGNIP16730142990479NV3J6V21K6EVE",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(DeviceRegistered)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "GDE4F3BC6LHJ47DT167301429904700SWNAH6511EC6"
}
]
},
{"rule_definition_id": "UDAUM3WQUHLC952816730142990477B5W5YA06G20GE",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "GDE4F3BC6LHJ47DT167301429904700SWNAH6511EC6"
}
]
},
{"rule_definition_id": "J9RGUDOULHNT7I7W1673014299047FIUW3RNI4JD690",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(EndPointRegistered)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "T3QHYSHN1WVPRVE51673014299047AOCQ6JVY17YKTD"
}
]
},
{"rule_definition_id": "YQUNONWQHCHYB1UJ1673014299047RJF73XGRLOD9CD",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "T3QHYSHN1WVPRVE51673014299047AOCQ6JVY17YKTD"
}
]
},
{"rule_definition_id": "GS1O6BNG3AF206641673014299047E4EPEHIS5ASRGC",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(DevicePartiallyRegistered)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "AW3VRXAW7PS0PUCK16730142990470NCFPRX9R11OPQ"
}
]
},
{"rule_definition_id": "QR1GRIF27KWY4ONN1673014299047K42KMV305CXOEQ",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "AW3VRXAW7PS0PUCK16730142990470NCFPRX9R11OPQ"
}
]
},
{"rule_definition_id": "VYR65XFAYVEJUOK816730142990471JN0JX7TXHF6C2",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(DeviceUnregistered)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "LUUCU0S11YYWE2SP1673014299047HTVBBPHLWUCS0X"
}
]
},
{"rule_definition_id": "C2N1GRKYYG2R30PH1673014299047MMCU7QDRLEEL7R",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "LUUCU0S11YYWE2SP1673014299047HTVBBPHLWUCS0X"
}
]
},
{"rule_definition_id": "CX1J78D0N4G1TTW916730142990479NTHTO11D2MV8S",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(EndPointUnregistered)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "V8OWAPQ6AFIBE2R516730142990472PYW3935RSOLYU"
}
]
},
{"rule_definition_id": "NYG2V6L08AWQC0G116730142990471FM2D641J855YR",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "V8OWAPQ6AFIBE2R516730142990472PYW3935RSOLYU"
}
]
},
{"rule_definition_id": "JUE8OQFMJHAS9KJA16730142990472LMS1HNPWMJ033",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(SIPLineRegistrationError)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "F7NSGG1KUUQAJJJ01673014299047B1JGXH8968ATBY"
}
]
},
{"rule_definition_id": "FTANF70BBYTLOXA116730142990472JTR9L7U4P3L8N",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "F7NSGG1KUUQAJJJ01673014299047B1JGXH8968ATBY"
}
]
},
{"rule_definition_id": "H5PNUHEO5C66JC641673014299047VAVDX7BAAKVN7E",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(H323Started)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "YJ2PIO9SC9IXDS1S16730142990474VCRCPLV8MSMOD"
}
]
},
{"rule_definition_id": "O7WOP8GH268TS6UP1673014299047NVSRGY54TJ0YTG",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "YJ2PIO9SC9IXDS1S16730142990474VCRCPLV8MSMOD"
}
]
},
{"rule_definition_id": "L89FNYA310IIB3LP16730142990472XNJD2OSF444XE",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(H323Stopped)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "O3PL7FQ2AANGP7V11673014299047K9Y7DNI537YNX0"
}
]
},
{"rule_definition_id": "AWEBDK9U6YOADVVD1673014299047XXXP2R8SVY8A75",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "O3PL7FQ2AANGP7V11673014299047K9Y7DNI537YNX0"
}
]
},
{"rule_definition_id": "B3I6Q7UOFD956DBO167301429904862OHGKXYDDOF60",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(SIPStarted)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "YPKPSRLHQROK4CWT1673014299047Y7004W51GM77O8"
}
]
},
{"rule_definition_id": "A6D5RDOPB2NKCJ5N16730142990483SRS9KB4OV9S2R",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "YPKPSRLHQROK4CWT1673014299047Y7004W51GM77O8"
}
]
},
{"rule_definition_id": "O15N037Y6HSBQ5291673014299048FD54H58NY2I9S6",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(SIPStopped)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "FBAPOER4MGFS48EA1673014299048UO3VU9E8HH3ARE"
}
]
},
{"rule_definition_id": "R3UTU9YR97QPPC061673014299048UVVWNCO9S0HR5Y",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "FBAPOER4MGFS48EA1673014299048UO3VU9E8HH3ARE"
}
]
},
{"rule_definition_id": "CF8U7FV73JT0LD0E1673014299048FT0XH3HLXPANVD",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(SIPNormalizationScriptOpened)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "R0BGN6FK81OPLY2B16730142990489HK0HUID4L7FVD"
}
]
},
{"rule_definition_id": "B38Q1FHSUBPYCEVR16730142990485XFNJYR1ECH1CB",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "R0BGN6FK81OPLY2B16730142990489HK0HUID4L7FVD"
}
]
},
{"rule_definition_id": "N0AARYTO8V9CR6HX1673014299048C4XTIAS1EBVAN7",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(SIPNormalizationScriptClosed)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "PH51C0KC0CB3GVO91673014299048F2DVE7E578XOAT"
}
]
},
{"rule_definition_id": "B71BNML9MUD7T8VF1673014299048CCW8MOH1RYCNJJ",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "PH51C0KC0CB3GVO91673014299048F2DVE7E578XOAT"
}
]
},
{"rule_definition_id": "BXP1H43PY1IF0GIV1673014299048W2A5DEUH0SF7YJ",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(SIPNormalizationScriptError)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "F7N93UCQCC52MWXS16730142990485P615XJ6DPLU5X"
}
]
},
{"rule_definition_id": "BS2KAIDQ9RLY81MI1673014299048VHL47Q2WQHURBM",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "F7N93UCQCC52MWXS16730142990485P615XJ6DPLU5X"
}
]
},
{"rule_definition_id": "B59F32MKO50FRQHM1673014299048GIGEFGSD7VOFTH",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(SIPNormalizationResourceWarning)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "XOGMOW11Q5OYRSYX1673014299048BOOY3BOHQ4W80P"
}
]
},
{"rule_definition_id": "QWTT3G9GCL19LCY71673014299048CU2NV426V51F0S",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "XOGMOW11Q5OYRSYX1673014299048BOOY3BOHQ4W80P"
}
]
},
{"rule_definition_id": "UIGIX63GLEXRJ5C01673014299048MOLP6USRH86IIB",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(SIPNormalizationAutoResetDisabled)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "P3NKR4RWB4JKXM141673014299048FHXDYH43VG4IC0"
}
]
},
{"rule_definition_id": "SVHUC9VGF3SOEQC71673014299048NNH9C4OGEUWQJB",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "P3NKR4RWB4JKXM141673014299048FHXDYH43VG4IC0"
}
]
},
{"rule_definition_id": "RDELEKFFRQV7T18G1673014299048UPPV678U4DLCTT",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(SIPTrunkISV)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "FL82HMVUDGJX8JGY16730142990489LPQ3MG59F8PHD"
}
]
},
{"rule_definition_id": "TJJN9EO6FPX2UHQM1673014299048M93QTN1X616MX9",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "FL82HMVUDGJX8JGY16730142990489LPQ3MG59F8PHD"
}
]
},
{"rule_definition_id": "FVTF2H41GDAY56DH1673014299048O5LUKAH9K0BTSX",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(SIPTrunkOOS)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "FWW5NUCFIXDVGG1D1673014299048IFF5LGKP6XJT77"
}
]
},
{"rule_definition_id": "U1JUEA0NNWBF9R4E1673014299048WPHN14CD048RL8",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "FWW5NUCFIXDVGG1D1673014299048IFF5LGKP6XJT77"
}
]
},
{"rule_definition_id": "IA4SSRNN5JQA5HB31673014299048QS7YUAS9QWGF6M",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(SIPTrunkPartiallyISV)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "J30IA4NNYPOYND3W16730142990486N6BG77WTKGLJR"
}
]
},
{"rule_definition_id": "EUIHKD16QXEWM2O61673014299048676AL312Q7Q1BL",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "J30IA4NNYPOYND3W16730142990486N6BG77WTKGLJR"
}
]
},
{"rule_definition_id": "F1HAKY5H2I3FULNK16730142990483Y2YYWMVNT4F66",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(ConnectionFailure)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "CBAICTWK9P4POQIP1673014299048RMIAUFICY719F2"
}
]
},
{"rule_definition_id": "KH5NNFA2EEXUVFTL1673014299048IQDI2J6AQ8CRJX",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "CBAICTWK9P4POQIP1673014299048RMIAUFICY719F2"
}
]
},
{"rule_definition_id": "SIH2XTEU9V00TLEO1673014299048TYAG1O83W41UWS",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(MediaResourceListExhausted)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "VCYEJAM21QWWG51W1673014299048S0QHSTATQ9A4QC"
}
]
},
{"rule_definition_id": "T4UW96DY8HHC8BX21673014299048X9M0IK06V6YMCK",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "VCYEJAM21QWWG51W1673014299048S0QHSTATQ9A4QC"
}
]
},
{"rule_definition_id": "EYLYCCAEXJLMKYOK1673014299048MS5Y6PRQ9EPH9K",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(RouteListExhausted)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "SLIBAGA8UQ6MH4CE1673014299048PX968FMK6G55WL"
}
]
},
{"rule_definition_id": "JHNWJL0ESG1NPAPB16730142990489CD0T93K2LUYLW",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "SLIBAGA8UQ6MH4CE1673014299048PX968FMK6G55WL"
}
]
},
{"rule_definition_id": "K4YQV4JE4NJJ25JT1673014299048CYVDTSOB35PWJM",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(HuntListExhausted)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "P1QEK03QHVP45DPI16730142990487F7S7SUYR05WSI"
}
]
},
{"rule_definition_id": "D58G8JIYTOUEFP991673014299048K5QD6R9HV0DJUY",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "P1QEK03QHVP45DPI16730142990487F7S7SUYR05WSI"
}
]
},
{"rule_definition_id": "JSV6ERRYYTY6CXLI1673014299048P7V7RHPERNH3FX",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(DeviceTypeMismatch)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "R5JENBIIFM7GKGQM1673014299048BVKFX3TJ0IHET0"
}
]
},
{"rule_definition_id": "QR2JGAX9GDR6VV7M16730142990487WGOQBHRQ5TSDN",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "R5JENBIIFM7GKGQM1673014299048BVKFX3TJ0IHET0"
}
]
},
{"rule_definition_id": "VVJLWUXU5I8JGJG91673014299048P9HNCK3SGGOLN8",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(DeviceDnInformation)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "GLHTWPYIM2UDV4LR1673014299048TOQ2O4S86OSRWR"
}
]
},
{"rule_definition_id": "CL09698FXYLCTSY21673014299048VK0MPDHR2PPEK5",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "GLHTWPYIM2UDV4LR1673014299048TOQ2O4S86OSRWR"
}
]
},
{"rule_definition_id": "QCBEQVBCILWFQ47S16730142990487OOS6S971AGX93",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(StationConnectionError)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "PXVI34C9IU48BHDA1673014299048V69RNA6PIB6G24"
}
]
},
{"rule_definition_id": "XVDE8N0GELLR82UL1673014299048FOSPWN9WAKCXFG",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "PXVI34C9IU48BHDA1673014299048V69RNA6PIB6G24"
}
]
},
{"rule_definition_id": "WPDOP84XXIHLJDP416730142990486P6JF2MD0NQEP0",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(StationAlarm)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "QY56VNBYJS3X4L911673014299048FTSG76B2EQLL4M"
}
]
},
{"rule_definition_id": "HRW5GEWV1IBNEFDA1673014299048WDPA1XWLAB9DWV",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "QY56VNBYJS3X4L911673014299048FTSG76B2EQLL4M"
}
]
},
{"rule_definition_id": "OQJT57JIT69M3T6P1673014299048UVHUL7NOLAETXN",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(StationEventAlert)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "KSBQPWTRIC4ONIMW1673014299048G4CLCUD2AO5KIC"
}
]
},
{"rule_definition_id": "RLIX4KG700Y0CAVD16730142990480IL4X7ROBHDNOD",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "KSBQPWTRIC4ONIMW1673014299048G4CLCUD2AO5KIC"
}
]
},
{"rule_definition_id": "JIHWRG6ARBHY1TVM1673014299048IWEKL2J7PIPMN8",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(MGCPGatewayGainedComm)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "QW3QTHK4C5CMUFGX1673014299048YTFTDDF6PX0GGQ"
}
]
},
{"rule_definition_id": "FPN1QKN9EA4KG4JY167301429904836R6S5XJDEOVEY",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "QW3QTHK4C5CMUFGX1673014299048YTFTDDF6PX0GGQ"
}
]
},
{"rule_definition_id": "W8QAV90CXG6JXQMU16730142990483OIU2N8FJRVNO8",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(MGCPGatewayLostComm)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "GEFVN0H58T5OY0HL16730142990482KEJYGIL8HFF0Q"
}
]
},
{"rule_definition_id": "AV3II069PMPCKTC41673014299048VWBT24MDFIMKCI",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "GEFVN0H58T5OY0HL16730142990482KEJYGIL8HFF0Q"
}
]
},
{"rule_definition_id": "BIOXTKEB8H8XMU1F167301429904842ATRFXOWPSJFL",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(StationPortInitError)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "UKS6IOSP3XRKIPTK1673014299048176OWL7WIRAF6E"
}
]
},
{"rule_definition_id": "MAIRU07O6BPAMS5F1673014299048DTINAX46E377MP",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "UKS6IOSP3XRKIPTK1673014299048176OWL7WIRAF6E"
}
]
},
{"rule_definition_id": "U09CIBV3P8PMWDTY16730142990482J1BMY1BKT4D4I",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(DbInfoError)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "ND75Y7SHRRG0AI9U1673014299048W9TENEL20EUH7W"
}
]
},
{"rule_definition_id": "K2OFCK1KD41D2UMS1673014299048346IQP0YYBDK0K",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "ND75Y7SHRRG0AI9U1673014299048W9TENEL20EUH7W"
}
]
},
{"rule_definition_id": "PU1RF0A9OP0RWC5E1673014299048QG3JEXY5QC0HS4",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(DbInfoTimeout)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "VXCBHUE1EMEE0A3D167301429904807MQJNUJSAGWCY"
}
]
},
{"rule_definition_id": "NEU70F57XEY7LC7T167301429904878K3EVJWTA6S0X",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "VXCBHUE1EMEE0A3D167301429904807MQJNUJSAGWCY"
}
]
},
{"rule_definition_id": "XDYCK5CI1CDP3QCR16730142990484T0Y166OOVA6BH",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(DbInfoCorrupt)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "IYDAKKXBATYNL6IB1673014299048LA7N861EEEBAED"
}
]
},
{"rule_definition_id": "X0QW3U2L0NSTY0T91673014299048EEU9V7RXSY9TUN",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "IYDAKKXBATYNL6IB1673014299048LA7N861EEEBAED"
}
]
},
{"rule_definition_id": "YP4M4UB1YO2JVU3T16730142990484LE273ARV3Q3SP",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(NotEnoughChans)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "CQRWNU6FEIUFS0IM1673014299048HTCNMWV7OGCAL5"
}
]
},
{"rule_definition_id": "C2XWWVEN1AG0XUCS1673014299048QCP7LT1O3QVVT1",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "CQRWNU6FEIUFS0IM1673014299048HTCNMWV7OGCAL5"
}
]
},
{"rule_definition_id": "EDG9NAHTTPX5MJDU1673014299048VHU7HID1HCO6S5",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(DeviceResetInitiated)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "U45OWP7LB92BVFYU1673014299048W5LSFAIV71AG9B"
}
]
},
{"rule_definition_id": "HUAMTHBVO3I45MH21673014299048L6KADD4WEGE42C",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "U45OWP7LB92BVFYU1673014299048W5LSFAIV71AG9B"
}
]
},
{"rule_definition_id": "Q8HYQXS8UC43BY9I1673014299048U97KH7THRFOBRR",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(EndPointResetInitiated)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "K3RCH55VKYXKD8261673014299048JLHT4EDLO5WWEV"
}
]
},
{"rule_definition_id": "QPKOFW6NJ4T8Y76U16730142990488U78LW6TO3E6NS",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "K3RCH55VKYXKD8261673014299048JLHT4EDLO5WWEV"
}
]
},
{"rule_definition_id": "NILALPYV930JVI3V1673014299048IX3J6OW8HJV46I",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(DeviceRestartInitiated)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "C35KUWEVMT3T28CD1673014299048Q3QKOR80G0U1PP"
}
]
},
{"rule_definition_id": "NUOVGQYD3OK37PP51673014299048UG1SJ2IJJT47J6",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "C35KUWEVMT3T28CD1673014299048Q3QKOR80G0U1PP"
}
]
},
{"rule_definition_id": "XCOWIKUKPSEJWF1V1673014299048NBSCAUX55QPB7S",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(EndPointRestartInitiated)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "VTOYNYSQ73QR7UV816730142990489B9T7RLOSRXY81"
}
]
},
{"rule_definition_id": "QV2A2M91HP4SS6D61673014299048TF0VJ1PG76MLRU",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "VTOYNYSQ73QR7UV816730142990489B9T7RLOSRXY81"
}
]
},
{"rule_definition_id": "BH9282DY0V644S9916730142990481OAOJUJAQ97EIF",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(DeviceApplyConfigInitiated)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "Y638LEG5M0JJRJH11673014299048M4DYPAX2DMV95Y"
}
]
},
{"rule_definition_id": "BWDCLOUFCRHK9XVV16730142990483PVO0NCAT6YWYL",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "Y638LEG5M0JJRJH11673014299048M4DYPAX2DMV95Y"
}
]
},
{"rule_definition_id": "RUW2JOWOLU5R3QP51673014299048C5UGTO8RINO8JW",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(DaTimeOut)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "CMJOAB1NRG3QXXRE167301429904803LM3OK65YA9F1"
}
]
},
{"rule_definition_id": "RX1SFCLM74MHBVJO1673014299048701TCBGWA2J12I",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "CMJOAB1NRG3QXXRE167301429904803LM3OK65YA9F1"
}
]
},
{"rule_definition_id": "N9FBK3RCTG1JW0JM1673014299048IWG7A01KAGBS7L",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(MaxCallDurationTimeout)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "IMCVJUYWGIRARLJC1673014299048ASR3HPBWOSDMTW"
}
]
},
{"rule_definition_id": "XSRKGNG73AP4JQW31673014299048V0HW63SPFXB2AY",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "IMCVJUYWGIRARLJC1673014299048ASR3HPBWOSDMTW"
}
]
},
{"rule_definition_id": "HFYVNRDPFQE71R4A1673014299048UEMIRR3DKUMCXW",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(MaxHoldDurationTimeout)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "CI4IFMVG07FUNM1X1673014299048XCOHJWPI3EP7EC"
}
]
},
{"rule_definition_id": "PGX0S82TCOM7DARV16730142990486GA7AB26IVRXQE",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "CI4IFMVG07FUNM1X1673014299048XCOHJWPI3EP7EC"
}
]
},
{"rule_definition_id": "DB1WHI5NCEFQD39N16730142990485PC5TCCLP3YW9O",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(TimerThreadSlowed)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "Q5QEGD2W6DVW2ODI1673014299048S1ESKB9MONQXJJ"
}
]
},
{"rule_definition_id": "THOA6UKQUDUW39321673014299048USO82OFHU53FJU",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "Q5QEGD2W6DVW2ODI1673014299048S1ESKB9MONQXJJ"
}
]
},
{"rule_definition_id": "D021M6Q1J8KJS7OM1673014299048MNJHW6EP3L0QGK",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(DatabaseDefaultsRead)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "QY76OTEUIBL2T9GN1673014299048VV11VAEAC8O878"
}
]
},
{"rule_definition_id": "FWN2IEKFARL9HCMY1673014299048QMR7R9ENQSLB7W",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "QY76OTEUIBL2T9GN1673014299048VV11VAEAC8O878"
}
]
},
{"rule_definition_id": "MRSQ6H1OQW33NV7016730142990486ND0X0BQQSBUEN",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(DeviceInitTimeout)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "EKRNK68TLM93N6JP1673014299048KTT6BKGCXKS3X3"
}
]
},
{"rule_definition_id": "IP40CQSLGW9KX50V16730142990483X3BAUXRC2GDHL",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "EKRNK68TLM93N6JP1673014299048KTT6BKGCXKS3X3"
}
]
},
{"rule_definition_id": "KCNJDTJDL26HV03X1673014299049DXDUHKQ8KO4RU1",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(NumDevRegExceeded)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "S3KG084D1KFNK3CT16730142990486KS03LVC1CO0F4"
}
]
},
{"rule_definition_id": "NJ4GJL37SP7721XG1673014299049XEHH7G4RTYSAD2",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "S3KG084D1KFNK3CT16730142990486KS03LVC1CO0F4"
}
]
},
{"rule_definition_id": "SFVV69JCTF1Q3W9S1673014299049K0X3OCNPPXKCF4",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(CallManagerOnline)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "XX51VDXS4R0A3P571673014299049KF3ECU5AMVSIQC"
}
]
},
{"rule_definition_id": "AMMT40IFVBSW9FJ3167301429904959BRYJLS4K01PA",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "XX51VDXS4R0A3P571673014299049KF3ECU5AMVSIQC"
}
]
},
{"rule_definition_id": "V03IAJF799KHDKL51673014299049DHV1AJEERYLUMB",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(OutOfRangeMohAudioSource)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "LY3XRE8MPTEPV7MC1673014299049L1P0VXINUJI555"
}
]
},
{"rule_definition_id": "HEC0WEVTF6W8B66C1673014299049GJYAGMRH6BOLXE",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "LY3XRE8MPTEPV7MC1673014299049L1P0VXINUJI555"
}
]
},
{"rule_definition_id": "AB2G546KAHSQRASK16730142990499JKLR6RPHXRT7U",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(UnprovisionedMohAudioSource)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "VF5A25LK6IHH9G2M1673014299049MSG1ERS5X19PWA"
}
]
},
{"rule_definition_id": "MYSD17C4WVR1S00C1673014299049913W6CPS762HJP",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "VF5A25LK6IHH9G2M1673014299049MSG1ERS5X19PWA"
}
]
},
{"rule_definition_id": "LGGJQD50AILIU6I01673014299049TJXVY1LSPP4O08",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(BuiltInBridgeNoMoreResourcesAvailable)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "WIT24L3MWIWMG2AU1673014299049EKOQI9KVCLE8SN"
}
]
},
{"rule_definition_id": "JOBLLFB1MX71KP0E167301429904936IOJ9WDFT2KF9",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "WIT24L3MWIWMG2AU1673014299049EKOQI9KVCLE8SN"
}
]
},
{"rule_definition_id": "H7TS1OAH04998SHR1673014299049O0XAOPJL5L8BHJ",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(MtpNoMoreResourcesAvailable)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "NBVKFMT8WIFEYRT81673014299049953VCOWHG3LPC9"
}
]
},
{"rule_definition_id": "GR702BB5W9697AMH1673014299049NRELXIDSNQM6LO",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "NBVKFMT8WIFEYRT81673014299049953VCOWHG3LPC9"
}
]
},
{"rule_definition_id": "JU25XP2B4VM2H58U1673014299049SYW0UJWJR1AV3V",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(MohNoMoreResourcesAvailable)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "EOOKI7Q12GMY2V9C1673014299049B77T7S2RJGN61C"
}
]
},
{"rule_definition_id": "IGI9RIRV7H3SFJM316730142990498MP433YHQ875CG",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "EOOKI7Q12GMY2V9C1673014299049B77T7S2RJGN61C"
}
]
},
{"rule_definition_id": "SJF9CSKTE57P16MH1673014299049WL1ILONKACRMK7",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(ConferenceNoMoreResourcesAvailable)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "CM6ESG5ASICUGS8F1673014299049TUL6O24A2KGO3M"
}
]
},
{"rule_definition_id": "KMUTXGYKGL0EVQHR1673014299049FWGO4YVAX1EQGX",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "CM6ESG5ASICUGS8F1673014299049TUL6O24A2KGO3M"
}
]
},
{"rule_definition_id": "C6WFR4PU1X3I1TT616730142990491P737K9742WALJ",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(AnnunciatorNoMoreResourcesAvailable)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "ASPH1JIB1URE3TGI167301429904906HRWFLLB9TXLY"
}
]
},
{"rule_definition_id": "TCIGIOIH7CAHKWF5167301429904992XVE73D6BJ0XY",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "ASPH1JIB1URE3TGI167301429904906HRWFLLB9TXLY"
}
]
},
{"rule_definition_id": "GA3MRR0SB7Y7G2ES167301429904954K5YAWJL18YBJ",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(RsvpNoMoreResourcesAvailable)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "WY8G63PMPMYJ9TDG16730142990497OYRQ3L6K5EES7"
}
]
},
{"rule_definition_id": "FJBO4DLP0TOD4SKT1673014299049DSDW6K8H39A68S",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "WY8G63PMPMYJ9TDG16730142990497OYRQ3L6K5EES7"
}
]
},
{"rule_definition_id": "OTSP8CSVALQJ3C2O1673014299049DY0UKD3793VO7A",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(MaxCallsReached)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "H2AORH8UJ4V4JB391673014299049QNY7E0RI76849I"
}
]
},
{"rule_definition_id": "KY27LJNHWHWTRV0K167301429904901L0KYYW0IEGL4",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "H2AORH8UJ4V4JB391673014299049QNY7E0RI76849I"
}
]
},
{"rule_definition_id": "K7JTU2V9HFXDV7GV1673014299049AE4AHXN2QOE85L",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(DBLException)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "XY1LO7TTRNA0RQ9R1673014299049VEXJNO7MEFQVR7"
}
]
},
{"rule_definition_id": "UVXDPTCMIAIQLT2X1673014299049YDTGX31N9RAV0E",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "XY1LO7TTRNA0RQ9R1673014299049VEXJNO7MEFQVR7"
}
]
},
{"rule_definition_id": "CNXC0YBMRHTM0UO71673014299049MIC6RFKHNTEE08",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(ICTCallThrottlingStart)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "TAFQ8NWVAWU0BFC31673014299049DRQ9DHQQ22WDJ3"
}
]
},
{"rule_definition_id": "XLSOGJGDH3MHGEPC1673014299049KASA8UR41VL6FX",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "TAFQ8NWVAWU0BFC31673014299049DRQ9DHQQ22WDJ3"
}
]
},
{"rule_definition_id": "VFE2E16D3UAM4U8V1673014299049A4UQT3ASF78Q3H",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(ICTCallThrottlingEnd)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "O1F4S4B2AGOP3OUC1673014299049ULR9QJ3HFTA157"
}
]
},
{"rule_definition_id": "YHW6WG3EA1P6SW811673014299049CYRMG9NUK1SFB7",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "O1F4S4B2AGOP3OUC1673014299049ULR9QJ3HFTA157"
}
]
},
{"rule_definition_id": "XLYEHIM4AV248QJ71673014299049RC6ED0CQSMP5IV",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(CodeYellowEntry)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "UPOK0K7IJHIN3VA31673014299049YOOE06D5IA2XLO"
}
]
},
{"rule_definition_id": "JAP676YFOS1SN3S21673014299049F0RHBRKXXL8T93",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "UPOK0K7IJHIN3VA31673014299049YOOE06D5IA2XLO"
}
]
},
{"rule_definition_id": "YBSID1QMAFQ4NUNF1673014299049K3MRNF35W4WYWI",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(CodeYellowExit)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "AVGVLXC79UFD9DH516730142990492CYFX9F4UGVAO6"
}
]
},
{"rule_definition_id": "ULYG8DHKKM6E6QTI16730142990495BLD9FD7KTUD4N",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "AVGVLXC79UFD9DH516730142990492CYFX9F4UGVAO6"
}
]
},
{"rule_definition_id": "RVRAK39KISPC6CCM1673014299049XCXOEN8X4LWMYO",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(CodeRedEntry)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "EIFNRTUERT615GHS1673014299049P0HY5UB5SBPLF8"
}
]
},
{"rule_definition_id": "IWRGH2BHAVU6028W1673014299049IV3NTLFVD96MFU",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "EIFNRTUERT615GHS1673014299049P0HY5UB5SBPLF8"
}
]
},
{"rule_definition_id": "CXFF5CM5Y9V88Y4B167301429904926LOW1PU6HICLN",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(SignalCongestionEntry)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "AW0M4ULOHC3DKSY716730142990490FAJDB4PH68LGL"
}
]
},
{"rule_definition_id": "I11M8YQ9TFTYUBH116730142990493OAPRSN0DIDG9Y",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "AW0M4ULOHC3DKSY716730142990490FAJDB4PH68LGL"
}
]
},
{"rule_definition_id": "B6I12886FOLI9QD016730142990496X9JNBEU739MPC",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(SignalCongestionExit)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "HUBY1RTGO7TISDDS1673014299049ML1QQVQGY1D277"
}
]
},
{"rule_definition_id": "BMAIY2TJBJ5HE3GH1673014299049U89VGVEKJHJY5I",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "HUBY1RTGO7TISDDS1673014299049ML1QQVQGY1D277"
}
]
},
{"rule_definition_id": "DFHGOHODX9SDVK0H1673014299049TRFQDNS2UEVN82",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(MemoryThrottlingEntry)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "IU11PJ84SSEEO4I8167301429904956X7K5CK5GMQTG"
}
]
},
{"rule_definition_id": "H5KILE4DAXIWM8VI1673014299049YWFHA1PE2USYK8",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "IU11PJ84SSEEO4I8167301429904956X7K5CK5GMQTG"
}
]
},
{"rule_definition_id": "YQ41YEBOPLWXSJFU1673014299049T702AXPLSYORW8",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(MemoryThrottlingExit)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "QWYOQ9UFPJOC7Y3E16730142990499LTX2D5QX87EQN"
}
]
},
{"rule_definition_id": "UFQU4XXOJM779F5A1673014299049IJIRC8JVHK7Y4O",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "QWYOQ9UFPJOC7Y3E16730142990499LTX2D5QX87EQN"
}
]
},
{"rule_definition_id": "GUD8262F9SU895O11673014299049O4II4VVGBO9KI6",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(DeviceCloseMaxEventsExceeded)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "XTAY5RED8S990O2G1673014299049R3114SWGYK7HM7"
}
]
},
{"rule_definition_id": "SJI7NR4LCEW2SDIN1673014299049PYXIV6LAE33T8C",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "XTAY5RED8S990O2G1673014299049R3114SWGYK7HM7"
}
]
},
{"rule_definition_id": "ULAXVH58WPS05FDP1673014299049H3BJRNDSRGXTCT",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(MaliciousCall)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "X9KYIP6B07S443F71673014299049R5QTEUXVPRM9EM"
}
]
},
{"rule_definition_id": "F05PNJHGFB4AEHD11673014299049VU600MUUKSLSQE",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "X9KYIP6B07S443F71673014299049R5QTEUXVPRM9EM"
}
]
},
{"rule_definition_id": "C7RA75OCF687LML01673014299049GMYPGLJ1F70F9X",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(BeginThrottlingCallListBLFSubscriptions)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "IUS9KH1TRO3Q7QVG1673014299049LY7AILRVN8AVLY"
}
]
},
{"rule_definition_id": "BMV7ILB23GGC4KW61673014299049KRMVJ1ANKGPQB6",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "IUS9KH1TRO3Q7QVG1673014299049LY7AILRVN8AVLY"
}
]
},
{"rule_definition_id": "S4WTU8S5HF1P1ADO1673014299049OWSRQ3TSDEFN17",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(EndThrottlingCallListBLFSubscriptions)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "YKL7XMUOJO3TXNXA1673014299049W5UJ10GEC2K8XG"
}
]
},
{"rule_definition_id": "FTCAP2HKR7Q2FIUX1673014299049BFK7XV01GY0GXJ",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "YKL7XMUOJO3TXNXA1673014299049W5UJ10GEC2K8XG"
}
]
},
{"rule_definition_id": "AMBSNEQHED7RADSN1673014299049TV8YOH3DIH6YNB",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(PktCapServiceStarted)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "LRWH4KCN643AKXVK1673014299049BL2HXBBWJTOJSC"
}
]
},
{"rule_definition_id": "N4M33C74SY756P591673014299049RIU86A8LA90A6U",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "LRWH4KCN643AKXVK1673014299049BL2HXBBWJTOJSC"
}
]
},
{"rule_definition_id": "RFLVO9WSIWLALC7E1673014299049KB50F4EAOY9MSP",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(PktCapServiceStopped)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "O7GJNPLTB21JNFXX1673014299049KMBRPI9CTL3FSH"
}
]
},
{"rule_definition_id": "Q0VGRR9QAFF5NUCG1673014299049WRJJBJI9KEECQ9",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "O7GJNPLTB21JNFXX1673014299049KMBRPI9CTL3FSH"
}
]
},
{"rule_definition_id": "BLFKFG9T3JLTBFSA16730142990494CIF4KKXN2TKU2",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(PktCapOnDeviceStarted)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "YYOAMHSF5YQ6WFSO1673014299049I4AY3GWYL7VXMI"
}
]
},
{"rule_definition_id": "OGFLJV6OEWJJNUAU16730142990497DFIVEIO8JRBQA",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "YYOAMHSF5YQ6WFSO1673014299049I4AY3GWYL7VXMI"
}
]
},
{"rule_definition_id": "W2QI3V2M6LTBLEWV1673014299049MA8M47LMTXU89S",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(PktCapOnDeviceStopped)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "TCI8VJAWNMJ9NQNO1673014299049QAFLT80BQBX2E9"
}
]
},
{"rule_definition_id": "SUX1GJPX58C20G7R1673014299049KTQBLQ9248W95I",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "TCI8VJAWNMJ9NQNO1673014299049QAFLT80BQBX2E9"
}
]
},
{"rule_definition_id": "OTPGSTE0EIO73EF81673014299049GYKBV3UHBK3BQY",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(UserUserPrecedenceAlarm)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "Y3QTNO03UMLI1MC316730142990492T5ROO4TL0KLG3"
}
]
},
{"rule_definition_id": "XFH0RJTXDIPD7UO71673014299049UY60NB8PVRAVO3",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "Y3QTNO03UMLI1MC316730142990492T5ROO4TL0KLG3"
}
]
},
{"rule_definition_id": "WJ6PWRAX8B35EI0Y1673014299049CP665CUXJJO1L8",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(MultipleSIPTrunksToSamePeerAndLocalPort)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "P9LSPNCW0AIO3H371673014299049RP3Y14L9AI7PHJ"
}
]
},
{"rule_definition_id": "BC34XPX5D28FBBGD1673014299049YRXF3FWE6BI88F",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "P9LSPNCW0AIO3H371673014299049RP3Y14L9AI7PHJ"
}
]
},
{"rule_definition_id": "KMEHHQHRO48LWPU71673014299049EQB1XOGGIICT7V",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(NoFeatureLicense)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "LD32X6ISW9A9HW8L167301429904983TW0FXRVYLBPA"
}
]
},
{"rule_definition_id": "DW4KX9KGLMLDTMH31673014299049RXDDJ3O85LUIXO",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "LD32X6ISW9A9HW8L167301429904983TW0FXRVYLBPA"
}
]
},
{"rule_definition_id": "C7OQAR7I7WOVFHT41673014299049IINMQUTGDRVUEN",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(CMInitializationStateTime)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "P8FDA5FQHCBXQWMM16730142990495J2RB2DI0Y7LKD"
}
]
},
{"rule_definition_id": "VRCHSP9UN0P1VHDC16730142990499JVYCSBWTG4EPK",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "P8FDA5FQHCBXQWMM16730142990495J2RB2DI0Y7LKD"
}
]
},
{"rule_definition_id": "RVHCVPJQUF84RJQH1673014299049VB5QH7AB35KOUM",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(CMTotalInitializationStateTime)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "G8S30J2FSCXX1QOQ16730142990490QM6KP6HUEAWU8"
}
]
},
{"rule_definition_id": "AT0S6FYIRIT89XEO1673014299049K59GRQAYAD4IV3",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "G8S30J2FSCXX1QOQ16730142990490QM6KP6HUEAWU8"
}
]
},
{"rule_definition_id": "O64Y3HW4Y3SERJ7316730142990493KRVYWFG9YHKRT",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(CMOverallInitTimeExceeded)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "ER9CXM4QYPM73JMF1673014299049U9KU72371O59LD"
}
]
},
{"rule_definition_id": "MCNS72M81DCM2HIV1673014299049HS1XJJ30BBI6S1",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "ER9CXM4QYPM73JMF1673014299049U9KU72371O59LD"
}
]
},
{"rule_definition_id": "HM4EB24UKVCSHUWX1673014299049PDTTL67VWGG4BA",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(DigitAnalysisTimeoutAwaitingResponse)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "LWNLBCUBI9OUE2591673014299049NWYB2SIS68SMUR"
}
]
},
{"rule_definition_id": "OSO437DVV39TWDL81673014299049EB9NCHOVOFQ90J",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "LWNLBCUBI9OUE2591673014299049NWYB2SIS68SMUR"
}
]
},
{"rule_definition_id": "YDVPV9IVFAG3JNY81673014299049DVTXVH2P4VOXLX",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(InvalidIPNetPattern)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "H8VINT1LRD9I7UMS1673014299049EUY6CQT9SP6TGV"
}
]
},
{"rule_definition_id": "XVCF58FOTD49E3TU1673014299049IBUMM9MRQUSAD7",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "H8VINT1LRD9I7UMS1673014299049EUY6CQT9SP6TGV"
}
]
},
{"rule_definition_id": "O31JTXLOK0KDC1P7167301429904987LD4S1M8SXOFE",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(FailedToFulfillDirectiveFromPDP)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "GOXCM21G3SC2TS901673014299049Q0GEHFRX3TM77Q"
}
]
},
{"rule_definition_id": "G3M5CV9QUQ8POM6H1673014299049UBQ3KS04EY5AS7",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "GOXCM21G3SC2TS901673014299049Q0GEHFRX3TM77Q"
}
]
},
{"rule_definition_id": "VRNQWPSJTXC996Y31673014299049DB97671NPESCL2",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(FailureResponseFromPDP)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "P1RWP97EHEEKS6EU16730142990494TEWIC2UNPBDNV"
}
]
},
{"rule_definition_id": "V598OTFQY9K5QPE016730142990499631T2HPO057YH",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "P1RWP97EHEEKS6EU16730142990494TEWIC2UNPBDNV"
}
]
},
{"rule_definition_id": "L3EHJDMTKID0O5U116730142990499XMJSC72C1GQQD",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(ConnectionFailureToPDP)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "GL6G7M5NTVQ73QDC1673014299049XXSCNH3HCPV54J"
}
]
},
{"rule_definition_id": "IQOXVFJJ0H1XBNH116730142990494EXMFMII94N65A",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "GL6G7M5NTVQ73QDC1673014299049XXSCNH3HCPV54J"
}
]
},
{"rule_definition_id": "BRAB9JXSJTRM9U0P1673014299049NTDJ3P5WG9LC29",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(ConnectionToPDPInService)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "L1XICXU8A7GXTM9V1673014299049U3WY763NJNGCSO"
}
]
},
{"rule_definition_id": "K9KCT5TSLQ59O5AX1673014299049HRN4NQ7DUYPJ2Q",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "L1XICXU8A7GXTM9V1673014299049U3WY763NJNGCSO"
}
]
},
{"rule_definition_id": "K44YFLEWR30EH5I91673014299049H1D4971TDMDOJA",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(AwaitingResponseFromPDPTimeout)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "TLG8ECX4HPEQ7N6O1673014299049QMAFAVARFBGSEI"
}
]
},
{"rule_definition_id": "HYG6P17V9JVWMVNY16730142990499KUBQS5HXKYH2F",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "TLG8ECX4HPEQ7N6O1673014299049QMAFAVARFBGSEI"
}
]
},
{"rule_definition_id": "DKXV762POKELUFJC1673014299049B1YS17OP3U4AI7",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(ErrorParsingDirectiveFromPDP)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "BE9A9GOHPQGW6WEF1673014299049O9D027JA27OSS7"
}
]
},
{"rule_definition_id": "TM2TC9PK34O2TS9K1673014299049OXE0R5E230HLVG",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "BE9A9GOHPQGW6WEF1673014299049O9D027JA27OSS7"
}
]
},
{"rule_definition_id": "CAM4DF7YWLEH13OQ1673014299049MBVPMU0OXWID5F",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(ErrorParsingResponseFromPDP)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "W5GJBKHPA5JFBVS31673014299049J3XHPX17S65HFT"
}
]
},
{"rule_definition_id": "WAYPA6GWBO3OCVWC1673014299050TNMKWKYO7IOYII",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "W5GJBKHPA5JFBVS31673014299049J3XHPX17S65HFT"
}
]
},
{"rule_definition_id": "MO459BG3BSFLAJ291673014299050M4Q11IA5RJB0KW",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(CallAttemptBlockedByPolicy)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "N5VJX1FEE96539SG1673014299050AKIV6H5IGEYI26"
}
]
},
{"rule_definition_id": "T9NORTTWSRJXAFPM1673014299050WOSNCA4F6D6OJ7",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "N5VJX1FEE96539SG1673014299050AKIV6H5IGEYI26"
}
]
},
{"rule_definition_id": "KEGCEFKWIT9MEOVF1673014299050H0U1XEM23KUS5R",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(ServicePortOnline)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "B1WS3I0Y185QMG2216730142990506H79UEIVVT5OAL"
}
]
},
{"rule_definition_id": "OKX3QHB5BOW5IU8O167301429905081GSMV24XXWJE7",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "B1WS3I0Y185QMG2216730142990506H79UEIVVT5OAL"
}
]
},
{"rule_definition_id": "JN9TX7X3J9POQFUE16730142990500KJM1OM25FERY9",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(ServicePortOffline)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "FUG7XVSPI6A1C32V1673014299050NU2WF77G8AWQOM"
}
]
},
{"rule_definition_id": "UA13XO0SHAUCT7JI1673014299050H0T6OHTHMWRI57",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "FUG7XVSPI6A1C32V1673014299050NU2WF77G8AWQOM"
}
]
},
{"rule_definition_id": "NN8YC262ICN7E6YW1673014299050AX0NC0DRRH3X36",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(SuspiciousIPAddress)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "JAK11MGUEDIV0Y8E1673014299050RC7PWO6TYK2SNK"
}
]
},
{"rule_definition_id": "JC9NNMDAHC30T5W01673014299050GSLQJPDJ3SXGHP",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "JAK11MGUEDIV0Y8E1673014299050RC7PWO6TYK2SNK"
}
]
},
{"rule_definition_id": "HBULUYX8BKP8SUKM16730142990507ISY0GHKWBK9WY",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(LostConnectionToSAFForwarder)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "U8VFD9NFOL0RIEOO1673014299050BSSCW7W7U3IOIU"
}
]
},
{"rule_definition_id": "CDPMEDMJDPC9SAGV1673014299050875TB91SBC915N",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "U8VFD9NFOL0RIEOO1673014299050BSSCW7W7U3IOIU"
}
]
},
{"rule_definition_id": "OD8SRNAK1NFALSP81673014299050GRWVQHVRYKH6LY",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(SAFForwarderError)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "XUAT7T6C5GEUMEBM1673014299050S37PAKNK39ILOQ"
}
]
},
{"rule_definition_id": "YXBOIGGPU4QO8P8O1673014299050R8LG98FO3DXN66",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "XUAT7T6C5GEUMEBM1673014299050S37PAKNK39ILOQ"
}
]
},
{"rule_definition_id": "L5NRGUK7SNMCQ6DJ1673014299050DA2BPOP3KGDFVO",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(SAFUnknownService)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "CH6N387PNAS0R91B1673014299050LVFHA87TRUI6I1"
}
]
},
{"rule_definition_id": "HWAT3P6VRR5H66381673014299050LS55VOIIUMA7B3",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "CH6N387PNAS0R91B1673014299050LVFHA87TRUI6I1"
}
]
},
{"rule_definition_id": "RII0P5YKIK2ICGMB1673014299050OT43V8908LEP6D",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(SAFPublishRevoke)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "YMKJRLWGR5EUX5741673014299050N44NR7NJC1NK8L"
}
]
},
{"rule_definition_id": "E5IGG0BV5FBWPFA51673014299050NFCXVVA3HK5DOL",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "YMKJRLWGR5EUX5741673014299050N44NR7NJC1NK8L"
}
]
},
{"rule_definition_id": "DVOSO7P90UPLMQ8W1673014299050RFXHY1DOSQB9XW",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(SAFResponderError)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "JHJS6G6JMV15CO2M1673014299050B6T06TALROWAJ1"
}
]
},
{"rule_definition_id": "JD88RJ68REQWEUGD1673014299050LR32COAOVARXVM",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "JHJS6G6JMV15CO2M1673014299050B6T06TALROWAJ1"
}
]
},
{"rule_definition_id": "X3O5MW8W8UH5AJVU1673014299050IASLUU5SYXMONJ",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(DuplicateLearnedPattern)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "NKDPJS2KVO3WQS0A1673014299050GCLTSY5XD9D3XW"
}
]
},
{"rule_definition_id": "Y9GH9V5TYWWSBNHG1673014299050XC03YH2M0PYA4M",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "NKDPJS2KVO3WQS0A1673014299050GCLTSY5XD9D3XW"
}
]
},
{"rule_definition_id": "H68PPCY5PL2NRCHL1673014299050NTXD3E02POQ419",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(CCDIPReachableTimeOut)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "STIJTYUJMF11YWCT16730142990508D4VYTJ9I74CPP"
}
]
},
{"rule_definition_id": "UFVX8S72LIHNRABS1673014299050P7P1X8M36JLO9G",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "STIJTYUJMF11YWCT16730142990508D4VYTJ9I74CPP"
}
]
},
{"rule_definition_id": "BI6TMTPC5X33BCKX1673014299050X49JE1548PO3HC",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(CCDPSTNFailOverDurationTimeOut)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "WTCLK8FOH52CJM4F1673014299050ITD1VBYFOGEJ65"
}
]
},
{"rule_definition_id": "LW34EE6X9V9EETT91673014299050M1B3U5D6U57PLV",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "WTCLK8FOH52CJM4F1673014299050ITD1VBYFOGEJ65"
}
]
},
{"rule_definition_id": "HD75IO02AWXSSGM416730142990505QL9DWXF7Q75O4",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(CCDLearnedPatternLimitReached)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "HGRD12EMQDFQINVJ1673014299050FBHW38E8CTFMK9"
}
]
},
{"rule_definition_id": "XWU10HK84XP3ER0Y1673014299050SCDR9BDRA36US5",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "HGRD12EMQDFQINVJ1673014299050FBHW38E8CTFMK9"
}
]
},
{"rule_definition_id": "LKMNV6CIY3BH578J1673014299050AO0T7AQJ1ICRM1",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(DbInsertValidatedDIDFailure)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "SCP2BJ8EB8YU567C167301429905027PRQRJBQ9IYHO"
}
]
},
{"rule_definition_id": "S2MPEUV97DWLF5F516730142990502VOULAY2OPPE34",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "SCP2BJ8EB8YU567C167301429905027PRQRJBQ9IYHO"
}
]
},
{"rule_definition_id": "IREJXDHC95H7YQ881673014299050NUFACOXXG2J1VN",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(TCPSetupToIMEFailed)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "X1WNT1V8XISI3TS91673014299050MP55M8KRCJTDSP"
}
]
},
{"rule_definition_id": "LJU5XLKUPGW9MVA21673014299050UUOG5T3HCQAWME",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "X1WNT1V8XISI3TS91673014299050MP55M8KRCJTDSP"
}
]
},
{"rule_definition_id": "BF3SMGMK78VMXQ2O1673014299050HQYFWPWQGYWBYP",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(TLSConnectionToIMEFailed)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "NEYTB6YR8CSEILKM1673014299050XGF4TMJHF8VNQM"
}
]
},
{"rule_definition_id": "W1QO96JL2BPYFA761673014299050JTE8GOTHDF9GUU",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "NEYTB6YR8CSEILKM1673014299050XGF4TMJHF8VNQM"
}
]
},
{"rule_definition_id": "M6H4REK38WN55DGO1673014299050CPQHBUVIPUDN10",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(InvalidCredentials)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "JN0033I8RAB31E6P1673014299050HYJK5EPIXK0CC7"
}
]
},
{"rule_definition_id": "OYXM4HRKKROLADTA1673014299050OARHQP70DPVQII",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "JN0033I8RAB31E6P1673014299050HYJK5EPIXK0CC7"
}
]
},
{"rule_definition_id": "L3EJN32GH23P5IOK1673014299050C2OTBTKIUDEQYI",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(IMEOverQuota)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "OB56SFCEO155NTVX1673014299050Q2NXF2H8IOI6A4"
}
]
},
{"rule_definition_id": "LSBVGHXNE1YVGKF41673014299050KAKVWFDMWK3HFB",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "OB56SFCEO155NTVX1673014299050Q2NXF2H8IOI6A4"
}
]
},
{"rule_definition_id": "KPFAQQARTJQBA29L167301429905071GJK6XUAU8738",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(PublishFailedOverQuota)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "HXC4P3BHY9A4BP791673014299050XGECPFYJL08PUR"
}
]
},
{"rule_definition_id": "L1BBKLS3WMXO2SND1673014299050E3NN5F3OOU32S3",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "HXC4P3BHY9A4BP791673014299050XGECPFYJL08PUR"
}
]
},
{"rule_definition_id": "D5Q229I5NNA9W9RT1673014299050K4A3JLY8XPU26T",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(PublishFailed)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "K6KXHFTJLOB4SLYL1673014299050BDJG63EY6WJ2C7"
}
]
},
{"rule_definition_id": "NRJJA6UE4GCJUCWV1673014299050UWNKJDUC5080PJ",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "K6KXHFTJLOB4SLYL1673014299050BDJG63EY6WJ2C7"
}
]
},
{"rule_definition_id": "LUT6XJ37C39GBNLN1673014299050VN12VYKRXQFYUT",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(IMEDistributedCacheInactive)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "I6BVKYS1AFVSHAAC16730142990505KGLKA8AI30VJT"
}
]
},
{"rule_definition_id": "WO5V3VXSVBF1BBWX1673014299050KA9T8PBKUNAKRG",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "I6BVKYS1AFVSHAAC16730142990505KGLKA8AI30VJT"
}
]
},
{"rule_definition_id": "W55GM41NRSBKXPO516730142990500P1M3H8HTCGIPM",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(RejectedRoutes)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "RLM13RN0KRV7UJBS1673014299050TAACU5XP4NVTTS"
}
]
},
{"rule_definition_id": "K2FB4LTWBIF0TQR016730142990500FFVFVX9INAN9P",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "RLM13RN0KRV7UJBS1673014299050TAACU5XP4NVTTS"
}
]
},
{"rule_definition_id": "IYW6K2AVK2SKJG1E1673014299050N10N9A0GHXVR4V",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(PublicationRunCompleted)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "XSKQ6S0DIPRTI86U1673014299050NLBMJ0Y7WV8RCJ"
}
]
},
{"rule_definition_id": "EJ85RIJKXP1A6YXW1673014299050WNNEPOQHG8EHRG",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "XSKQ6S0DIPRTI86U1673014299050NLBMJ0Y7WV8RCJ"
}
]
},
{"rule_definition_id": "IG3TM9TEVU10NWXP1673014299050K0OUOMDSLAVWHM",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(RouteRemoved)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "MT04I30ACQI29W841673014299050WWK9MUAMT4WX2Y"
}
]
},
{"rule_definition_id": "FXEX4VWX8LI5SMI21673014299050XH0HBB9HUFR1WC",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "MT04I30ACQI29W841673014299050WWK9MUAMT4WX2Y"
}
]
},
{"rule_definition_id": "AO8QND34JUD3RGYK1673014299050M89XF0LOWA10KB",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(InsufficientFallbackIdentifiers)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "DBNCPE8HRNRRLTUB1673014299050R3KDKSBMMX5W29"
}
]
},
{"rule_definition_id": "PICA83YKBRNHG4GQ16730142990500DCTI9CG1QESQ8",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "DBNCPE8HRNRRLTUB1673014299050R3KDKSBMMX5W29"
}
]
},
{"rule_definition_id": "GSGS51VWT9S7FRJD1673014299050QVY2E89N8K1710",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(IMEQualityAlertEntry)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "V86WK3QVC225G80V16730142990507H29ELS88LRMOE"
}
]
},
{"rule_definition_id": "EDB9K2X1OV1UGOB11673014299050DKKJIJJ025JB8R",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "V86WK3QVC225G80V16730142990507H29ELS88LRMOE"
}
]
},
{"rule_definition_id": "TFD6NITAMINSJK7316730142990503ESJQ833589NQJ",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(IMEQualityAlertExit)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "SX0QRG81SP24WVAA1673014299050E132RDJXX21J51"
}
]
},
{"rule_definition_id": "RYV2O7O8DW4L28F91673014299050R2BXOK6YB6IN70",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "SX0QRG81SP24WVAA1673014299050E132RDJXX21J51"
}
]
},
{"rule_definition_id": "GTYG6W7XH63MM23X167301429905099MBIUYYF0SJRV",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(InvalidSubscription)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "F3CQA6BYDJREVTET1673014299050I04FATK1CIE125"
}
]
},
{"rule_definition_id": "POTANEKFD6MY5TOG1673014299050W59FIXJ3G1569Q",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "F3CQA6BYDJREVTET1673014299050I04FATK1CIE125"
}
]
},
{"rule_definition_id": "RIM605VRF9SWFROJ16730142990505XEYQQPLUBLY2K",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(FirewallMappingFailure)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "GO168H1DVNUPAT5P16730142990503JIKWBOQ2CHJWA"
}
]
},
{"rule_definition_id": "RXENHXUG75EM5O3V16730142990507HLP3CXC1U951D",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "GO168H1DVNUPAT5P16730142990503JIKWBOQ2CHJWA"
}
]
},
{"rule_definition_id": "VDAE5T8HP1QGPE9R1673014299050EM3HSWC6GCA9G0",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(ConflictingDataIE)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "K8F0YS7SGB3AV2D21673014299050QXKHR0B3S0LL46"
}
]
},
{"rule_definition_id": "FSCHF5RWKRSVE8H716730142990505JFL7H66AVTWVU",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "K8F0YS7SGB3AV2D21673014299050QXKHR0B3S0LL46"
}
]
},
{"rule_definition_id": "CWGYL1NVGPJWAAL31673014299050DXIDGSUWYE9KSY",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(CalledPartyTracing)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "WOOK6UGOCKE1GDUU1673014299050SIMJ0MLBFYSP8V"
}
]
},
{"rule_definition_id": "N7YLWM4YAFE8AMJI1673014299050JOF1SDF5HQ1WGQ",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "WOOK6UGOCKE1GDUU1673014299050SIMJ0MLBFYSP8V"
}
]
},
{"rule_definition_id": "PCXQPFNWHBW21K0F1673014299050HMV5CCTQAM7GBK",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(DestinationCodeControlCallBlocked)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "DEJ5MNUJ9NUSYWF71673014299050Q7INMFBIDUXWYT"
}
]
},
{"rule_definition_id": "XHQA32AMDE89G8KC1673014299050ORS40LQ0REB1UR",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "DEJ5MNUJ9NUSYWF71673014299050Q7INMFBIDUXWYT"
}
]
},
{"rule_definition_id": "LCYD7TDMFNC7NMNK1673014299050OP3N3B77GF71VK",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(CorruptedIncomingDMPropagationMessage)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "NLC2XL9GMAP3PYPV1673014299050UF9B31HB3ND8EQ"
}
]
},
{"rule_definition_id": "FUDSTNM5HLHYBY68167301429905082G4S4TMECULYH",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "NLC2XL9GMAP3PYPV1673014299050UF9B31HB3ND8EQ"
}
]
},
{"rule_definition_id": "HAGK4B6AI8U9T6041673014299050DSINQH7FTJ5YX9",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(UnEncryptedCallBlocked)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "PJ3LXJOJ4HF9C29O1673014299050MP2RR7WKJGABDE"
}
]
},
{"rule_definition_id": "MNJB519IFP2MWLQJ1673014299050KDD7DU0IJ0SK4B",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "PJ3LXJOJ4HF9C29O1673014299050MP2RR7WKJGABDE"
}
]
},
{"rule_definition_id": "KYYWOO8EYB9KA4DD1673014299050T1DARH3THJBO65",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(RecordingGatewayRegistrationRejected)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "KR9P7TLS2MEMJ3GO1673014299050A4N8FW8141UH3A"
}
]
},
{"rule_definition_id": "KSCIDWH1K9UNMT221673014299050G97O70H45T16GE",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "KR9P7TLS2MEMJ3GO1673014299050A4N8FW8141UH3A"
}
]
},
{"rule_definition_id": "DN231JXPQFN4VV5Q1673014299050JS78HVIK10KN6M",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(RecordingGatewayRegistrationTimeout)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "WERSTH6NC0EEYFWB1673014299050UDGMVANTCOK82F"
}
]
},
{"rule_definition_id": "USV4UG2NVOIBQ5YQ1673014299050K1SP7OIYTWEWU5",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "WERSTH6NC0EEYFWB1673014299050UDGMVANTCOK82F"
}
]
},
{"rule_definition_id": "IV6D78DB0VG2Y0KU1673014299050HRWY1FL95T637A",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(RecordingGatewayOutOfService)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "FBLG1F61ENU3MJT01673014299050T90O0OE0AJCII0"
}
]
},
{"rule_definition_id": "D2P0WBPHMQAYOVW71673014299050RUBSJXES7OMHQ6",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "FBLG1F61ENU3MJT01673014299050T90O0OE0AJCII0"
}
]
},
{"rule_definition_id": "R9X7FBDLWPXLIDPH1673014299050QQ40H9S2B9FM5M",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(RecordingGatewayInService)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "I4JCLUQFQQI4KK8Y1673014299050E1DRR7MOT2M55J"
}
]
},
{"rule_definition_id": "DCCCCTA27SHQEX3D1673014299050H4I2NL50ALBQD9",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "I4JCLUQFQQI4KK8Y1673014299050E1DRR7MOT2M55J"
}
]
},
{"rule_definition_id": "I15UNTRCTC9X5LND1673014299050SJXVAQTUTJ312G",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(RecordingGatewaySessionFailed)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "MXT9J0JN40KEC7KM1673014299050UDJKF1RGBQFDKQ"
}
]
},
{"rule_definition_id": "T9UDYMXXP2C40YCH167301429905019OC9NSWEXKTXM",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "MXT9J0JN40KEC7KM1673014299050UDJKF1RGBQFDKQ"
}
]
},
{"rule_definition_id": "MDIXLV6Q3MUB10J21673014299050LFNEAHGAO5E3R2",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(RecordingCallSetupFail)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "UJ4XR236UDKJW1AT1673014299050C8XWMPR31301A9"
}
]
},
{"rule_definition_id": "NDMSOOVUF2HWLMCH1673014299050C9WKBTKFB6U7X9",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "UJ4XR236UDKJW1AT1673014299050C8XWMPR31301A9"
}
]
},
{"rule_definition_id": "H48XMD9DN2EWS79416730142990505RXB4D2LCSLYRM",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(RecordingResourcesNotAvailable)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "CGPQKESH7UMUJ1XF1673014299050ORB5QI8IK0WYU2"
}
]
},
{"rule_definition_id": "KBH14F80CGKPFEK81673014299050LK22E4AOVJEQG9",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "CGPQKESH7UMUJ1XF1673014299050ORB5QI8IK0WYU2"
}
]
},
{"rule_definition_id": "CQ4KJUT21FQ149QG167301429905044FG256SKXNGIA",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(RecordingInvalidCallState)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "D9L856OY32XB6JM91673014299050N3Y067LG4080CI"
}
]
},
{"rule_definition_id": "TEDAN3GX8BFVXE5R1673014299050EXP7RX3E5L9FA7",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "D9L856OY32XB6JM91673014299050N3Y067LG4080CI"
}
]
},
{"rule_definition_id": "ARUWQK0KQULXS6E51673014299050J9G1FTNP3GT2AW",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(RecordingAlreadyInProgress)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "O3K2KRJ77BPTS9AC1673014299050L3BVL1MDBGMM97"
}
]
},
{"rule_definition_id": "J8JLLKPQAEGSNWVX1673014299050B81OS2W9FBUUPR",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "O3K2KRJ77BPTS9AC1673014299050L3BVL1MDBGMM97"
}
]
},
{"rule_definition_id": "DC0F7TJ0MJEJSD3R1673014299050EXXH06UG2GCSV3",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(RecordingSessionTerminatedUnexpectedly)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "JSHQYO69MY6RYMAF16730142990503EYLNEUIDJPY5L"
}
]
},
{"rule_definition_id": "FGDHF9SVR7DUW5HH1673014299050D5RRCDT3DGKXJJ",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "JSHQYO69MY6RYMAF16730142990503EYLNEUIDJPY5L"
}
]
},
{"rule_definition_id": "PD4PC9XLXEBH9VGU1673014299050P3OD6VVJK5NOWT",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(ILSDuplicateURI)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "UFRKTXSA78GOVYIX1673014299050OIEXHHDEGB7PQ1"
}
]
},
{"rule_definition_id": "L4PV7X7GUB3A49851673014299050HF7YYLP08ELARY",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "UFRKTXSA78GOVYIX1673014299050OIEXHHDEGB7PQ1"
}
]
},
{"rule_definition_id": "PDH6IU36MBWIN8GU1673014299050B2OEP1SQRI0E7C",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(CallingNumberNotConfiguredOnCallingDevice)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "JYN9NFQW5OR7TGFS1673014299050JVF6F44PUU4970"
}
]
},
{"rule_definition_id": "RAMOHQ802PSWH4CG1673014299050WRSWD8CCCN0RDF",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "JYN9NFQW5OR7TGFS1673014299050JVF6F44PUU4970"
}
]
},
{"rule_definition_id": "KK20Y49PLTKTRGPI1673014299050KFV21PFKCI3NTX",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(CallingLineNumberInconsistenciesCorrected)",
"description": "Alarm Name",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "MLWPQ3ERH9YJ5LGF16730142990509JLXCCYJACMCL1"
}
]
},
{"rule_definition_id": "MW0XB16WCEIN03VV1673014299050OXW86JS0SFGPI8",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*)",
"description": "Event Message",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "MLWPQ3ERH9YJ5LGF16730142990509JLXCCYJACMCL1"
}
]
},
{"rule_definition_id": "LG1BMX1HPKC99M2S1673014009480QH4R1YABQTP2NF",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "(DChannelOOS)",
"description": "Type",
"is_token": 1,
"correlation_rules": [{"correlation_rule_id": "PWWIW1OYNXH5OOV516730139740667UBU6AJXIDX6P5"
}
]
},
{"rule_definition_id": "J7Y63YMH3QCLJS5N1673014025102AW1X0URLGVP3B4",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "%UC.*?:\\s(.*?)$",
"description": "Details",
"is_token": 2,
"correlation_rules": [{"correlation_rule_id": "PWWIW1OYNXH5OOV516730139740667UBU6AJXIDX6P5"
}
]
},
{"rule_definition_id": "YC00TF2KXN2R8M3B1630697104760BATKKJ5F0G4LPX",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "@SAME(trapCtrlName:(.*?)\\s,)",
"description": "trapCtrlName",
"is_token": 1,
"correlation_rules": [{"correlation_rule_id": "MY2X859VR22GNOT81630697064451O9FGS3N8JPP28X"
}
]
},
{"rule_definition_id": "TDEIW40Q6EK2W8NY1630697136789JO32Y2QQHD81LD",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "@SAME(trapCtrlSerialNum:\"(.*?)\")",
"description": "SerialNum",
"is_token": 2,
"correlation_rules": [{"correlation_rule_id": "MY2X859VR22GNOT81630697064451O9FGS3N8JPP28X"
}
]
},
{"rule_definition_id": "AC01WY0SJJNLJYH61630697151047GX620SC2I5PHKD",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "trapSeverity:(major)",
"description": "Severity",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "MY2X859VR22GNOT81630697064451O9FGS3N8JPP28X"
}
]
},
{"rule_definition_id": "E1JX243S6CBYV0VA1630697394664SFORDIF293DCCM",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "@SAME(trapCtrlName:(.*?)\\s,)",
"description": "trapCtrlName",
"is_token": 1,
"correlation_rules": [{"correlation_rule_id": "L59R7FDQWNP0LTJH16306973946643BIDMN6QCMNMGW"
}
]
},
{"rule_definition_id": "WA2W1W2ARHTJKM4C16306973946654JCO9VU22A43SM",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "@SAME(trapCtrlSerialNum:\"(.*?)\")",
"description": "SerialNum",
"is_token": 2,
"correlation_rules": [{"correlation_rule_id": "L59R7FDQWNP0LTJH16306973946643BIDMN6QCMNMGW"
}
]
},
{"rule_definition_id": "KAPRPS2WK0VX5WWX1630697394665VXNNC3LBE4BHTK",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "trapSeverity:(notify)",
"description": "Severity",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "L59R7FDQWNP0LTJH16306973946643BIDMN6QCMNMGW"
}
]
},
{"rule_definition_id": "C2UVP4WGRBSGT7TN1553092689941B9UEIJR69FR4CQ",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "\\sUDP:\\s\\[(.*?)\\]:",
"description": "Source IP",
"is_token": 3,
"correlation_rules": [{"correlation_rule_id": "DEV8KHX8M3NT1W4J1553090841127Q2IIHOMRWA52X3"
}
]
},
{"rule_definition_id": "I4XP57B0KB867EY715530927123955LXOOWEESTU2MU",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "\\sAV-CMS-MIB::(avCmsTestAlarm)\\s",
"description": "MIB string",
"is_token": 4,
"correlation_rules": [{"correlation_rule_id": "DEV8KHX8M3NT1W4J1553090841127Q2IIHOMRWA52X3"
}
]
},
{"rule_definition_id": "WWONCCMY4JEINQWI15530928556765P8B9K8SM9AGX9",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "AV-AURA-SERVICEABILITY-AGENT-MIB::avAuraServAgentNotificationLogEventId\\s=\\sSTRING:\\s\"(.*?)\"",
"description": "Notification string",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "DEV8KHX8M3NT1W4J1553090841127Q2IIHOMRWA52X3"
}
]
},
{"rule_definition_id": "BA30QNOVAN1PM7TK1553093329119BGCKLOU1HOA0SQ",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "\\sUDP:\\s\\[(.*?)\\]:",
"description": "Source IP",
"is_token": 3,
"correlation_rules": [{"correlation_rule_id": "RN4NMGPCH2OUCMIP1553093329119954H6RHPV9RJWM"
}
]
},
{"rule_definition_id": "W25JKDLFUBGMI5FP1553093329119F43HJ87HQV52SH",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "\\sAV-CMS-MIB::(avCmsTestAlarmClr)\\s",
"description": "MIB string",
"is_token": 4,
"correlation_rules": [{"correlation_rule_id": "RN4NMGPCH2OUCMIP1553093329119954H6RHPV9RJWM"
}
]
},
{"rule_definition_id": "J2VJQL6PA6GLGR1415530933291195PWV1HS5U3Q250",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "AV-AURA-SERVICEABILITY-AGENT-MIB::avAuraServAgentNotificationLogEventId\\s=\\sSTRING:\\s\"(.*?)\"",
"description": "Notification string",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "RN4NMGPCH2OUCMIP1553093329119954H6RHPV9RJWM"
}
]
},
{"rule_definition_id": "QFKJ8AVVDQROJW3315530964875113UUGGD5MI4JOV2",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "\\sUDP:\\s\\[(.*?)\\]:",
"description": "Source IP",
"is_token": 3,
"correlation_rules": [{"correlation_rule_id": "HCHU6FWIVSVWMPFC1553096487511HCEJW5J0E0U75L"
}
]
},
{"rule_definition_id": "DJP885VWIT41648K1553096487511GVLRBMRD25NEI9",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "\\sAV-CMS-MIB::(avCmsEsAlarm)\\s",
"description": "MIB string",
"is_token": 4,
"correlation_rules": [{"correlation_rule_id": "HCHU6FWIVSVWMPFC1553096487511HCEJW5J0E0U75L"
}
]
},
{"rule_definition_id": "SAFLBTOBTNRMO08E1553096487511KAGLXDY94RHVJE",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "AV-AURA-SERVICEABILITY-AGENT-MIB::avAuraServAgentNotificationLogEventId\\s=\\sSTRING:\\s\"(.*?)\"",
"description": "Notification string",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "HCHU6FWIVSVWMPFC1553096487511HCEJW5J0E0U75L"
}
]
},
{"rule_definition_id": "B1UI3N0PLF3LR2EN15530965641123PRQLPHOY50CU7",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "\\sUDP:\\s\\[(.*?)\\]:",
"description": "Source IP",
"is_token": 3,
"correlation_rules": [{"correlation_rule_id": "X4R2XVXUBVEP88O415530965641123HQ7959OLMSATL"
}
]
},
{"rule_definition_id": "IQWQ8W6G2428EPOP1553096564112LDK78D49M1KDLE",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "\\sAV-CMS-MIB::(avCmsEsAlarmClr)\\s",
"description": "MIB string",
"is_token": 4,
"correlation_rules": [{"correlation_rule_id": "X4R2XVXUBVEP88O415530965641123HQ7959OLMSATL"
}
]
},
{"rule_definition_id": "KIC4SXK4BS14JHIH1553096564112WSHOOLCTMW8LVA",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "AV-AURA-SERVICEABILITY-AGENT-MIB::avAuraServAgentNotificationLogEventId\\s=\\sSTRING:\\s\"(.*?)\"",
"description": "Notification string",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "X4R2XVXUBVEP88O415530965641123HQ7959OLMSATL"
}
]
},
{"rule_definition_id": "OWY6W4YQONLH0NUW1553096612734SLS2KTBGYV2MXS",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "\\sUDP:\\s\\[(.*?)\\]:",
"description": "Source IP",
"is_token": 3,
"correlation_rules": [{"correlation_rule_id": "S5VRRQR13B7VUL0D1553096612734IT5XKEG94KTQYR"
}
]
},
{"rule_definition_id": "W8M8YOAQY0SUSYAV1553096612734S205D9FIF27VVH",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "\\sAV-CMS-MIB::(avCmsLinkAlarm)\\s",
"description": "MIB string",
"is_token": 4,
"correlation_rules": [{"correlation_rule_id": "S5VRRQR13B7VUL0D1553096612734IT5XKEG94KTQYR"
}
]
},
{"rule_definition_id": "AJ91CP4BNI77C81N15530966127348TMVRMP1WFGN35",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "AV-AURA-SERVICEABILITY-AGENT-MIB::avAuraServAgentNotificationLogEventId\\s=\\sSTRING:\\s\"(.*?)\"",
"description": "Notification string",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "S5VRRQR13B7VUL0D1553096612734IT5XKEG94KTQYR"
}
]
},
{"rule_definition_id": "X4Q6F0W9W06419I3155309664786985X2X5J0NND9FS",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "\\sUDP:\\s\\[(.*?)\\]:",
"description": "Source IP",
"is_token": 3,
"correlation_rules": [{"correlation_rule_id": "C7HOCBMDN65DDYG71553096647869N8I791BWLATL9S"
}
]
},
{"rule_definition_id": "NVQPRBPI1950GULS1553096647869WI1CUT072CJA03",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "\\sAV-CMS-MIB::(avCmsLinkAlarmClr)\\s",
"description": "MIB string",
"is_token": 4,
"correlation_rules": [{"correlation_rule_id": "C7HOCBMDN65DDYG71553096647869N8I791BWLATL9S"
}
]
},
{"rule_definition_id": "PYK4WHH27Q9P047G1553096647869OULD8DTVLV8LDS",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "AV-AURA-SERVICEABILITY-AGENT-MIB::avAuraServAgentNotificationLogEventId\\s=\\sSTRING:\\s\"(.*?)\"",
"description": "Notification string",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "C7HOCBMDN65DDYG71553096647869N8I791BWLATL9S"
}
]
},
{"rule_definition_id": "BDIT89SR4HDMNVYI1553096699989UV2NTUWLVOB1YN",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "\\sUDP:\\s\\[(.*?)\\]:",
"description": "Source IP",
"is_token": 3,
"correlation_rules": [{"correlation_rule_id": "SL5AHFDQURGP3G1D1553096699989N5UDVT79A1NN1A"
}
]
},
{"rule_definition_id": "VW49PMUBVYTP1CUN15530966999890YDOYKH9YLFV9T",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "\\sAV-CMS-MIB::(avCmsArchAlarm)\\s",
"description": "MIB string",
"is_token": 4,
"correlation_rules": [{"correlation_rule_id": "SL5AHFDQURGP3G1D1553096699989N5UDVT79A1NN1A"
}
]
},
{"rule_definition_id": "SXJC5KRFUYRWA6X91553096699989IM0FJHXLHRVWKH",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "AV-AURA-SERVICEABILITY-AGENT-MIB::avAuraServAgentNotificationLogEventId\\s=\\sSTRING:\\s\"(.*?)\"",
"description": "Notification string",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "SL5AHFDQURGP3G1D1553096699989N5UDVT79A1NN1A"
}
]
},
{"rule_definition_id": "T071KA1HO8437L7L1553096746091EJNOF6PQXLIL0T",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "\\sUDP:\\s\\[(.*?)\\]:",
"description": "Source IP",
"is_token": 3,
"correlation_rules": [{"correlation_rule_id": "I721MO4S27FY295L1553096746091SSPW6TO8921TIK"
}
]
},
{"rule_definition_id": "XCS1QRQJ529G0KAP15530967460912TE5YN6RUJSFVJ",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "\\sAV-CMS-MIB::(avCmsArchAlarmClr)\\s",
"description": "MIB string",
"is_token": 4,
"correlation_rules": [{"correlation_rule_id": "I721MO4S27FY295L1553096746091SSPW6TO8921TIK"
}
]
},
{"rule_definition_id": "XMDA9AT9VVHBACLW1553096746091R94YS96Y4F3PQW",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "AV-AURA-SERVICEABILITY-AGENT-MIB::avAuraServAgentNotificationLogEventId\\s=\\sSTRING:\\s\"(.*?)\"",
"description": "Notification string",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "I721MO4S27FY295L1553096746091SSPW6TO8921TIK"
}
]
},
{"rule_definition_id": "FA02T2Q112NJK5KF1553096784825RUIV5GP3IAMEVE",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "\\sUDP:\\s\\[(.*?)\\]:",
"description": "Source IP",
"is_token": 3,
"correlation_rules": [{"correlation_rule_id": "Y8F8LS2DFIDH9VQC155309678482550SQXNIC462G66"
}
]
},
{"rule_definition_id": "RW54VHKN3QR7T4Y515530967848256WBS5D4DEPTUHW",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "\\sAV-CMS-MIB::(avCmsDiskErrAlarm)\\s",
"description": "MIB string",
"is_token": 4,
"correlation_rules": [{"correlation_rule_id": "Y8F8LS2DFIDH9VQC155309678482550SQXNIC462G66"
}
]
},
{"rule_definition_id": "AUX1LEJP9CLGAY1R1553096784825L34M31PLI8MW1D",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "AV-AURA-SERVICEABILITY-AGENT-MIB::avAuraServAgentNotificationLogEventId\\s=\\sSTRING:\\s\"(.*?)\"",
"description": "Notification string",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "Y8F8LS2DFIDH9VQC155309678482550SQXNIC462G66"
}
]
},
{"rule_definition_id": "MX5GK6D0AT9FQFXG1553096951796PWD8NRLL9D8SL2",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "\\sUDP:\\s\\[(.*?)\\]:",
"description": "Source IP",
"is_token": 3,
"correlation_rules": [{"correlation_rule_id": "CVU9N3W923NTF9J61553096951796WRORO9UFEVPT5F"
}
]
},
{"rule_definition_id": "KPAX9UVMGWV9SR4G1553096951796J3CNVOHI5ETI9D",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "\\sAV-CMS-MIB::(avCmsDiskErrAlarmClr)\\s",
"description": "MIB string",
"is_token": 4,
"correlation_rules": [{"correlation_rule_id": "CVU9N3W923NTF9J61553096951796WRORO9UFEVPT5F"
}
]
},
{"rule_definition_id": "VNDB4BNSHEBESMHF1553096951796X6257NHLN6RJ27",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "AV-AURA-SERVICEABILITY-AGENT-MIB::avAuraServAgentNotificationLogEventId\\s=\\sSTRING:\\s\"(.*?)\"",
"description": "Notification string",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "CVU9N3W923NTF9J61553096951796WRORO9UFEVPT5F"
}
]
},
{"rule_definition_id": "GUPXYJ1J7P64GTHB15531037458057COHB0KF9PBL3Y",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "\\sUDP:\\s\\[(.*?)\\]:",
"description": "Source IP",
"is_token": 3,
"correlation_rules": [{"correlation_rule_id": "K160QEY8YLTO3W2X1553103745805ETVT2V47TROVF4"
}
]
},
{"rule_definition_id": "B34RLKS55UV1GBO115531037458055EHEPR8UGJI9WQ",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "\\sAV-CMS-MIB::(avCmsEchWarnAlarm)\\s",
"description": "MIB string",
"is_token": 4,
"correlation_rules": [{"correlation_rule_id": "K160QEY8YLTO3W2X1553103745805ETVT2V47TROVF4"
}
]
},
{"rule_definition_id": "VBGL5C97B75D8QPU1553103745805H6XEXJQPO8VPYK",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "AV-AURA-SERVICEABILITY-AGENT-MIB::avAuraServAgentNotificationLogEventId\\s=\\sSTRING:\\s\"(.*?)\"",
"description": "Notification string",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "K160QEY8YLTO3W2X1553103745805ETVT2V47TROVF4"
}
]
},
{"rule_definition_id": "WXQX9NB993AGSXV31553103850644HHXI09HMO53CVH",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "\\sUDP:\\s\\[(.*?)\\]:",
"description": "Source IP",
"is_token": 3,
"correlation_rules": [{"correlation_rule_id": "RJ74LN78UBAJQUVS15531038506449E56E8FYQYCUBE"
}
]
},
{"rule_definition_id": "KV8LMNMRR5OAGJBX1553103850644DVONQVRCGQI0PC",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "\\sAV-CMS-MIB::(avCmsEchWarnAlarmClr)\\s",
"description": "MIB string",
"is_token": 4,
"correlation_rules": [{"correlation_rule_id": "RJ74LN78UBAJQUVS15531038506449E56E8FYQYCUBE"
}
]
},
{"rule_definition_id": "PJTPNCOX8MAJN71E1553103850644D4YQEDN574UAMG",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "AV-AURA-SERVICEABILITY-AGENT-MIB::avAuraServAgentNotificationLogEventId\\s=\\sSTRING:\\s\"(.*?)\"",
"description": "Notification string",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "RJ74LN78UBAJQUVS15531038506449E56E8FYQYCUBE"
}
]
},
{"rule_definition_id": "NY3S2MQW6LG0BXU11553103894271WE5E9JKD0FECUK",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "\\sUDP:\\s\\[(.*?)\\]:",
"description": "Source IP",
"is_token": 3,
"correlation_rules": [{"correlation_rule_id": "MG8L0R2GQVQB829O1553103894270PA5PWYNQXL5NPH"
}
]
},
{"rule_definition_id": "EVPU5QR4VCNYW7UO1553103894271QC2D2ML9MEKHXY",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "\\sAV-CMS-MIB::(avCmsEchFailAlarm)\\s",
"description": "MIB string",
"is_token": 4,
"correlation_rules": [{"correlation_rule_id": "MG8L0R2GQVQB829O1553103894270PA5PWYNQXL5NPH"
}
]
},
{"rule_definition_id": "A561R9YN3709H80W15531038942710LMDPYDIPBTX80",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "AV-AURA-SERVICEABILITY-AGENT-MIB::avAuraServAgentNotificationLogEventId\\s=\\sSTRING:\\s\"(.*?)\"",
"description": "Notification string",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "MG8L0R2GQVQB829O1553103894270PA5PWYNQXL5NPH"
}
]
},
{"rule_definition_id": "S2ILOULUPUOX0UC21553103942173TG9U16DQ8UFOJ0",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "\\sUDP:\\s\\[(.*?)\\]:",
"description": "Source IP",
"is_token": 3,
"correlation_rules": [{"correlation_rule_id": "FW2IV29XRW9RV34V1553103942173FFNX2RGFG9HCR2"
}
]
},
{"rule_definition_id": "WETY9YPOXSPD8JYD1553103942174AW5WOS2TSOSEPF",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "\\sAV-CMS-MIB::(avCmsEchFailAlarmClr)\\s",
"description": "MIB string",
"is_token": 4,
"correlation_rules": [{"correlation_rule_id": "FW2IV29XRW9RV34V1553103942173FFNX2RGFG9HCR2"
}
]
},
{"rule_definition_id": "HVE7PBBKTOJQYMSV15531039421749O3P2H1YD9RMFH",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "AV-AURA-SERVICEABILITY-AGENT-MIB::avAuraServAgentNotificationLogEventId\\s=\\sSTRING:\\s\"(.*?)\"",
"description": "Notification string",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "FW2IV29XRW9RV34V1553103942173FFNX2RGFG9HCR2"
}
]
},
{"rule_definition_id": "VJPW0R7YBXD1OJYU1553106646610ARYTI4EKN94WON",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "\\sUDP:\\s\\[(.*?)\\]:",
"description": "Source IP",
"is_token": 3,
"correlation_rules": [{"correlation_rule_id": "OJ3GSPY6JAD2DKTV155310664660944SQWMNH3C1P1E"
}
]
},
{"rule_definition_id": "EDHW2N4GTUJ4I15K1553106646610W1S0MEHEHE7UXE",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "\\sAV-CMS-MIB::(avCmsSurvAlarm)\\s",
"description": "MIB string",
"is_token": 4,
"correlation_rules": [{"correlation_rule_id": "OJ3GSPY6JAD2DKTV155310664660944SQWMNH3C1P1E"
}
]
},
{"rule_definition_id": "KLJLEPYN4N4RT15315531066466118N3V9YRDLR1JEQ",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "AV-AURA-SERVICEABILITY-AGENT-MIB::avAuraServAgentNotificationLogEventId\\s=\\sSTRING:\\s\"(.*?)\"",
"description": "Notification string",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "OJ3GSPY6JAD2DKTV155310664660944SQWMNH3C1P1E"
}
]
},
{"rule_definition_id": "GMTY4FCVV4WJADTK1553106687040VN02YDUMKH02GS",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "\\sUDP:\\s\\[(.*?)\\]:",
"description": "Source IP",
"is_token": 3,
"correlation_rules": [{"correlation_rule_id": "YI5WX28DT7RICKET1553106687040WQ5JNUFI81CVUO"
}
]
},
{"rule_definition_id": "V198PWL6YRLQQMV71553106687040GETFS29DS11OUE",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "\\sAV-CMS-MIB::(avCmsSurvAlarmClr)\\s",
"description": "MIB string",
"is_token": 4,
"correlation_rules": [{"correlation_rule_id": "YI5WX28DT7RICKET1553106687040WQ5JNUFI81CVUO"
}
]
},
{"rule_definition_id": "M3M77ENWQF31GONX1553106687040EYDDSC95LPEH93",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "AV-AURA-SERVICEABILITY-AGENT-MIB::avAuraServAgentNotificationLogEventId\\s=\\sSTRING:\\s\"(.*?)\"",
"description": "Notification string",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "YI5WX28DT7RICKET1553106687040WQ5JNUFI81CVUO"
}
]
},
{"rule_definition_id": "UEHCF4GY65HJA6DX155310671003687203VP5N69I7Y",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "\\sUDP:\\s\\[(.*?)\\]:",
"description": "Source IP",
"is_token": 3,
"correlation_rules": [{"correlation_rule_id": "F3796UFL7K20XBHT15531067100353RV0FE6IN07A9Y"
}
]
},
{"rule_definition_id": "DNV6XMRLYA8LNRXL1553106710036P19BAJOHM8XKIX",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "\\sAV-CMS-MIB::(avCmsDiskWarn)\\s",
"description": "MIB string",
"is_token": 4,
"correlation_rules": [{"correlation_rule_id": "F3796UFL7K20XBHT15531067100353RV0FE6IN07A9Y"
}
]
},
{"rule_definition_id": "LJWEG7S3SMA6SSQ31553106710036233P1UBYPQ7O93",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "AV-AURA-SERVICEABILITY-AGENT-MIB::avAuraServAgentNotificationLogEventId\\s=\\sSTRING:\\s\"(.*?)\"",
"description": "Notification string",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "F3796UFL7K20XBHT15531067100353RV0FE6IN07A9Y"
}
]
},
{"rule_definition_id": "PXGWUWQQ41EQ2PUL1553106788707ELS9JG939LC9CM",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "\\sUDP:\\s\\[(.*?)\\]:",
"description": "Source IP",
"is_token": 3,
"correlation_rules": [{"correlation_rule_id": "FC6V6T9WFIHTJUUP1553106788707MOCDT7S4CFRQCH"
}
]
},
{"rule_definition_id": "UPVID0L5F4MCFJMG1553106788707HB2LGXQN6YO9G0",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "\\sAV-CMS-MIB::(avCmsDiskWarnClr)\\s",
"description": "MIB string",
"is_token": 4,
"correlation_rules": [{"correlation_rule_id": "FC6V6T9WFIHTJUUP1553106788707MOCDT7S4CFRQCH"
}
]
},
{"rule_definition_id": "H9O74ENS3A1PBSIE15531067887078Q9R9OA6TCH43O",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "AV-AURA-SERVICEABILITY-AGENT-MIB::avAuraServAgentNotificationLogEventId\\s=\\sSTRING:\\s\"(.*?)\"",
"description": "Notification string",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "FC6V6T9WFIHTJUUP1553106788707MOCDT7S4CFRQCH"
}
]
},
{"rule_definition_id": "VCCJYNOE3APK3DDM1553106963058AD5DHJAXYJHTYJ",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "\\sUDP:\\s\\[(.*?)\\]:",
"description": "Source IP",
"is_token": 3,
"correlation_rules": [{"correlation_rule_id": "GLVLCGK05LP0GTHM15531069630581CSYV6D0J74927"
}
]
},
{"rule_definition_id": "W87BRO24XG4DT9WT1553106963059VI1403EVTNI6JV",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "\\sAV-CMS-MIB::(avCmsBatteryErr)\\s",
"description": "MIB string",
"is_token": 4,
"correlation_rules": [{"correlation_rule_id": "GLVLCGK05LP0GTHM15531069630581CSYV6D0J74927"
}
]
},
{"rule_definition_id": "HYFO7RTX0EC2KEOL15531069630592BLNF7M74D3ALF",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "AV-AURA-SERVICEABILITY-AGENT-MIB::avAuraServAgentNotificationLogEventId\\s=\\sSTRING:\\s\"(.*?)\"",
"description": "Notification string",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "GLVLCGK05LP0GTHM15531069630581CSYV6D0J74927"
}
]
},
{"rule_definition_id": "MCYEI0NRS67OEH4Y155310703394445GN2XQMEC3THK",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "\\sUDP:\\s\\[(.*?)\\]:",
"description": "Source IP",
"is_token": 3,
"correlation_rules": [{"correlation_rule_id": "BPAFYIHDXVHRJ1OB1553107033944P8G3UJTDIJ0V2V"
}
]
},
{"rule_definition_id": "WEWI2VA2QS4JYMP815531070339445VAU592X6WICBD",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "\\sAV-CMS-MIB::(avCmsBatteryErrClr)\\s",
"description": "MIB string",
"is_token": 4,
"correlation_rules": [{"correlation_rule_id": "BPAFYIHDXVHRJ1OB1553107033944P8G3UJTDIJ0V2V"
}
]
},
{"rule_definition_id": "HAI1WXUV9MBWQMFG15531070339448PL2G8W1LCHQBE",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "AV-AURA-SERVICEABILITY-AGENT-MIB::avAuraServAgentNotificationLogEventId\\s=\\sSTRING:\\s\"(.*?)\"",
"description": "Notification string",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "BPAFYIHDXVHRJ1OB1553107033944P8G3UJTDIJ0V2V"
}
]
},
{"rule_definition_id": "KB983IB1D7QW2NM415531070608655MMR661CM1V7N0",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "\\sUDP:\\s\\[(.*?)\\]:",
"description": "Source IP",
"is_token": 3,
"correlation_rules": [{"correlation_rule_id": "WSUQQ4PPES7W247D1553107060865D9EN1R7V8XVMLR"
}
]
},
{"rule_definition_id": "XYX48S3MEXW3MIS61553107060865TWJ2A4WPNTVCTD",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "\\sAV-CMS-MIB::(avCmsBatteryWrn)\\s",
"description": "MIB string",
"is_token": 4,
"correlation_rules": [{"correlation_rule_id": "WSUQQ4PPES7W247D1553107060865D9EN1R7V8XVMLR"
}
]
},
{"rule_definition_id": "X25YNAO8REIHNS411553107060866MAHNXSRW2SJ7MG",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "AV-AURA-SERVICEABILITY-AGENT-MIB::avAuraServAgentNotificationLogEventId\\s=\\sSTRING:\\s\"(.*?)\"",
"description": "Notification string",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "WSUQQ4PPES7W247D1553107060865D9EN1R7V8XVMLR"
}
]
},
{"rule_definition_id": "PPCAKL5AWU856QB41553107137815W3PSIHGVHLE2H2",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "\\sUDP:\\s\\[(.*?)\\]:",
"description": "Source IP",
"is_token": 3,
"correlation_rules": [{"correlation_rule_id": "NVVAKBE7PDNU5WKP155310713781517KPKKHMGPK8OT"
}
]
},
{"rule_definition_id": "TYN31CJMX1K3BXM61553107137815N6CNY1DO72G3L5",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "\\sAV-CMS-MIB::(avCmsBatteryWrnClr)\\s",
"description": "MIB string",
"is_token": 4,
"correlation_rules": [{"correlation_rule_id": "NVVAKBE7PDNU5WKP155310713781517KPKKHMGPK8OT"
}
]
},
{"rule_definition_id": "H429ML0CNVDB7VDN15531071378150IAKLIKXCVJCEL",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "AV-AURA-SERVICEABILITY-AGENT-MIB::avAuraServAgentNotificationLogEventId\\s=\\sSTRING:\\s\"(.*?)\"",
"description": "Notification string",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "NVVAKBE7PDNU5WKP155310713781517KPKKHMGPK8OT"
}
]
},
{"rule_definition_id": "OT6AWLWK4CIA27U61553107288812T8LO3HWL95590D",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "\\sUDP:\\s\\[(.*?)\\]:",
"description": "Source IP",
"is_token": 3,
"correlation_rules": [{"correlation_rule_id": "S86E1NGS89KKG36W1553107288812O3FMMAY2RWQ5BM"
}
]
},
{"rule_definition_id": "KN6MS9H620PH804O1553107288812GGTHR2OXJXPAXX",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "\\sAV-CMS-MIB::(avCmsRaidErr)\\s",
"description": "MIB string",
"is_token": 4,
"correlation_rules": [{"correlation_rule_id": "S86E1NGS89KKG36W1553107288812O3FMMAY2RWQ5BM"
}
]
},
{"rule_definition_id": "XDH26W0QJQ24S6FB1553107288812PN17J0PX218YBN",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "AV-AURA-SERVICEABILITY-AGENT-MIB::avAuraServAgentNotificationLogEventId\\s=\\sSTRING:\\s\"(.*?)\"",
"description": "Notification string",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "S86E1NGS89KKG36W1553107288812O3FMMAY2RWQ5BM"
}
]
},
{"rule_definition_id": "WH5KO8PLU18OW64K15531073412258WHFMNART8BT7J",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "\\sUDP:\\s\\[(.*?)\\]:",
"description": "Source IP",
"is_token": 3,
"correlation_rules": [{"correlation_rule_id": "EVSX48HCDRMXUEXO1553107341225OYHKY8E984FUN7"
}
]
},
{"rule_definition_id": "U6PR8278C1D5XKQG155310734122672GSGEDKO2IFFG",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "\\sAV-CMS-MIB::(avCmsRaidErrClr)\\s",
"description": "MIB string",
"is_token": 4,
"correlation_rules": [{"correlation_rule_id": "EVSX48HCDRMXUEXO1553107341225OYHKY8E984FUN7"
}
]
},
{"rule_definition_id": "IJJI3VVB4W2NRSCQ1553107341226DV1U0RKT1O1ODJ",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "AV-AURA-SERVICEABILITY-AGENT-MIB::avAuraServAgentNotificationLogEventId\\s=\\sSTRING:\\s\"(.*?)\"",
"description": "Notification string",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "EVSX48HCDRMXUEXO1553107341225OYHKY8E984FUN7"
}
]
},
{"rule_definition_id": "EAQJISMDD15K01CA1553107387857Y2NK3S9QVHKJSB",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "\\sUDP:\\s\\[(.*?)\\]:",
"description": "Source IP",
"is_token": 3,
"correlation_rules": [{"correlation_rule_id": "SKIN4RUGPE1NUMEW1553107387857V7N3J0CEIAWEQY"
}
]
},
{"rule_definition_id": "CDBCJ6GUREXVG0WY1553107387857KN7Y1MURBW7E8V",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "\\sAV-CMS-MIB::(avCmsRaidWrn)\\s",
"description": "MIB string",
"is_token": 4,
"correlation_rules": [{"correlation_rule_id": "SKIN4RUGPE1NUMEW1553107387857V7N3J0CEIAWEQY"
}
]
},
{"rule_definition_id": "HMD884J5HY91F1A31553107387857Y0968OKCLC5HOI",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "AV-AURA-SERVICEABILITY-AGENT-MIB::avAuraServAgentNotificationLogEventId\\s=\\sSTRING:\\s\"(.*?)\"",
"description": "Notification string",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "SKIN4RUGPE1NUMEW1553107387857V7N3J0CEIAWEQY"
}
]
},
{"rule_definition_id": "MVOBQ5JLJDJBHGKM1553107435061DE1U46CD7E8JOS",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "\\sUDP:\\s\\[(.*?)\\]:",
"description": "Source IP",
"is_token": 3,
"correlation_rules": [{"correlation_rule_id": "WT28PSKM0F37J3KI1553107435061D05E25PSUB3RSK"
}
]
},
{"rule_definition_id": "ERPDW82BYBHT9FDY1553107435061QHUOOIES1CJEXG",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "\\sAV-CMS-MIB::(avCmsRaidWrn)\\s",
"description": "MIB string",
"is_token": 4,
"correlation_rules": [{"correlation_rule_id": "WT28PSKM0F37J3KI1553107435061D05E25PSUB3RSK"
}
]
},
{"rule_definition_id": "XHHTMKHF1P333F8215531074350619T857Y58XRCQ6F",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "AV-AURA-SERVICEABILITY-AGENT-MIB::avAuraServAgentNotificationLogEventId\\s=\\sSTRING:\\s\"(.*?)\"",
"description": "Notification string",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "WT28PSKM0F37J3KI1553107435061D05E25PSUB3RSK"
}
]
},
{"rule_definition_id": "GS8SJ132UE8XBOIE1553107493156NG2FXWEAS0FH4N",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "\\sUDP:\\s\\[(.*?)\\]:",
"description": "Source IP",
"is_token": 3,
"correlation_rules": [{"correlation_rule_id": "M5KPFA0LPB109AD61553107493156I1S5KF2UIBDYY7"
}
]
},
{"rule_definition_id": "MXDL6Q3IMID9K5H51553107493156ITNSKDIS63FA2V",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "\\sAV-CMS-MIB::(avCmsBackWrn)\\s",
"description": "MIB string",
"is_token": 4,
"correlation_rules": [{"correlation_rule_id": "M5KPFA0LPB109AD61553107493156I1S5KF2UIBDYY7"
}
]
},
{"rule_definition_id": "EQJ65TVRT8YL9RVT15531074931564C9IOWRCFQ8SGO",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "AV-AURA-SERVICEABILITY-AGENT-MIB::avAuraServAgentNotificationLogEventId\\s=\\sSTRING:\\s\"(.*?)\"",
"description": "Notification string",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "M5KPFA0LPB109AD61553107493156I1S5KF2UIBDYY7"
}
]
},
{"rule_definition_id": "TO0SURG47PAO25DQ1553107527480FJYVSKJY3FVYF7",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "\\sUDP:\\s\\[(.*?)\\]:",
"description": "Source IP",
"is_token": 3,
"correlation_rules": [{"correlation_rule_id": "PO6P2IVHDYMX8KAC1553107527480H1R00JL52AC4VL"
}
]
},
{"rule_definition_id": "OTKJCX3URF9E5VEO1553107527480OFII5YQLMTCH3I",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "\\sAV-CMS-MIB::(avCmsBackWrnClr)\\s",
"description": "MIB string",
"is_token": 4,
"correlation_rules": [{"correlation_rule_id": "PO6P2IVHDYMX8KAC1553107527480H1R00JL52AC4VL"
}
]
},
{"rule_definition_id": "PSP7KYNSH03GRV1H1553107527480EOX7B8A45MXS5V",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "AV-AURA-SERVICEABILITY-AGENT-MIB::avAuraServAgentNotificationLogEventId\\s=\\sSTRING:\\s\"(.*?)\"",
"description": "Notification string",
"is_token": 5,
"correlation_rules": [{"correlation_rule_id": "PO6P2IVHDYMX8KAC1553107527480H1R00JL52AC4VL"
}
]
},
{"rule_definition_id": "LKDJGKFINQOGXCOG1649357052798S3ALYT1U6NPEJ2",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(Ttest)",
"description": "Ttest",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "R15Q8AIAVTNUO40M16493569434296KC2TWA2I72P92"
}
]
},
{"rule_definition_id": "OORVLJI9DMJGXL2K1649357206377FQDIUQO7963YNU",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "@SAME(Ttest:\\s(.*?):)",
"description": "ipaddress",
"is_token": 1,
"correlation_rules": [{"correlation_rule_id": "R15Q8AIAVTNUO40M16493569434296KC2TWA2I72P92"
}
]
},
{"rule_definition_id": "YI5KE8DM6461MYN31649357336556HRYMEA8XMQDFEX",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(critical)\\salert",
"description": "Critical",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "R15Q8AIAVTNUO40M16493569434296KC2TWA2I72P92"
}
]
},
{"rule_definition_id": "HHR60KVRT511HIGA1669818560981F8ELY1DMIGJMSJ",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "(infinity)",
"description": "Rule1",
"is_token": 1,
"correlation_rules": [{"correlation_rule_id": "AK8UDUSTHP8GD9OK16698185052255UH6PCT7L1CN66"
}
]
},
{"rule_definition_id": "CMWKANJ03FBX77D615832449801946Q2I6T00R6GL1I",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "(china)",
"description": "China Event",
"is_token": 1,
"correlation_rules": [{"correlation_rule_id": "X1127YDK36797HY01583244939857N520IHQB0FRT4A"
}
]
},
{"rule_definition_id": "H2H611LC12X0JCAW1583246384519LBRHJ1EE2756IB",
"xml_tag": "SCDTS",
"pattern_name": "Regular Expression Match",
"pattern": "<METHOD>(syslog)<",
"description": "method",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "X1127YDK36797HY01583244939857N520IHQB0FRT4A"
}
]
},
{"rule_definition_id": "UGILHMCH1O4G14WE1583245036182ERS36G1060DRGC",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "(Anton)",
"description": "San Anton Major Event",
"is_token": 1,
"correlation_rules": [{"correlation_rule_id": "PO2855AC5A0KLKV41583244992136UN08E23MY42XE0"
}
]
},
{"rule_definition_id": "HM79ROOO7TC60G0F1583246342528GHGUICY5XH3G64",
"xml_tag": "SCDTS",
"pattern_name": "Regular Expression Match",
"pattern": "<METHOD>(syslog)<",
"description": "method",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "PO2855AC5A0KLKV41583244992136UN08E23MY42XE0"
}
]
},
{"rule_definition_id": "G04P78U3ACTQ9MFA15403086311622J9ROXFABJ442A",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "\"machine_name\"=>\"(.*?)\"",
"description": "machine_name",
"is_token": 1,
"correlation_rules": [{"correlation_rule_id": "HJWLA72FHP86IIFG1540308595425K4M5K78AFUPQSP"
}
]
},
{"rule_definition_id": "E20AP61QE775RLNH16297429359817M1PW3A5NN0HHV",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match",
"pattern": "(No\\sanswer)",
"description": "No answer",
"is_token": 0,
"correlation_rules": [{"correlation_rule_id": "X0VM2YBOPTCYD5081629742897595AU9LE8PQH4JIEJ"
}
]
},
{"rule_definition_id": "L1SJQDJO9UUL16DW16297432099279Q4WNRW3CRHYSE",
"xml_tag": "RETURNMSG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "@SAME(from\\s\\b((?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\b)\\snot)",
"description": "System IP",
"is_token": 1,
"correlation_rules": [{"correlation_rule_id": "X0VM2YBOPTCYD5081629742897595AU9LE8PQH4JIEJ"
}
]
},
{"rule_definition_id": "ID6HW6M7WRU0IPVP1662567644558VFPX2OWRD0DNI9",
"xml_tag": "RAWLOG",
"pattern_name": "Regular Expression Match/Extract",
"pattern": "sergey\\s(critical)\\salert",
"description": "Severity",
"is_token": 1,
"correlation_rules": [{"correlation_rule_id": "C74M32KAUK6GDDRC1662567563007ITIOC68KJV7LAL"
}
]
}
]
}

/api/v2 > profiles

Get Profiles

Authorizations:

basicAuth

header Parameters

x-lxt-api-token

string

Example: {{x-lxt-kapapi-id}}

Responses

Response samples

Content type

application/json

{"status": 200,
"message": "Success",
"data": [{"profile_id": "LXTAE3NIJH37W3C81560540110GO2KAEGK2VCOT0ATTZU99K5NXK0B37IKN02P0NF1PY9ROVA",
"asset_id": "353a60c9fa7c13b8452aa896e9d75837129ed69cffa15ec00006477bbbfdde7c",
"probe_group_id": "LXTCSP5DDP62CC6C15605400655YJJFSHNBUYC6ZU443MD4HD91QPGJ7HAYYU0VBJXO794IM3",
"enabled": 1,
"interval": 30,
"start_time": -1,
"start_weekdays": 127,
"end_window": 86400,
"failover": 0,
"assets": [{"asset_id": "353a60c9fa7c13b8452aa896e9d75837129ed69cffa15ec00006477bbbfdde7c",
"name": "Local System",
"ipaddress": "10.13.37.87",
"hostname": "touyarb-87",
"customer": "",
"site": "",
"render_type": "server",
"last_method": "",
"last_byte_time": 0,
"did": "Unknown",
"mac_address": "Unknown",
"address": "",
"version": "Unknown",
"manufacturer": "LayerX Technologies",
"timezone": "UTC",
"description": "Local Arbitrator Platform",
"comments": "",
"model": "Unknown",
"asset_groups": [ ],
"assets": [ ],
"profiles": [{"profile_id": "LXTAE3NIJH37W3C81560540110GO2KAEGK2VCOT0ATTZU99K5NXK0B37IKN02P0NF1PY9ROVA"
}
]
}
],
"credentials": [ ],
"probe_groups": [{"probe_group_id": "LXTCSP5DDP62CC6C15605400655YJJFSHNBUYC6ZU443MD4HD91QPGJ7HAYYU0VBJXO794IM3",
"name": "Local System Stats",
"description": "Probes the local Arbitrator platform for statistics.",
"profiles": [{"profile_id": "LXTAE3NIJH37W3C81560540110GO2KAEGK2VCOT0ATTZU99K5NXK0B37IKN02P0NF1PY9ROVA"
}
],
"probes": [{"probe_id": "LXTQITGJ6DFZ00TD1560539969IMRDUJMSL2DHZY4R1XC4PMPDAG6QS4OGB9L29FYWACAQNB1",
"name": "Disk Stats",
"short_message": "DISK",
"command": "get_arb_stat.sh -d",
"description": "Local System Disk Usage",
"locked": 0,
"enabled": 1,
"unit": "",
"autoscale": 0,
"probe_groups": [{"probe_group_id": "LXTCSP5DDP62CC6C15605400655YJJFSHNBUYC6ZU443MD4HD91QPGJ7HAYYU0VBJXO794IM3"
}
]
},
{"probe_id": "LXTQITGJ6DFZ00TD1560539969IMRDUJMSL2DHZY4R1XC4PMPDAG6QS4OGB9L29FYWACAQNB2",
"name": "Memory Stats",
"short_message": "MEM",
"command": "get_arb_stat.sh -m",
"description": "Watches Memory Consumption",
"locked": 0,
"enabled": 1,
"unit": "",
"autoscale": 0,
"probe_groups": [{"probe_group_id": "LXTCSP5DDP62CC6C15605400655YJJFSHNBUYC6ZU443MD4HD91QPGJ7HAYYU0VBJXO794IM3"
}
]
},
{"probe_id": "LXTQITGJ6DFZ00TD1560539969IMRDUJMSL2DHZY4R1XC4PMPDAG6QS4OGB9L29FYWACAQNB3",
"name": "CPU Stats",
"short_message": "CPU",
"command": "get_arb_stat.sh -c",
"description": "Watches CPU Usage",
"locked": 0,
"enabled": 1,
"unit": "",
"autoscale": 0,
"probe_groups": [{"probe_group_id": "LXTCSP5DDP62CC6C15605400655YJJFSHNBUYC6ZU443MD4HD91QPGJ7HAYYU0VBJXO794IM3"
}
]
},
{"probe_id": "LXTQITGJ6DFZ00TD1560539969IMRDUJMSL2DHZY4R1XC4PMPDAG6QS4OGB9L29FYWACAQNB4",
"name": "Outbound Network Traffic (kBps)",
"short_message": "OBNET",
"command": "get_arb_stat.sh -o",
"description": "Watches Outbound Network Statistics",
"locked": 0,
"enabled": 1,
"unit": "",
"autoscale": 0,
"probe_groups": [{"probe_group_id": "LXTCSP5DDP62CC6C15605400655YJJFSHNBUYC6ZU443MD4HD91QPGJ7HAYYU0VBJXO794IM3"
}
]
},
{"probe_id": "LXTQITGJ6DFZ00TD1560539969IMRDUJMSL2DHZY4R1XC4PMPDAG6QS4OGB9L29FYWACAQNB5",
"name": "Inbound Network Traffic (kBps)",
"short_message": "IBNET",
"command": "get_arb_stat.sh -i",
"description": "Watches Inbound Network Statistics",
"locked": 0,
"enabled": 1,
"unit": "",
"autoscale": 0,
"probe_groups": [{"probe_group_id": "LXTCSP5DDP62CC6C15605400655YJJFSHNBUYC6ZU443MD4HD91QPGJ7HAYYU0VBJXO794IM3"
}
]
}
]
}
]
},
{"profile_id": "PEQTCWA88OJ7OLYC16863136564401DDMDPEV2SYIPN",
"asset_id": "DOP9WU0EWS75DX8E1686313580412C8NASNA5XP2991",
"probe_group_id": "PTNM6K3GWKVDB0HU1686313519844WEBU0H74ILGBNE",
"enabled": 1,
"interval": 60,
"start_time": -1,
"start_weekdays": 127,
"end_window": 86400,
"failover": 0,
"assets": [{"asset_id": "DOP9WU0EWS75DX8E1686313580412C8NASNA5XP2991",
"name": "Touy Dashboard",
"ipaddress": "10.13.37.88",
"hostname": "",
"customer": "",
"site": "",
"render_type": "unknown",
"last_method": "",
"last_byte_time": 0,
"did": "",
"mac_address": "",
"address": "",
"version": "",
"manufacturer": "",
"timezone": "UTC",
"description": "",
"comments": "",
"model": "",
"asset_groups": [ ],
"assets": [ ],
"profiles": [{"profile_id": "PEQTCWA88OJ7OLYC16863136564401DDMDPEV2SYIPN"
},
{"profile_id": "J194V0IAQKYJ28GO1686702828236HL55SA6OPDQSK8"
}
]
}
],
"credentials": [ ],
"probe_groups": [{"probe_group_id": "PTNM6K3GWKVDB0HU1686313519844WEBU0H74ILGBNE",
"name": "Ping Probe",
"description": null,
"profiles": [{"profile_id": "PEQTCWA88OJ7OLYC16863136564401DDMDPEV2SYIPN"
},
{"profile_id": "F0I8FPQTOAK6Y45S1686313640972CAC6VXJM0H4GI6"
}
],
"probes": [{"probe_id": "BCCBSORIYID7PVI116863135248797WET01G5RR87FY",
"name": "icmp_echo",
"short_message": "",
"command": "icmp_echo.exp %s",
"description": "",
"locked": 0,
"enabled": 1,
"unit": "",
"autoscale": 0,
"probe_groups": [{"probe_group_id": "PTNM6K3GWKVDB0HU1686313519844WEBU0H74ILGBNE"
}
]
}
]
}
]
},
{"profile_id": "F0I8FPQTOAK6Y45S1686313640972CAC6VXJM0H4GI6",
"asset_id": "E38QOTASMQM4ENRU16863136074204UBKX2FR5738TI",
"probe_group_id": "PTNM6K3GWKVDB0HU1686313519844WEBU0H74ILGBNE",
"enabled": 1,
"interval": 60,
"start_time": -1,
"start_weekdays": 127,
"end_window": 86400,
"failover": 0,
"assets": [{"asset_id": "E38QOTASMQM4ENRU16863136074204UBKX2FR5738TI",
"name": "Daron Syslog Arbitrator",
"ipaddress": "172.30.42.169",
"hostname": "",
"customer": "",
"site": "",
"render_type": "unknown",
"last_method": "snmp_trap",
"last_byte_time": 1695383488,
"did": "",
"mac_address": "",
"address": "",
"version": "",
"manufacturer": "",
"timezone": "UTC",
"description": "",
"comments": "",
"model": "",
"asset_groups": [ ],
"assets": [{"asset_id": "SBR6H1V1637I71A916863161975534Q4PO7TA2CFYFR",
"name": "",
"ipaddress": "172.30.42.169",
"hostname": "Unknown",
"parent_id": "E38QOTASMQM4ENRU16863136074204UBKX2FR5738TI",
"customer": "",
"site": "",
"render_type": "unknown",
"last_method": "snmp_trap",
"last_byte_time": 1695383488,
"did": "Unknown",
"mac_address": "",
"address": "",
"version": "",
"manufacturer": "",
"timezone": "UTC",
"description": "NAT",
"comments": "",
"model": "",
"asset_groups": [ ],
"assets": [ ],
"profiles": [ ]
}
],
"profiles": [{"profile_id": "F0I8FPQTOAK6Y45S1686313640972CAC6VXJM0H4GI6"
}
]
}
],
"credentials": [ ],
"probe_groups": [{"probe_group_id": "PTNM6K3GWKVDB0HU1686313519844WEBU0H74ILGBNE",
"name": "Ping Probe",
"description": null,
"profiles": [{"profile_id": "PEQTCWA88OJ7OLYC16863136564401DDMDPEV2SYIPN"
},
{"profile_id": "F0I8FPQTOAK6Y45S1686313640972CAC6VXJM0H4GI6"
}
],
"probes": [{"probe_id": "BCCBSORIYID7PVI116863135248797WET01G5RR87FY",
"name": "icmp_echo",
"short_message": "",
"command": "icmp_echo.exp %s",
"description": "",
"locked": 0,
"enabled": 1,
"unit": "",
"autoscale": 0,
"probe_groups": [{"probe_group_id": "PTNM6K3GWKVDB0HU1686313519844WEBU0H74ILGBNE"
}
]
}
]
}
]
},
{"profile_id": "FQM6R8QUAS2H4C6F1686621318618S83CL0VHDK2CYM",
"asset_id": "X7QN0NAETNHBR5NA1686588576957HXHI2TOWU7CRKC",
"probe_group_id": "XA1PP5R3GTNQPOSG1686588598775XLCT2DB5X88R18",
"enabled": 1,
"interval": 30,
"start_time": -1,
"start_weekdays": 127,
"end_window": 86400,
"failover": 0,
"assets": [{"asset_id": "X7QN0NAETNHBR5NA1686588576957HXHI2TOWU7CRKC",
"name": "CUCM2",
"ipaddress": "172.30.42.73",
"hostname": "",
"customer": "",
"site": "",
"render_type": "unknown",
"last_method": "",
"last_byte_time": 0,
"did": "",
"mac_address": "",
"address": "",
"version": "",
"manufacturer": "",
"timezone": "UTC",
"description": "",
"comments": "",
"model": "",
"asset_groups": [{"asset_group_id": "ESCJW73KWMIJGVWK168658855665736VGNYQAGYVQSB"
}
],
"assets": [ ],
"profiles": [{"profile_id": "FQM6R8QUAS2H4C6F1686621318618S83CL0VHDK2CYM"
}
]
}
],
"credentials": [ ],
"probe_groups": [{"probe_group_id": "XA1PP5R3GTNQPOSG1686588598775XLCT2DB5X88R18",
"name": "CUCM RIS",
"description": null,
"profiles": [{"profile_id": "FQM6R8QUAS2H4C6F1686621318618S83CL0VHDK2CYM"
},
{"profile_id": "V0A8UCVCLK78ISJ31686667221397KWJHGNJTOE9YCM"
},
{"profile_id": "TPWSUDB7OXSV85SD1686667232197UD2XDDDWUI605V"
},
{"profile_id": "DLPDBNNLM9UR8JGU1686667245438RX13DGPF95WEFP"
},
{"profile_id": "QT77VCS9LAUEXKSP1686667256568CHONSTSEFCMNKU"
}
],
"probes": [{"probe_id": "OY16K83RXI7M3ENW16865886048369XI48KCD9I215O",
"name": "cucmris_phone",
"short_message": "",
"command": "cisco/cucmrisphone/collectrisphones_creds.sh %s ''",
"description": "",
"locked": 0,
"enabled": 1,
"unit": "",
"autoscale": 0,
"probe_groups": [{"probe_group_id": "XA1PP5R3GTNQPOSG1686588598775XLCT2DB5X88R18"
}
]
}
]
}
]
},
{"profile_id": "V0A8UCVCLK78ISJ31686667221397KWJHGNJTOE9YCM",
"asset_id": "GVLXW1V30M7C4XGR1686667161980JRHWIC63RWRKIV",
"probe_group_id": "XA1PP5R3GTNQPOSG1686588598775XLCT2DB5X88R18",
"enabled": 1,
"interval": 300,
"start_time": -1,
"start_weekdays": 127,
"end_window": 86400,
"failover": 0,
"assets": [{"asset_id": "GVLXW1V30M7C4XGR1686667161980JRHWIC63RWRKIV",
"name": "172.30.42.77",
"ipaddress": "172.30.42.77",
"hostname": "",
"customer": "",
"site": "",
"render_type": "unknown",
"last_method": "",
"last_byte_time": 0,
"did": "",
"mac_address": "",
"address": "",
"version": "",
"manufacturer": "",
"timezone": "UTC",
"description": "",
"comments": "",
"model": "",
"asset_groups": [{"asset_group_id": "ESCJW73KWMIJGVWK168658855665736VGNYQAGYVQSB"
}
],
"assets": [ ],
"profiles": [{"profile_id": "V0A8UCVCLK78ISJ31686667221397KWJHGNJTOE9YCM"
}
]
}
],
"credentials": [{"credential_id": "PKQUY2AN65OIJYSS1686588939122QT0254HH3YAMO6",
"name": "admin",
"username": "Username hidden.",
"password": "Passwords hidden.",
"profiles": [{"profile_id": "V0A8UCVCLK78ISJ31686667221397KWJHGNJTOE9YCM"
},
{"profile_id": "TPWSUDB7OXSV85SD1686667232197UD2XDDDWUI605V"
},
{"profile_id": "DLPDBNNLM9UR8JGU1686667245438RX13DGPF95WEFP"
},
{"profile_id": "QT77VCS9LAUEXKSP1686667256568CHONSTSEFCMNKU"
}
],
"response_methods": [ ]
}
],
"probe_groups": [{"probe_group_id": "XA1PP5R3GTNQPOSG1686588598775XLCT2DB5X88R18",
"name": "CUCM RIS",
"description": null,
"profiles": [{"profile_id": "FQM6R8QUAS2H4C6F1686621318618S83CL0VHDK2CYM"
},
{"profile_id": "V0A8UCVCLK78ISJ31686667221397KWJHGNJTOE9YCM"
},
{"profile_id": "TPWSUDB7OXSV85SD1686667232197UD2XDDDWUI605V"
},
{"profile_id": "DLPDBNNLM9UR8JGU1686667245438RX13DGPF95WEFP"
},
{"profile_id": "QT77VCS9LAUEXKSP1686667256568CHONSTSEFCMNKU"
}
],
"probes": [{"probe_id": "OY16K83RXI7M3ENW16865886048369XI48KCD9I215O",
"name": "cucmris_phone",
"short_message": "",
"command": "cisco/cucmrisphone/collectrisphones_creds.sh %s ''",
"description": "",
"locked": 0,
"enabled": 1,
"unit": "",
"autoscale": 0,
"probe_groups": [{"probe_group_id": "XA1PP5R3GTNQPOSG1686588598775XLCT2DB5X88R18"
}
]
}
]
}
]
},
{"profile_id": "TPWSUDB7OXSV85SD1686667232197UD2XDDDWUI605V",
"asset_id": "JT491KB39Y8ANI6I1686667175816HU2FSBNRHR1YEO",
"probe_group_id": "XA1PP5R3GTNQPOSG1686588598775XLCT2DB5X88R18",
"enabled": 1,
"interval": 300,
"start_time": -1,
"start_weekdays": 127,
"end_window": 86400,
"failover": 0,
"assets": [{"asset_id": "JT491KB39Y8ANI6I1686667175816HU2FSBNRHR1YEO",
"name": "172.30.42.84",
"ipaddress": "172.30.42.84",
"hostname": "",
"customer": "",
"site": "",
"render_type": "unknown",
"last_method": "",
"last_byte_time": 0,
"did": "",
"mac_address": "",
"address": "",
"version": "",
"manufacturer": "",
"timezone": "UTC",
"description": "",
"comments": "",
"model": "",
"asset_groups": [{"asset_group_id": "ESCJW73KWMIJGVWK168658855665736VGNYQAGYVQSB"
}
],
"assets": [ ],
"profiles": [{"profile_id": "TPWSUDB7OXSV85SD1686667232197UD2XDDDWUI605V"
}
]
}
],
"credentials": [{"credential_id": "PKQUY2AN65OIJYSS1686588939122QT0254HH3YAMO6",
"name": "admin",
"username": "Username hidden.",
"password": "Passwords hidden.",
"profiles": [{"profile_id": "V0A8UCVCLK78ISJ31686667221397KWJHGNJTOE9YCM"
},
{"profile_id": "TPWSUDB7OXSV85SD1686667232197UD2XDDDWUI605V"
},
{"profile_id": "DLPDBNNLM9UR8JGU1686667245438RX13DGPF95WEFP"
},
{"profile_id": "QT77VCS9LAUEXKSP1686667256568CHONSTSEFCMNKU"
}
],
"response_methods": [ ]
}
],
"probe_groups": [{"probe_group_id": "XA1PP5R3GTNQPOSG1686588598775XLCT2DB5X88R18",
"name": "CUCM RIS",
"description": null,
"profiles": [{"profile_id": "FQM6R8QUAS2H4C6F1686621318618S83CL0VHDK2CYM"
},
{"profile_id": "V0A8UCVCLK78ISJ31686667221397KWJHGNJTOE9YCM"
},
{"profile_id": "TPWSUDB7OXSV85SD1686667232197UD2XDDDWUI605V"
},
{"profile_id": "DLPDBNNLM9UR8JGU1686667245438RX13DGPF95WEFP"
},
{"profile_id": "QT77VCS9LAUEXKSP1686667256568CHONSTSEFCMNKU"
}
],
"probes": [{"probe_id": "OY16K83RXI7M3ENW16865886048369XI48KCD9I215O",
"name": "cucmris_phone",
"short_message": "",
"command": "cisco/cucmrisphone/collectrisphones_creds.sh %s ''",
"description": "",
"locked": 0,
"enabled": 1,
"unit": "",
"autoscale": 0,
"probe_groups": [{"probe_group_id": "XA1PP5R3GTNQPOSG1686588598775XLCT2DB5X88R18"
}
]
}
]
}
]
},
{"profile_id": "DLPDBNNLM9UR8JGU1686667245438RX13DGPF95WEFP",
"asset_id": "WXC0TY3JSQEMQB8U168666719341852TMXE87FNLMYL",
"probe_group_id": "XA1PP5R3GTNQPOSG1686588598775XLCT2DB5X88R18",
"enabled": 1,
"interval": 300,
"start_time": -1,
"start_weekdays": 127,
"end_window": 86400,
"failover": 0,
"assets": [{"asset_id": "WXC0TY3JSQEMQB8U168666719341852TMXE87FNLMYL",
"name": "172.30.42.89",
"ipaddress": "172.30.42.89",
"hostname": "",
"customer": "",
"site": "",
"render_type": "unknown",
"last_method": "",
"last_byte_time": 0,
"did": "",
"mac_address": "",
"address": "",
"version": "",
"manufacturer": "",
"timezone": "UTC",
"description": "",
"comments": "",
"model": "",
"asset_groups": [{"asset_group_id": "ESCJW73KWMIJGVWK168658855665736VGNYQAGYVQSB"
}
],
"assets": [ ],
"profiles": [{"profile_id": "DLPDBNNLM9UR8JGU1686667245438RX13DGPF95WEFP"
}
]
}
],
"credentials": [{"credential_id": "PKQUY2AN65OIJYSS1686588939122QT0254HH3YAMO6",
"name": "admin",
"username": "Username hidden.",
"password": "Passwords hidden.",
"profiles": [{"profile_id": "V0A8UCVCLK78ISJ31686667221397KWJHGNJTOE9YCM"
},
{"profile_id": "TPWSUDB7OXSV85SD1686667232197UD2XDDDWUI605V"
},
{"profile_id": "DLPDBNNLM9UR8JGU1686667245438RX13DGPF95WEFP"
},
{"profile_id": "QT77VCS9LAUEXKSP1686667256568CHONSTSEFCMNKU"
}
],
"response_methods": [ ]
}
],
"probe_groups": [{"probe_group_id": "XA1PP5R3GTNQPOSG1686588598775XLCT2DB5X88R18",
"name": "CUCM RIS",
"description": null,
"profiles": [{"profile_id": "FQM6R8QUAS2H4C6F1686621318618S83CL0VHDK2CYM"
},
{"profile_id": "V0A8UCVCLK78ISJ31686667221397KWJHGNJTOE9YCM"
},
{"profile_id": "TPWSUDB7OXSV85SD1686667232197UD2XDDDWUI605V"
},
{"profile_id": "DLPDBNNLM9UR8JGU1686667245438RX13DGPF95WEFP"
},
{"profile_id": "QT77VCS9LAUEXKSP1686667256568CHONSTSEFCMNKU"
}
],
"probes": [{"probe_id": "OY16K83RXI7M3ENW16865886048369XI48KCD9I215O",
"name": "cucmris_phone",
"short_message": "",
"command": "cisco/cucmrisphone/collectrisphones_creds.sh %s ''",
"description": "",
"locked": 0,
"enabled": 1,
"unit": "",
"autoscale": 0,
"probe_groups": [{"probe_group_id": "XA1PP5R3GTNQPOSG1686588598775XLCT2DB5X88R18"
}
]
}
]
}
]
},
{"profile_id": "QT77VCS9LAUEXKSP1686667256568CHONSTSEFCMNKU",
"asset_id": "A3J1RR96C5PONKIE1686667202888VWR68RBL03RUUX",
"probe_group_id": "XA1PP5R3GTNQPOSG1686588598775XLCT2DB5X88R18",
"enabled": 1,
"interval": 300,
"start_time": -1,
"start_weekdays": 127,
"end_window": 86400,
"failover": 0,
"assets": [{"asset_id": "A3J1RR96C5PONKIE1686667202888VWR68RBL03RUUX",
"name": "172.30.42.90",
"ipaddress": "172.30.42.90",
"hostname": "",
"customer": "",
"site": "",
"render_type": "unknown",
"last_method": "",
"last_byte_time": 0,
"did": "",
"mac_address": "",
"address": "",
"version": "",
"manufacturer": "",
"timezone": "UTC",
"description": "",
"comments": "",
"model": "",
"asset_groups": [{"asset_group_id": "ESCJW73KWMIJGVWK168658855665736VGNYQAGYVQSB"
}
],
"assets": [ ],
"profiles": [{"profile_id": "QT77VCS9LAUEXKSP1686667256568CHONSTSEFCMNKU"
}
]
}
],
"credentials": [{"credential_id": "PKQUY2AN65OIJYSS1686588939122QT0254HH3YAMO6",
"name": "admin",
"username": "Username hidden.",
"password": "Passwords hidden.",
"profiles": [{"profile_id": "V0A8UCVCLK78ISJ31686667221397KWJHGNJTOE9YCM"
},
{"profile_id": "TPWSUDB7OXSV85SD1686667232197UD2XDDDWUI605V"
},
{"profile_id": "DLPDBNNLM9UR8JGU1686667245438RX13DGPF95WEFP"
},
{"profile_id": "QT77VCS9LAUEXKSP1686667256568CHONSTSEFCMNKU"
}
],
"response_methods": [ ]
}
],
"probe_groups": [{"probe_group_id": "XA1PP5R3GTNQPOSG1686588598775XLCT2DB5X88R18",
"name": "CUCM RIS",
"description": null,
"profiles": [{"profile_id": "FQM6R8QUAS2H4C6F1686621318618S83CL0VHDK2CYM"
},
{"profile_id": "V0A8UCVCLK78ISJ31686667221397KWJHGNJTOE9YCM"
},
{"profile_id": "TPWSUDB7OXSV85SD1686667232197UD2XDDDWUI605V"
},
{"profile_id": "DLPDBNNLM9UR8JGU1686667245438RX13DGPF95WEFP"
},
{"profile_id": "QT77VCS9LAUEXKSP1686667256568CHONSTSEFCMNKU"
}
],
"probes": [{"probe_id": "OY16K83RXI7M3ENW16865886048369XI48KCD9I215O",
"name": "cucmris_phone",
"short_message": "",
"command": "cisco/cucmrisphone/collectrisphones_creds.sh %s ''",
"description": "",
"locked": 0,
"enabled": 1,
"unit": "",
"autoscale": 0,
"probe_groups": [{"probe_group_id": "XA1PP5R3GTNQPOSG1686588598775XLCT2DB5X88R18"
}
]
}
]
}
]
},
{"profile_id": "J194V0IAQKYJ28GO1686702828236HL55SA6OPDQSK8",
"asset_id": "DOP9WU0EWS75DX8E1686313580412C8NASNA5XP2991",
"probe_group_id": "HO0WQRH3R6F5K8LL16867027230426KPB7S2R9PLMOB",
"enabled": 1,
"interval": 3600,
"start_time": -1,
"start_weekdays": 127,
"end_window": 86400,
"failover": 0,
"assets": [{"asset_id": "DOP9WU0EWS75DX8E1686313580412C8NASNA5XP2991",
"name": "Touy Dashboard",
"ipaddress": "10.13.37.88",
"hostname": "",
"customer": "",
"site": "",
"render_type": "unknown",
"last_method": "",
"last_byte_time": 0,
"did": "",
"mac_address": "",
"address": "",
"version": "",
"manufacturer": "",
"timezone": "UTC",
"description": "",
"comments": "",
"model": "",
"asset_groups": [ ],
"assets": [ ],
"profiles": [{"profile_id": "PEQTCWA88OJ7OLYC16863136564401DDMDPEV2SYIPN"
},
{"profile_id": "J194V0IAQKYJ28GO1686702828236HL55SA6OPDQSK8"
}
]
}
],
"credentials": [ ],
"probe_groups": [{"probe_group_id": "HO0WQRH3R6F5K8LL16867027230426KPB7S2R9PLMOB",
"name": "Voss Automate Data",
"description": null,
"profiles": [{"profile_id": "J194V0IAQKYJ28GO1686702828236HL55SA6OPDQSK8"
}
],
"probes": [{"probe_id": "K9R31QUV86VG7L4D16867027303916S2NGSECKER6O3",
"name": "Voss",
"short_message": "",
"command": "voss.sh %s",
"description": "",
"locked": 0,
"enabled": 1,
"unit": "",
"autoscale": 0,
"probe_groups": [{"probe_group_id": "HO0WQRH3R6F5K8LL16867027230426KPB7S2R9PLMOB"
}
]
}
]
}
]
}
]
}

/api/v2 > cucm

api/v2/cucm/drop

Authorizations:

basicAuth

Responses

/api/v2 > users

/api/v2/users No Token

Authorizations:

noauthAuth

Responses

/api/v2/users

Authorizations:

noauthAuth

header Parameters

x-lxt-api-token

string

Example: {{x-lxt-kapapi-id}}

Request Body schema: application/json

object

Responses

Request samples

Payload

Content type

application/json

{"userId": "testuser1",
"password": "testpassword",
"email": "[email protected]",
"firstName": "Test",
"lastName": "User1",
"customerId": "",
"customerName": ""
}

Arbitrator API Documentation (1.0.0)

Insights Arbitrator API Documentation

Introduction

/api

/api/ciscocdr?cm_ip=x.x.x.x

query Parameters

Responses

Response samples

/api/v2

/api/v2 > login

/api/v2/login

Authorizations:

header Parameters

Request Body schema: multipart/form-data

Responses

/api/v2 > alerts

Get All Alerts No Header

Authorizations:

Responses

/api/v2 > assets

/api/v2/configs/assets

Authorizations:

header Parameters

Responses

Update Large Assets

Authorizations:

header Parameters

Request Body schema: application/json

Responses

Request samples

Add a NAT IP Address to An Asset

Authorizations:

header Parameters

Request Body schema: application/json

Responses

Request samples

Response samples

/api/v2 > policy_modules

GET policy modules

Authorizations:

header Parameters

Responses

Response samples

/api/v2 > asset_groups

GET All Asset Groups

header Parameters

Responses

Insert TestGroup

header Parameters

Request Body schema: application/json

Responses

Request samples

Delete Asset Group

header Parameters

Responses

/api/v2 > lxt_updates

/api/v2/lxt_updates

query Parameters

header Parameters

Request Body schema: application/x-www-form-urlencoded

Responses

/api/v2/lxt_updates?id=18

header Parameters

Responses

/api/v2/configs/asset_groups

header Parameters

Responses

/api/v2 > probe_groups

Get Probes

Authorizations:

header Parameters

Responses

/api/v2 > response_procedures

Get Response Procedures

Authorizations:

header Parameters

Responses

Response samples

/api/v2 > rule_definitions

Get Rule Definitions