
Reports on detections

Currently running SEC 5.4 (will update to 5.5 later this week).


I have SEC configured to email me alerts of detections, which is working well enough. However, I went into SEC, selected Tools > Manage Reports > Alerts and events (looking at events over the last month), specified the period and ran the report.


WOW, I am getting a report for a Trojan (Mal/DrodZp-A) detected on a machine last Friday which I didn't get an email alert for. When I select the machine in SEC there are no errors or alerts registered to it.


Now... what or which do I believe... or, better still, why are these not reporting the same thing? Any ideas?


Thanks in advance



  • Hello ANT1,

    "select the machine in SEC"
    Do you View Computer Details? Last Friday should still be listed under History.

    "didn't get an email"
    Have you enabled Email Alerting from your endpoints in the AV and HIPS policy, or Email Alerts ... from the console?

    Christian

  • Hi QC,


    Yes, when I view the history of the machine it is listed as a detection. BUT the console dashboard is not reflecting this. I thought that if there was a detection it would show up in the dashboard, and this one isn't. Obviously I cannot view each machine's history individually.


    Email alerting is configured on the console, AND it's enabled in the policy.


    Any ideas?


    Thank you

  • Hello ANT1,

    "if there was a detection it would show up in the dashboard"
    The dashboard (as well as the Status/Alerts and errors column and the Alert and Error Details tab) shows only outstanding alerts, i.e. detections that haven't been (properly) dealt with. A successful cleanup, delete, or move action clears the alert, as does an Acknowledge from the console or a Clear from list in the local QM. For detections that can be authorized, an authorization (QM, local settings, policy change) also clears the alert.
    The report and the history should have an associated entry that names the Action taken. The Dashboard shows the current situation, not any statistical (apart from the percentages) or historical data. The latter are provided by the reports.

    SEC sends an email when a threshold is exceeded, i.e. a value "crosses the limit upwards". Subsequently the value has to fall below before another mail can be triggered. The message also doesn't contain any details like endpoint or threat name.

    Finally, email alerts from the endpoints: if enabled, you should get an email even if a detection is never shown on the dashboard (because detection and cleanup notification are sent to SEC in a single message). It may fail for various reasons, thus the question is: did you ever receive an email from this endpoint?

    Christian
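The following is an added worked example, not code from the thread and not Sophos code: a small Python model of the three behaviours Christian describes (the report lists every event; the dashboard lists only outstanding alerts; the console emails only when the outstanding count crosses the threshold upwards, and not again until it has dropped back below). The event names, endpoint names, the second and third threat names, and the "evaluate once per message" rule are assumptions made for the model; only Mal/DrodZp-A comes from the thread. The sample traffic is constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Actions that leave an alert outstanding (shown on the dashboard) versus
# actions that clear it, following the explanation in the thread.
# The action labels themselves are an assumption of this model.
RAISES_ALERT = {"detected", "cleanup failed"}
CLEARS_ALERT = {"cleaned", "deleted", "moved", "acknowledged", "authorised"}


@dataclass(frozen=True)
class Event:
    endpoint: str
    threat: str
    action: str


class ConsoleModel:
    """Toy model of a management console: every event goes into the history
    (what the report shows); only unresolved ones stay outstanding (what the
    dashboard shows); mail is sent on an upward threshold crossing only."""

    def __init__(self, threshold: int) -> None:
        self.threshold = threshold
        self.history: List[Event] = []
        self.outstanding: Set[Tuple[str, str]] = set()
        self.emails: List[str] = []
        self._above_threshold = False

    def ingest_message(self, events: List[Event]) -> None:
        # Assumption: one endpoint message may carry several events (e.g. a
        # detection plus its cleanup), and the threshold is evaluated once
        # after the whole message has been applied.
        for ev in events:
            self.history.append(ev)
            key = (ev.endpoint, ev.threat)
            if ev.action in RAISES_ALERT:
                self.outstanding.add(key)
            elif ev.action in CLEARS_ALERT:
                self.outstanding.discard(key)
            else:
                raise ValueError(f"unknown action {ev.action!r}")
        self._evaluate_threshold()

    def _evaluate_threshold(self) -> None:
        count = len(self.outstanding)
        if count > self.threshold and not self._above_threshold:
            # Upward crossing: send one mail and latch until the count
            # falls back to or below the threshold.
            self.emails.append(
                f"{count} outstanding alert(s) exceed threshold {self.threshold}")
            self._above_threshold = True
        elif count <= self.threshold:
            self._above_threshold = False


def detections_hidden_from_dashboard(console: ConsoleModel) -> Dict[Tuple[str, str], str]:
    """Detections present in the history whose alert is no longer outstanding,
    keyed by (endpoint, threat) and mapped to the last action recorded.
    This is the reconciliation the original poster wanted: report minus dashboard."""
    last_action: Dict[Tuple[str, str], str] = {}
    for ev in console.history:
        last_action[(ev.endpoint, ev.threat)] = ev.action
    return {k: a for k, a in last_action.items() if k not in console.outstanding}


def run_scenario() -> ConsoleModel:
    """Constructed sample traffic (endpoint and threat names are made up)."""
    c = ConsoleModel(threshold=0)
    # Detection and successful cleanup arrive in one message: the alert is
    # never outstanding, so the dashboard never shows it and no mail is sent.
    c.ingest_message([Event("ant1-ws01", "Mal/DrodZp-A", "detected"),
                      Event("ant1-ws01", "Mal/DrodZp-A", "cleaned")])
    # A failed cleanup leaves the alert outstanding: first upward crossing.
    c.ingest_message([Event("ant1-ws02", "test-threat-b", "detected"),
                      Event("ant1-ws02", "test-threat-b", "cleanup failed")])
    # Another outstanding alert while already above threshold: no new mail.
    c.ingest_message([Event("ant1-ws03", "test-threat-c", "detected")])
    # Both acknowledged from the console: the count falls back to zero.
    c.ingest_message([Event("ant1-ws02", "test-threat-b", "acknowledged")])
    c.ingest_message([Event("ant1-ws03", "test-threat-c", "acknowledged")])
    # A fresh outstanding alert crosses upwards again: second mail.
    c.ingest_message([Event("ant1-ws04", "test-threat-c", "detected")])
    return c


if __name__ == "__main__":
    console = run_scenario()
    print("emails sent:", len(console.emails))
    print("outstanding (dashboard):", sorted(console.outstanding))
    print("in report but not on dashboard:", detections_hidden_from_dashboard(console))
```

Running the scenario shows why the report and the dashboard can disagree without either being wrong: Mal/DrodZp-A appears in the history with "cleaned" as its last action but never in the outstanding set, and only two of the four detections produce a threshold email. In practice the same reconciliation can be done by exporting the Alerts and events report and comparing it against the dashboard's outstanding list, looking at the Action column for the entries that are missing from the dashboard.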