Troubleshooting SIEM Connector Notification Issues

Version

Cb Defense (formerly Confer) - All

Topic

This document provides information on how to troubleshoot SIEM Connector issues. Specific issues may include, but are not limited to:

  1. Delays in receiving Syslog messages.
  2. Alerts / Notifications may be missing from the SIEM that are present in Cb Defense.

How to Triage Connector Notification Issues

  1. If messages have not been received or there are missing threat notifications for a connector, Support needs the connector ID from the customer in order to triage.
  2. The first step is to check whether the connector can connect to the backend without issue.
    • Go to the Settings -> Connectors screen and check the “Last reported time” column. If there is no time entry, the connector is not properly connected to the backend.
    • A restart of the SIEM interface on the customer side is helpful, but may not be ideal in specific configurations where the SIEM has countless other information feeds.
  3. The second step, if the connection is fine, is to go to the Settings -> Notifications screen and check whether the connector is subscribed to a notification. Refer to: Cb Defense: How to Troubleshoot Email Notification Issues
  4. The third step is to go to the Alert screen and find threats that meet the conditions of the notification rule, using the same method described in the second step of Cb Defense: How to Troubleshoot Email Notification Issues

Note:

If a threat is dismissed, no notification will be sent to the connector.

Different scenarios:

  1. If the report is about not receiving any threat notifications and there are valid Alert notifications that should have been sent to the connector, open a support case and the support engineer will escalate to Engineering.
  2. If the report is about missing threats from connectors, then the confer-connector.log is required. This is available on the SIEM. There should be a log of downloaded threat incident IDs in the log file. This allows Technical Support to compare the incident IDs with the Alert screen incident IDs, using the same method described in the third step of Cb Defense: How to Troubleshoot Email Notification Issues.
    • It is also helpful to obtain any custom SIEM reports for relevant and/or specific date ranges from the SIEM.
  3. Once you identify that there is a threat missing that should be in the SIEM or intelligence destination, open a support case and the Technical Support Engineer will escalate to Cb Defense Engineering.
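The comparison in scenario 2 (incident IDs downloaded by the connector versus incident IDs on the Alert screen, with dismissed threats excluded per the note above) can be scripted. This is an added illustration, not Carbon Black's tooling; the confer-connector.log line format and the Alert export structure below are constructed assumptions, so adjust the regular expression to the real log before use.

```python
import re
from typing import Dict, Iterable, Set

# Constructed sample of confer-connector.log lines. The real format is not
# documented here; the "incident id=" pattern is an ASSUMPTION for illustration.
SAMPLE_CONNECTOR_LOG = """\
2016-07-21 10:01:02 INFO downloaded threat incident id=INC-0001
2016-07-21 10:01:03 INFO downloaded threat incident id=INC-0002
2016-07-21 10:05:10 INFO heartbeat ok
2016-07-21 10:06:00 INFO downloaded threat incident id=INC-0004
"""

# Constructed stand-in for the Alert screen for the same date range:
# incident id -> status. Dismissed threats never notify the connector.
SAMPLE_ALERT_EXPORT: Dict[str, str] = {
    "INC-0001": "open",
    "INC-0002": "open",
    "INC-0003": "dismissed",
    "INC-0004": "open",
    "INC-0005": "open",
}

INCIDENT_RE = re.compile(r"incident id=(\S+)")


def downloaded_incident_ids(log_lines: Iterable[str]) -> Set[str]:
    """Collect every incident ID the connector logged as downloaded."""
    ids: Set[str] = set()
    for line in log_lines:
        match = INCIDENT_RE.search(line)
        if match:
            ids.add(match.group(1))
    return ids


def expected_incident_ids(alert_export: Dict[str, str]) -> Set[str]:
    """Incident IDs that should have reached the SIEM: everything not dismissed."""
    return {iid for iid, status in alert_export.items() if status != "dismissed"}


def missing_from_connector(log_text: str, alert_export: Dict[str, str]) -> Set[str]:
    """IDs present on the Alert screen (and not dismissed) but absent from the log."""
    return expected_incident_ids(alert_export) - downloaded_incident_ids(log_text.splitlines())


if __name__ == "__main__":
    print(sorted(missing_from_connector(SAMPLE_CONNECTOR_LOG, SAMPLE_ALERT_EXPORT)))
```

Any IDs the script reports are the ones to attach to the support case; INC-0003 is not reported because it was dismissed.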

Related solution:

Cb Defense: Troubleshooting SPLUNK SIEM Connector Notification Issues

Creation Date: 07-21-2016