Cb Defense (formerly Confer) - All
This document describes how to triage reports of missing email notifications for Alerts.
If there are reports of missing email notifications for Alerts:
- Determine which alerts / threat codes are present that should have triggered an email notification.
- Have the customer check their email Inbox, Spam, and Trash folders.
Once it is confirmed that a specific threat did not produce an email notification, triage proceeds as follows.
First step: check that a notification rule exists for that threat and that the customer's email address is subscribed to that rule.
- From the Settings -> Notifications screen:
  - Check the notification rule details, specifically "Criteria", and make sure that a valid email address is subscribed to that notification rule.
  - Click the "edit" button (pencil) on the right side of a notification of the "Alert" notification type. Verify the Alert priority (Threat Score) and Severity Level (Threat or Monitored).
  - Verify whether the "Send at most one email notification for a given threat per day" checkbox is checked.
  - If the rule is defined using TTPs, record which TTPs the rule specifies for the Alerts so you can cross-reference them later. You can always return to this screen or take a screen capture.
- If there are no Notifications defined, no email notifications will be sent.
Note: If a Notification is added after an Alert has occurred, a Notification for the past event will NOT be sent out.
Second step: go to the Alert screen and find the relevant threat(s).
- The left menu of the Alert screen contains filters. Set the filters according to the rule details you recorded in the first step.
  - For instance, if the rule is for "Threat and Monitored", then you need to select both "Threat" and "Monitored" in the "Category" filter section.
  - Make sure the "Not dismissed" filter is turned on and the "Dismissed" filter is turned off. If a threat is dismissed, notifications are NOT sent.
- Check whether that threat still shows up on the Alert screen and what the threat's priority score is.
  - If the threat score is smaller than the base threat score of the rule, notifications are NOT sent.
  - If the threat score is greater than the rule's score, go to the next step.
Alert with specific TTP rule search:
If the rule type is Alert with specific TTPs, copy the TTPs from the Alert notification rule in the Settings -> Notifications screen and paste them into the search box of the Alert screen.
Also make sure the Alert screen filters are set the same as in the rule definition (as in the second step).
If no search result is returned, no threat has met the defined criteria and no notification will be sent.
If a search result is returned and no email was received, open a Support Case with Cb Technical Support; it will be escalated for Engineering to investigate the Cloud Backend.
Third step: search for the incident ID (threat ID) from the search box on the Alert screen. Currently, for the same security incident ID and the same rule, only one notification per day is sent. This step checks whether a notification has already been sent for the same threat incident ID.
- To get the incident ID of the threat, click the "Investigate threat" icon of the threat on the Alert screen. It links to the investigate page.
- Copy the threat ID and paste it into the search box of the Alert screen. If the search returns multiple threats, a notification may already have been sent for the threats with the same threat ID.
- If the "Send at most one email notification for a given threat per day" checkbox is checked, only one email notification will be sent for the same threat ID per day.
- Perform the following investigation:
  - Use the same method as in the third step to get the threat ID.
  - Copy and paste the threat ID into the search box of the Alert screen.
  - If there are multiple search results, a notification may already have been sent for the same threat ID.
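The decision sequence the steps above walk through (rule subscribed, category filter, not dismissed, score at or above the rule's base score, TTP match, one email per threat ID per day), as an added example that is not part of this article or of Cb Defense. The Rule and Alert records, the any-TTP matching and the sample values are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

@dataclass
class Rule:
    email: Optional[str]   # subscribed address; None means nobody is subscribed
    base_score: int        # Alert priority (threat score) threshold
    categories: Set[str]   # Severity Level criteria: {"Threat"}, {"Monitored"} or both
    ttps: Set[str] = field(default_factory=set)  # empty means the rule is not TTP-based
    one_per_day: bool = True  # "Send at most one email notification for a given threat per day"

@dataclass
class Alert:
    threat_id: str
    score: int
    category: str
    dismissed: bool
    ttps: Set[str]

def triage(alert: Alert, rule: Rule, sent_today: Set[str]) -> Optional[str]:
    """Return None when an email was expected, else why it was not sent (checks in triage order)."""
    if not rule.email:
        return "no email address subscribed to the rule"
    if alert.category not in rule.categories:
        return "alert category not in rule criteria"
    if alert.dismissed:
        return "alert dismissed"
    if alert.score < rule.base_score:
        return "threat score below rule base score"
    # Assumption: a TTP rule matches when any TTP listed on the rule appears on the alert.
    if rule.ttps and not (rule.ttps & alert.ttps):
        return "no TTP on the alert matches the rule"
    if rule.one_per_day and alert.threat_id in sent_today:
        return "a notification for this threat ID was already sent today"
    return None

def explain(alerts: List[Alert], rule: Rule, sent_today: Set[str]) -> Dict[str, Optional[str]]:
    # None means an email was expected and the case should go to Support.
    return {a.threat_id: triage(a, rule, sent_today) for a in alerts}

# Constructed sample data, not real Cb Defense records; TTP names are placeholders.
RULE = Rule("soc@example.com", base_score=5, categories={"Threat", "Monitored"}, ttps={"RUN_MALWARE"})
ALERTS = [
    Alert("T-1", 7, "Threat", False, {"RUN_MALWARE"}),        # email expected
    Alert("T-2", 3, "Threat", False, {"RUN_MALWARE"}),        # below base score
    Alert("T-3", 8, "Threat", True, {"RUN_MALWARE"}),         # dismissed
    Alert("T-4", 9, "Monitored", False, {"NETWORK_ACCESS"}),  # TTP mismatch
    Alert("T-5", 9, "Threat", False, {"RUN_MALWARE"}),        # already sent today
]
SENT_TODAY = {"T-5"}
```

Running `explain(ALERTS, RULE, SENT_TODAY)` gives one reason per threat ID; only T-1 comes back as None, the case where a Support Case is warranted.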