Solved

File Anomaly Alert not updating with new error codes


Userlevel 2
Badge +6

I get the same Events in the Java Console's Event Viewer, but the Alert Rules don’t include all those new IDs. Do Admins need to manually update those predefined Rules, or should the Upgrade have done that?


Best answer by Mike Struening RETIRED 8 June 2022, 20:58


16 replies

Userlevel 7
Badge +23

@Stefan Vollrath , we do include new error codes in new releases, so that’s likely what’s happening here.  

Can you clarify on where you are not seeing them added to your alerts?

I can move this to its own thread once we have more info 😎

Userlevel 2
Badge +6

@Mike Struening Default Alert “File Activity Anomaly Alert” doesn’t include all the Codes relevant to the used Release (FR24 in this case). Get the Events but no Alerts acting on them out of the box.


Userlevel 7
Badge +23

Thanks, @Stefan Vollrath !  Let me ask around internally.  Can you confirm your exact release (11.24.xx)?

Also, @Ken_H can you confirm the same for comparison (if you get a chance)?

Userlevel 4
Badge +15

My File Activity Anomaly Alert seems to include several error codes not shown on the screen capture from @Stefan Vollrath.  


Userlevel 7
Badge +23

@Ken_H , what version is your CS on?  I suspect the alert updates, but within various versions, not on its own.

Userlevel 4
Badge +15

I’m running 11.26.8.


Userlevel 2
Badge +6

We are running 11.24.38 and 11.20.90 at the moment.

Userlevel 7
Badge +23

11.26.8 came out Feb 1

11.24.38 came out in March

11.20.90 came out Feb 1

I was thinking there was a time release difference at play here, but there’s not.

@Stefan Vollrath , I am going to check with someone internally, though it might be best to get a support case opened to see what happened.

@DMCVault 

Userlevel 7
Badge +23

I have more detail.

From the Security Dashboard:

● The alert is triggered by event code 7:211|7:212 given as a regular expression.
● Use regular expression 7:211|7:212|7:293 in feature releases later than 22.
● Use regular expression 7:211|7:212|7:293|7:269 in feature releases later than 25.
● Use regular expression 7:211|7:212|7:293|7:269|14:323|69:52 in feature releases later than 26.
● The alert should not have any criteria other than Error Code selected.

Can you confirm the alert criteria you are using compared to your Feature Release.
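The per-release regex list above is easy to misapply by hand, so here is an added example (not Commvault code and not posted by anyone in this thread) that encodes the list as stated, picks the expression that applies to a given feature release, and reports which observed event codes the default alert would not fire on. The reading of "later than N" as "FR strictly greater than N", the anchoring of each alternative, and the shape of the `alert` dictionary in `check_alert_definition` are this example's assumptions; the event codes in the sample input are constructed.

```python
import re
from typing import Iterable

# Event-code regexes exactly as listed in the thread, keyed by the feature
# release they apply above. "Later than N" is read here as FR > N (assumption).
ALERT_REGEX_BY_FR_THRESHOLD = [
    (26, r"7:211|7:212|7:293|7:269|14:323|69:52"),
    (25, r"7:211|7:212|7:293|7:269"),
    (22, r"7:211|7:212|7:293"),
    (-1, r"7:211|7:212"),  # baseline expression for all earlier releases
]


def alert_regex_for_fr(fr: int) -> str:
    """Return the Error Code regex the default alert should carry for FR `fr`."""
    for threshold, regex in ALERT_REGEX_BY_FR_THRESHOLD:
        if fr > threshold:
            return regex
    raise ValueError(f"unsupported feature release {fr}")


def _compile_exact(regex: str) -> re.Pattern:
    # Anchor the whole alternation so a code such as 7:2111 does not match 7:211.
    # Whether the product anchors the expression is not stated in the thread;
    # anchoring is this example's choice.
    return re.compile(r"^(?:" + regex + r")$")


def uncovered_codes(fr: int, observed_codes: Iterable[str]) -> list[str]:
    """Event codes seen on FR `fr` that the documented default regex would not catch."""
    pattern = _compile_exact(alert_regex_for_fr(fr))
    return sorted({code for code in observed_codes if not pattern.match(code)})


def check_alert_definition(fr: int, alert: dict) -> list[str]:
    """Compare an alert definition against the thread's two rules.

    `alert` is a constructed dict with keys "criteria" (set of criterion
    names) and "error_code_regex" (str); this shape is an assumption.
    Returns findings; an empty list means the alert matches the documented rule.
    """
    findings = []
    expected = alert_regex_for_fr(fr)
    actual = alert.get("error_code_regex")
    if actual != expected:
        findings.append(f"regex is {actual!r}, documented value for FR{fr} is {expected!r}")
    extra = set(alert.get("criteria", ())) - {"Error Code"}
    if extra:
        findings.append(f"criteria other than Error Code selected: {sorted(extra)}")
    return findings


if __name__ == "__main__":
    # Constructed sample: codes an FR24 CommServe might show in the Event Viewer.
    fr24_events = ["7:211", "7:212", "7:269", "7:293", "7:269"]
    print("FR24 documented regex:", alert_regex_for_fr(24))
    print("FR24 events the default alert would not fire on:", uncovered_codes(24, fr24_events))
    # A hand-edited FR24 alert that added 7:269; it no longer equals the documented value.
    edited = {"criteria": {"Error Code"}, "error_code_regex": r"7:211|7:212|7:293|7:269"}
    print("Findings for the edited FR24 alert:", check_alert_definition(24, edited))
```

Running it shows 7:269 as uncovered on FR24 under the documented list, and shows that an alert edited to add 7:269 no longer equals the documented expression for that release, which is the trade-off the next reply describes.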

Userlevel 2
Badge +6

That’s the problem, the list described here and used by the alert doesn’t match what the software uses otherwise.

We are running FR24, regularly get Event Code 7:269, but that isn’t covered by the alert before FR25.

Mediating that and adding the newer codes to the alert then results in a critical alert from the Security Assessment Report, as the rule now no longer matches what is checked there…

Having an all green Security Assessment or have all Anomalies alerted shouldn't be a trade-off we have to make.

Userlevel 7
Badge +23

@Stefan Vollrath , something isn’t right, then.

Open a support case and share the number here so I can track it!

@Mike Struening Stefan’s case is 220412-138.

Userlevel 7
Badge +23

Thanks, @Jacek Piechucki !!!

Userlevel 7
Badge +23

Small update, looks like they are backporting the alert to MR24.

Will keep following the case on my end.

Userlevel 7
Badge +23

Looks like form ID 4947 is the fix via WinX64_11.0.0B80-SP24_SP24-HotFix-5751 which requires 11.24.43.

Let us know once it is installed and working 🤓


Userlevel 7
Badge +23

Sharing case solution:

Finding Details:

Customer noticed that the File Activity Anomaly alert does not contain all available event codes per FR. Editing the alert causes it to become "deleted" in the [Security Assessment] report \ [Platform Security] section.

Solution:

Ticket has been escalated to engineering, who created the fix SP24-HotFix-5751, taking into account the specific event codes for each FR.
The fix is available in MR starting from 11.24.52 (11.24.52 is the first GA).
