I get the same Events in the Java Console's Event Viewer, but the Alert Rules don't include all those new IDs. Do Admins need to manually update those predefined Rules or should the Upgrade have done that?
Best answer by Mike Struening (RETIRED)
Can you clarify on where you are not seeing them added to your alerts?
I can move this to its own thread once we have more info 😎
@Stefan Vollrath ! Let me ask around internally. Can you confirm your exact release (11.24.xx)?
@Ken_H can you confirm the same for comparison (if you get a chance)?
My File Activity Anomaly Alert seems to include several error codes not shown on the screen capture from
I’m running 11.26.8.
We are running 11.24.38 and 11.20.90 at the moment
11.26.8 came out Feb 1
11.24.38 came out in March
11.20.90 came out Feb 1
I was thinking there was a time release difference at play here, but there’s not.
I have more detail.
From the Security Dashboard:
● The alert is triggered by event code 7:211|7:212 given as regular expression.
● Use regular expression as 7:211|7:212|7:293 in feature release later than 22
● Use regular expression as 7:211|7:212|7:293|7:269 in feature release later than 25
● Use regular expression as 7:211|7:212|7:293|7:269|14:323|69:52 in feature release later than 26
● The alert should not have any criteria other than Error Code selected
Can you confirm the alert criteria you are using compared to your Feature Release?
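As an added example (not from the thread or from Commvault), the per-Feature-Release list above can be turned into a small check that an admin can run offline: it builds the regex the Security Dashboard expects for a given FR, tests whether an observed event code would fire the File Activity Anomaly alert, lists codes seen in the Event Viewer that the prescribed regex will not cover, and compares a configured Error Code regex with the expected one. The FR thresholds and event codes are the page's; the function names, the data layout and the reading of "later than N" as FR > N are this example's assumptions.

```python
import re

# Event codes added to the File Activity Anomaly alert per Feature Release,
# transcribed from the Security Dashboard guidance quoted in the thread.
# ASSUMPTION (this example's, not the page's): "later than N" means FR > N.
EVENT_CODE_ADDITIONS = [
    (0, ["7:211", "7:212"]),        # baseline, every release
    (23, ["7:293"]),                # "feature release later than 22"
    (26, ["7:269"]),                # "feature release later than 25"
    (27, ["14:323", "69:52"]),      # "feature release later than 26"
]


def expected_event_codes(feature_release: int) -> list[str]:
    """Cumulative list of event codes the alert should cover at this FR."""
    codes: list[str] = []
    for min_fr, added in EVENT_CODE_ADDITIONS:
        if feature_release >= min_fr:
            codes.extend(added)
    return codes


def expected_event_code_regex(feature_release: int) -> str:
    """The alternation the dashboard expects in the alert's Error Code criterion.
    Codes are digits and a colon only, so no escaping is needed."""
    return "|".join(expected_event_codes(feature_release))


def is_alerted(feature_release: int, event_code: str) -> bool:
    """Would the dashboard-prescribed regex fire on this event code?
    fullmatch is used so a code is matched whole, never as a prefix."""
    pattern = expected_event_code_regex(feature_release)
    return re.fullmatch(pattern, event_code) is not None


def uncovered_codes(feature_release: int, observed_codes: list[str]) -> list[str]:
    """Codes seen in the Event Viewer that the prescribed regex will not alert on."""
    return [c for c in observed_codes if not is_alerted(feature_release, c)]


def alert_matches_dashboard(feature_release: int, configured_regex: str) -> bool:
    """Compare a configured Error Code regex with the dashboard's expectation,
    ignoring the order of alternatives. A mismatch here is what the Security
    Assessment Report flags once the predefined alert has been edited."""
    configured = {part.strip() for part in configured_regex.split("|") if part.strip()}
    return configured == set(expected_event_codes(feature_release))


if __name__ == "__main__":
    # Constructed sample: codes an FR24 site might see in the Event Viewer.
    observed = ["7:211", "7:269", "14:323"]
    print("FR24 expected regex:", expected_event_code_regex(24))
    print("FR24 uncovered:", uncovered_codes(24, observed))
    print("FR26 uncovered:", uncovered_codes(26, observed))
```

Running it for FR24 reports 7:269 and 14:323 as uncovered, which is the gap described later in the thread: the code is emitted by the software at FR24 but only enters the prescribed alert regex at a later release.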
That’s the problem: the list described here and used by the alert doesn’t match what the software uses otherwise.
We are running FR24, regularly get Event Code 7:269, but that isn’t covered by the alert before FR25.
Remediating that and adding the newer codes to the alert then results in a critical alert from the Security Assessment Report, as the rule no longer matches what is checked there…
Having an all-green Security Assessment or having all Anomalies alerted shouldn't be a trade-off we have to make.
Open a support case and share the number here so I can track it!
@Jacek Piechucki !!!
Small update, looks like they are backporting the alert to MR24.
Will keep following the case on my end.
Looks like form ID 4947 is the fix via WinX64_11.0.0B80-SP24_SP24-HotFix-5751 which requires 11.24.43.
Let us know once it is installed and working 🤓
Sharing case solution:
Customer noticed that a File Activity Anomaly alert does not contain all available event codes per FR. Editing the alert causes it to become "deleted" in the [Security Assessment] report \ [Platform Security] section.
Ticket has been escalated to engineering, who created a fix SP24-HotFix-5751 taking into account specific event codes for particular FR.
Fix is available in MR starting from 11.24.52 (11.24.52 is first GA).