Former Member
Message 1 of 13

Automatic Response for threat is not working

Hello,

I am currently on ePO 5.9 and I am working with Automatic Responses in order to send an email notification when malware is detected. I tried everything but it is not working and I am not getting email for the same. I used the settings below:

Description: Event Group: 'ePO Notification Events'; Event Type: 'Threat'

Filter: Threat Category belongs to: 'Malware Detected'.

Please note: server tasks and other responses are working fine, like 'Master repository update succeeded'.

I have both VSE and ENS.

Accepted Solutions
cdinet
Employee
Message 12 of 13

Re: Automatic Response for threat is not working

That's good. Yes, there is currently an issue being investigated where the responses don't trigger if there are multiple groups configured in the "Defined At" section. So setting them to a single group is the current workaround.

12 Replies
LKS
Employee
Message 2 of 13

Re: Automatic Response for threat is not working

Hi vineet21,

Have you configured the SMTP server in ePO? Can you successfully send a test mail from the email server configuration page under Server Settings?


Former Member
Message 3 of 13

Re: Automatic Response for threat is not working

Hi,

Yes, the SMTP server has already been configured and I am able to send the test email. I am getting daily emails for configured server tasks.

The problem is that only the threat response is not working.

LKS
Employee
Message 4 of 13

Re: Automatic Response for threat is not working

Great, then a couple of things to check. If it is a particular task not triggering email, then the issue could be either in the task configuration or the out format (maybe).

* Can you duplicate that task and check if it triggers email?

* The Orion log is the best place to see what's going on when the task initiates. In case you do not find anything, Orion debug may need to be enabled.

Former Member
Message 5 of 13

Re: Automatic Response for threat is not working

Hi,

-> Tried creating a new response but no luck.

-> Checked the Orion log but didn't find anything.

Please suggest if I need to change any settings at the threat policy level.

13:30:28,999 ERROR [scheduler-InternalTask-thread-15] dispatcher.ThreatNotification - Error processing notification. Operation aborted.
com.mcafee.epo.notifications.dispatcher.UnsupportedRuleConditionException: Multiple SexpDescendsFrom in sexp: com.mcafee.orion.core.query.sexp.ops.SexpAnd@a3119b0f
at com.mcafee.epo.notifications.dispatcher.NotificationUtil.findDefinedAtNodeId(NotificationUtil.java:134)
at com.mcafee.epo.notifications.dispatcher.ThreatNotification.makeWhereClause(ThreatNotification.java:278)
at com.mcafee.epo.notifications.dispatcher.DefinedAtNotification.execute(DefinedAtNotification.java:50)
at com.mcafee.epo.notifications.dispatcher.NotificationDispatcherService.fireAllEvents(NotificationDispatcherService.java:20)
at com.mcafee.epo.notifications.dispatcher.NotificationDispatcherInternalTask.run(NotificationDispatcherInternalTask.java:30)
at com.mcafee.orion.scheduler.engine.InternalTaskWrapper.run(InternalTaskWrapper.java:28)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
at java.util.concurrent.FutureTask.runAndReset(FutureTask.java:308)
at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$301(ScheduledThreadPoolExecutor.java:180)
at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:294)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)

YashT
Employee
Message 6 of 13

Re: Automatic Response for threat is not working

Hello @Former Member,

Thank you for the logs.

The log says: 13:30:28,999 ERROR [scheduler-InternalTask-thread-15] dispatcher.ThreatNotification - Error processing notification. Operation aborted.

Your issue looks similar to the article below.

All ePO 'Threat Notification' automatic responses stop working when you enable a Host Intrusion Prevention 8.0 'Automatic Response'
Technical Articles ID: KB77567

Kindly note this is applicable for:
McAfee ePolicy Orchestrator (ePO) 5.x
McAfee Host Intrusion Prevention (Host IPS) 8.0

This issue is resolved in Host IPS 8.0 Patch 6, which is available by logging in to the ServicePortal at: https://support.mcafee.com/downloads.


Thanks and regards,
Yash T
LKS
Employee
Message 7 of 13

Re: Automatic Response for threat is not working

Hi vineet21,

The error below seems to indicate some problem with the rule condition. Could you please show us a screenshot of the configuration?

com.mcafee.epo.notifications.dispatcher.UnsupportedRuleConditionException: Multiple SexpDescendsFrom in sexp: com.mcafee.orion.core.query.sexp.ops.SexpAnd@a3119b0f

bodysoda
Reliable Contributor
Message 8 of 13

Re: Automatic Response for threat is not working

@Former Member, here is an example of a working automatic response for both SNMP and email. Try to replicate the information on your ePO and report back your findings.

[Attached screenshots: 2019-12-11 14_47_38-ePolicy Orchestrator 5.10.0.jpg, 2019-12-11 14_48_28-ePolicy Orchestrator 5.10.0.jpg]

cdinet
Employee
Message 9 of 13

Re: Automatic Response for threat is not working

Are there multiple "Defined At" filters defined?  If so, test by just using My Organization and see if notification triggers.


Former Member
Message 10 of 13

Re: Automatic Response for threat is not working

Hi All,

Thanks for your suggestions and solutions.

Automatic responses for threats are working now. Earlier, there were multiple auto responses configured based on different BIUs. I have deleted all of them and configured them again. I don't know what the issue was, but it is working now after reconfiguration.
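
An added example, not part of any post in this thread: a Python scan of orion.log text for the ThreatNotification dispatcher error posted in Message 5, flagging the "Multiple SexpDescendsFrom" signature that the accepted solution ties to multiple groups under "Defined At". The header pattern is inferred from that single excerpt; `parse_errors`, `multi_group_failures` and every sample line other than the first ERROR entry are constructed for illustration.

```python
import re

# Entry header as seen in the thread's excerpt: "HH:MM:SS,mmm LEVEL [thread] logger - message"
HEADER = re.compile(r"^(?P<time>\d{2}:\d{2}:\d{2},\d{3})\s+(?P<level>[A-Z]+)\s+"
                    r"\[[^\]]+\]\s+(?P<logger>\S+)\s+-\s+(?P<msg>.*)$")
EXC = re.compile(r"^(?P<cls>[\w.$]+(?:Exception|Error)):\s*(?P<detail>.*)$")
FRAME = re.compile(r"^\s*at\s+(?P<frame>[\w.$<>]+)\(")

# The first ERROR entry is copied from the thread; the other lines are constructed.
SAMPLE = """\
13:30:27,412 INFO [scheduler-InternalTask-thread-15] dispatcher.Example - constructed line
13:30:28,999 ERROR [scheduler-InternalTask-thread-15] dispatcher.ThreatNotification - Error processing notification. Operation aborted.
com.mcafee.epo.notifications.dispatcher.UnsupportedRuleConditionException: Multiple SexpDescendsFrom in sexp: com.mcafee.orion.core.query.sexp.ops.SexpAnd@a3119b0f
at com.mcafee.epo.notifications.dispatcher.NotificationUtil.findDefinedAtNodeId(NotificationUtil.java:134)
at com.mcafee.epo.notifications.dispatcher.ThreatNotification.makeWhereClause(ThreatNotification.java:278)
13:35:29,004 ERROR [scheduler-InternalTask-thread-15] dispatcher.ThreatNotification - Error processing notification. Operation aborted.
com.mcafee.epo.notifications.dispatcher.UnsupportedRuleConditionException: Multiple SexpDescendsFrom in sexp: com.mcafee.orion.core.query.sexp.ops.SexpAnd@a3119b0f
"""

def parse_errors(text, logger_suffix="ThreatNotification"):
    """Return one dict per ERROR entry from the matching logger, with its exception and top frame."""
    entries, cur = [], None
    for line in text.splitlines():
        h = HEADER.match(line)
        if h:  # a new log entry starts; later continuation lines belong to `cur`
            cur = None
            if h["level"] == "ERROR" and h["logger"].endswith(logger_suffix):
                cur = {"time": h["time"], "msg": h["msg"], "exception": None,
                       "detail": "", "top_frame": None}
                entries.append(cur)
            continue
        if cur is None:
            continue
        e, f = EXC.match(line.strip()), FRAME.match(line)
        if e and cur["exception"] is None:
            cur["exception"], cur["detail"] = e["cls"].rsplit(".", 1)[-1], e["detail"]
        elif f and cur["top_frame"] is None:
            cur["top_frame"] = ".".join(f["frame"].rsplit(".", 2)[-2:])
    return entries

def multi_group_failures(entries):
    """Entries with the signature the thread ties to several groups in 'Defined At'."""
    return [e for e in entries if e["exception"] == "UnsupportedRuleConditionException"
            and "Multiple SexpDescendsFrom" in e["detail"]]

if __name__ == "__main__":
    for e in multi_group_failures(parse_errors(SAMPLE)):
        print(e["time"], e["exception"], "at", e["top_frame"])
```

Each hit is a dispatcher run in which the notification was aborted, so no threat email went out for that run even though SMTP and server-task mail kept working.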

 
