Is there any way to get any confirmation that a report has been sent to a customer?
Our system sends out tens of automatic reports to our customers and we have no manual way of confirming that the reports were actually sent from the SIEM system with the appropriate information.
The real problem would be that a customer won't be getting a report for months before *he* would need to point out that he didn't get the report (could be because of a misconfiguration issue such as a sender not detailed or an error with one of the queries which create the report).
Has anyone else faced a similar issue and if so how have you overcome it?
A misconfigured query? You mean a query that returns no results? You should still get a report of 0 length.
You can watch the "(Local ESM)" events for report errors. I don't know the entire list of events you might want to watch, but this could be helpful.
Rule Name: ESM failed to Send E-Mail Signature ID: 306-56
Rule Name: Task (query) terminated Signature ID: 306-54
They could be reasons why a report would fail.
Maybe just send yourself a copy as well? Lots of things can go wrong with emails; they can be denied because of various factors.
Your SMTP server should have this information, maybe collect it with the SIEM?
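Putting the two suggestions above together (watch the "(Local ESM)" failure events and collect the SMTP relay's delivery log), here is an added reconciliation check that is not from the thread or from the SIEM vendor: it compares the list of reports that should have gone out against what the mail relay actually accepted and against ESM failure events, and flags every customer/report pair that is unaccounted for. The schedule, the log formats and the mailbox mapping are constructed for the example; the two signature IDs are the ones named in the answer.

```python
import re

# Constructed: the reports each customer is scheduled to receive.
EXPECTED = [
    ("acme", "Daily Auth Failures"),
    ("globex", "Weekly Malware Summary"),
    ("initech", "Daily Auth Failures"),
]
# Constructed: where each customer's reports are delivered.
CUSTOMER_MAILBOX = {"acme": "reports@acme.example",
                    "globex": "soc@globex.example",
                    "initech": "it@initech.example"}
# Constructed SMTP relay log (format is assumed, not any vendor's).
SMTP_LOG = """\
2024-03-01 06:02:11 to=<reports@acme.example> subject="Daily Auth Failures" status=sent
2024-03-01 06:02:12 to=<soc@globex.example> subject="Weekly Malware Summary" status=bounced
"""
# Constructed "(Local ESM)" events; 306-54 / 306-56 are the IDs from the thread.
ESM_EVENTS = """\
2024-03-01 06:01:58 sigid=306-54 msg="Task (query) terminated" task="Daily Auth Failures/initech"
"""
FAILURE_SIGIDS = {"306-56": "mail send failure", "306-54": "report query terminated"}


def parse_smtp(log):
    """Map (recipient, subject) -> relay status for every delivery attempt seen."""
    sent = {}
    for m in re.finditer(r'to=<([^>]+)> subject="([^"]+)" status=(\w+)', log):
        sent[(m.group(1), m.group(2))] = m.group(3)
    return sent


def parse_esm(log):
    """Return (customer, report, reason) for each ESM failure event we care about."""
    failures = []
    for m in re.finditer(r'sigid=(\S+) msg="[^"]*" task="([^/"]+)/([^"]+)"', log):
        if m.group(1) in FAILURE_SIGIDS:
            failures.append((m.group(3), m.group(2), FAILURE_SIGIDS[m.group(1)]))
    return failures


def reconcile(expected, smtp_log, esm_log):
    """Flag every scheduled report that was not confirmed sent, with the best reason known."""
    sent = parse_smtp(smtp_log)
    failures = {(c, r): why for c, r, why in parse_esm(esm_log)}
    findings = []
    for customer, report in expected:
        status = sent.get((CUSTOMER_MAILBOX[customer], report))
        if status == "sent" and (customer, report) not in failures:
            continue  # relay accepted it and ESM raised no error: confirmed
        reason = failures.get((customer, report)) or (
            f"smtp status {status}" if status else "no SMTP record")
        findings.append((customer, report, reason))
    return findings
```

Run daily against the previous day's logs; a non-empty result is the alert you want instead of waiting for the customer to notice.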