Threat detection report task per Static Group


Markwd

Hello,

I have set up ERA (6.5) in a multi-tenancy way, so all my customers are connected through one server and every customer has its own Static Group and logs into the ERA Console.

 

Now I wanted to have ERA generate reports automatically on detection of threats and mail these reports to the customer at the moment a detection is logged. Of course the report only needs to show the clients under the customer's Static Group, and the report task only needs to run when a detection is made under the Static Group of the customer itself.

 

Creating the report was easy and that part works fine. Creating the report task, however, is not working. When I create a report task that is triggered by threat detection, I cannot have it run only on detection of threats under the Static Group of the customer itself. The task runs on every threat detection of every customer (Static Group). I have tried to work around this by placing the task under the customer's Access Group, and I have also tried to work around it by disabling the option "SEND EMAIL IF REPORT IS EMPTY". Still the outcome is not right.

I specifically do not want to use the SMTP settings at the customer's site, because I do not want to find out those specific settings every time, and because the reporting task has the possibility to filter out the "threats" that are not severe enough to mention.

Is there a way to have this functional and set up within the ERA environment, so I can send threat reports per customer (Static Group)?

Any thoughts about this would be appreciated...


Hello Marcos,

 

Thanks for your response.

 

The filtering by Static Group under the report template only filters the content of the report. It does not filter the server report task that runs when a threat detection has been logged.

So when I use the Static Group filtering on the report template, it generates a report on every threat detection (in every Static Group), but will only show the threats detected of that specific Static Group in the report.

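The distinction made in this post (a report filter that narrows what the report shows versus a trigger that decides whether the task runs at all) can be made concrete with a small simulation. This is an added example, not ERA code and not anything from the thread: the detections, client and group names are constructed, and the model assumes, as a simplification, that the report covers all of the tenant's detections in the current window rather than just the triggering one.

```python
"""Toy model of two ways a per-tenant threat report task could be wired.

content_filtered_run: the task fires on every detection in the whole server
and only the report body is filtered by Static Group (the behaviour the
thread describes).
trigger_gated_run: the task fires only when the triggering detection itself
belongs to the tenant's Static Group (the behaviour the poster is after).

Added example; all names and the 'window report' model are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Detection:
    client: str
    group: str   # Static Group the client belongs to
    threat: str


# Constructed sample detections from two hypothetical tenants.
DETECTIONS = [
    Detection("ws01", "CustomerA", "Eicar test file"),
    Detection("srv02", "CustomerB", "JS/Agent trojan"),
    Detection("ws07", "CustomerA", "Win32/Filecoder"),
]


def report_rows(detections, tenant_group):
    """The report template's Static Group filter: keep only the tenant's rows.
    Assumed model: the report covers every detection in the window, not just
    the one that triggered the task."""
    return [d for d in detections if d.group == tenant_group]


def content_filtered_run(detections, tenant_group):
    """Task triggers on every detection server-wide; only the report body is
    filtered. Returns one (triggering detection, rows) pair per task run."""
    return [(d, report_rows(detections, tenant_group)) for d in detections]


def trigger_gated_run(detections, tenant_group):
    """Task triggers only on detections inside the tenant's own Static Group."""
    return [(d, report_rows(detections, tenant_group))
            for d in detections if d.group == tenant_group]


def mails_sent(runs, skip_empty):
    """Count e-mails a run list would produce, optionally suppressing empty
    reports (the 'send email if report is empty' switch in the model)."""
    return sum(1 for _, rows in runs if rows or not skip_empty)


if __name__ == "__main__":
    for tenant in ("CustomerA", "CustomerB"):
        filtered = content_filtered_run(DETECTIONS, tenant)
        gated = trigger_gated_run(DETECTIONS, tenant)
        print(tenant,
              "content-filtered runs:", len(filtered),
              "mails (skip empty):", mails_sent(filtered, skip_empty=True),
              "| trigger-gated runs:", len(gated),
              "mails:", mails_sent(gated, skip_empty=True))
```

In the content-filtered model every tenant's task runs three times for three server-wide detections, and because the filtered report still contains that tenant's earlier rows it is never empty, so suppressing empty reports does not stop a mail being sent on another tenant's detection. Only the trigger-gated variant runs exactly once per detection in the tenant's own group.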

(ESET Staff)

Have you tried to schedule / execute the task using a user that has access only to the specific static group? I would expect that such a report will contain only data for clients that this user can actually see in the console. The user that created a server task can be seen in Admin -> Server Task -> Username [column], and I would expect those permissions to be used for background task execution. This does not apply to tasks explicitly executed using "Run now", which should be executed with the permissions of the user that started them.


Hello Martin,

 

I have indeed tried to log in with the credentials of one of the customers (with privileges to modify both reports and server tasks), but the trigger still fires on every threat detection in every Static Group.

 

I am thinking the Threat Event trigger is simply looking at a global threat log and ticks with every threat detection, not looking at where the threat is coming from. I wonder if that is true and, if so, whether that log also contains information about where the threat was detected. Maybe the trigger works before "seeing" the infrastructure of ERA and therefore does not know in which Static Group the client is where the threat was detected?

 

I have also tried to think about a way to get this managed with dynamic templates, but all my tries lead to a dead end. 

 

In my opinion, if I could work this out and could send the "technical" contacts of my customers a mail when a real threat is detected, this could help create a kind of security awareness among my customers.
