Attack counts do not tally on [Home]
Issue Description
The ‘Blocked Brute-Force Attacks’ counter under [Home] shows 1 record, but clicking on it shows no data.
Error/Warning Information
[Home]

[Response] – [Threat Response] – [Security Events] – [Brute-Force Attacks]

Handling Process
- Check and remove all filters to ensure the data is not being filtered out.
- Access the backend and export the black_list collection.
  Command:
  /ac/dc/ldb/bin/mongoexport --port 27017 -u sangfor_edr -p Esa0ad1bQz! -d sangfor_edr -c black_list --type=json -o black_list.json
  One record was found in the export.
- Copy the agent id from the exported record to identify which endpoint it belongs to.
- Paste the agent id into the URL to view the endpoint details.
  Example:
  https://192.168.20.199:555/ui/#/endpoint_group_manage/details?id=769077048
  The endpoint had been deleted.
- Verified with the R&D team: this is confirmed to be a logic issue and has been fed back to the relevant team for improvement in a newer version.
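The handling process above can be scripted so the same check does not have to be done by hand: parse the mongoexport output, compare each record's agent id against the current endpoint inventory, and report which blocked-attack records belong to endpoints that no longer exist. The script below is an added example, not Sangfor code. It assumes mongoexport with --type=json writes one JSON document per line (it also accepts a --jsonArray export), that the black_list document stores the agent id in a field named agent_id (field name assumed), and that the endpoint inventory is a list of objects with an id field (assumed). The sample records are constructed.

```python
"""Reconcile exported black_list records against the endpoint inventory.

Added example (not Sangfor code). Assumptions, labelled as such:
- mongoexport --type=json writes one JSON document per line.
- Each black_list document carries the agent id in a field named "agent_id".
- The endpoint inventory is a list of dicts with an "id" key.
"""
import json

# Constructed sample of mongoexport output (one document per line).
# The first agent id is the one from the article; the second is made up.
SAMPLE_BLACK_LIST = """\
{"_id": {"$oid": "000000000000000000000001"}, "agent_id": "769077048", "ip": "10.0.0.5", "type": "brute_force"}
{"_id": {"$oid": "000000000000000000000002"}, "agent_id": "123456789", "ip": "10.0.0.9", "type": "brute_force"}
"""

# Constructed endpoint inventory: only the second agent still exists.
SAMPLE_ENDPOINTS = [{"id": "123456789", "name": "WS-01"}]


def parse_mongoexport(text):
    """Parse mongoexport JSON output.

    Handles the default one-document-per-line form and the --jsonArray form.
    Blank lines are skipped; a malformed line raises so the problem is visible.
    """
    stripped = text.strip()
    if stripped.startswith("["):
        return json.loads(stripped)
    docs = []
    for line in stripped.splitlines():
        line = line.strip()
        if line:
            docs.append(json.loads(line))
    return docs


def reconcile(black_list_docs, endpoints, agent_field="agent_id"):
    """Split black_list records into those whose endpoint still exists and
    those whose endpoint has been deleted (orphaned).

    "total" is what the [Home] counter reflects; "visible" is what the
    [Brute-Force Attacks] page can show once the endpoint is gone.
    """
    known = {str(e["id"]) for e in endpoints}
    result = {"total": len(black_list_docs), "visible": [], "orphaned": []}
    for doc in black_list_docs:
        agent_id = str(doc.get(agent_field, ""))
        bucket = "visible" if agent_id in known else "orphaned"
        result[bucket].append(agent_id)
    return result


def endpoint_detail_url(base, agent_id):
    """Build the endpoint-details URL from the article's URL pattern."""
    return f"{base}/ui/#/endpoint_group_manage/details?id={agent_id}"


if __name__ == "__main__":
    docs = parse_mongoexport(SAMPLE_BLACK_LIST)
    report = reconcile(docs, SAMPLE_ENDPOINTS)
    print(f"black_list records: {report['total']}")
    print(f"visible in UI:      {len(report['visible'])}")
    for agent_id in report["orphaned"]:
        print("orphaned record for deleted endpoint:",
              endpoint_detail_url("https://192.168.20.199:555", agent_id))
```

Run it against a real black_list.json by replacing SAMPLE_BLACK_LIST with the file contents and SAMPLE_ENDPOINTS with an export of the current endpoint list; a non-empty "orphaned" list is the condition described in this article, where the counter includes records the detail page cannot display.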
Solution
No solution is available, as this is a calculation-logic issue present on all versions.
Suggestions
Note:
On the newer version (ES 6.0.2), this issue remains, but the events will appear in the [Response] sections.
Scenario A: Agent had been uninstalled.

Scenario B: Agent had been uninstalled and endpoint had been deleted.
