Too many reports, how to streamline reporting?

  • 25 October 2021
  • 2 replies

I’ve noticed that KSC sends mail reports very quickly. For instance, if a client workstation has been offline for a couple of days and goes online, I immediately get an e-mail with a warning that the AV database is out of date on that machine. A couple of minutes later, the problem fixes itself because the client installs the updates.

I was wondering if there is a possibility to delay these notifications? I mean, it would be a lot more relevant if mail warnings only got sent if something can’t be fixed. Also, are there guidelines on how to streamline the notifications?





I experienced the same behavior. The same thing sometimes happens when a computer gets turned off or is suspended (laptop): KSC shows that the computer state is “security application is not running” or “protection is disabled” for a short time (I guess until KSC recognizes that the computer is offline).

It would be interesting to postpone the detection of such states in this situation so that the message only gets logged when the state is really reached.

The network agent could detect (for example) when the computer gets turned off and send that information to KSC (so that it does not detect the states “security application is not running” or “protection is disabled” for a few minutes after receipt of that information), or KSC could wait a few minutes after boot-up of a computer before it logs “databases are outdated”.


When someone forwards these messages to a SIEM product, it also picks up these (probably high number of) messages (which are not always legitimate in the current implementation).
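What both replies are asking for is a hold-down window: a condition is only escalated (mailed, or forwarded to the SIEM) once it has stayed active longer than the time an endpoint normally needs to update its databases or to be recognised as offline, and a condition that clears inside that window is counted but never alerted. The following is an added example of such a filter, not code from the thread and not a KSC feature: the event schema, the 10-minute window and the sample event stream are assumptions constructed for illustration, so the filter would sit in front of the mail or SIEM pipeline rather than inside KSC itself.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    """One state-change report from an endpoint (assumed schema, not KSC's)."""
    ts: datetime
    host: str
    condition: str   # e.g. "databases_outdated", "protection_disabled"
    active: bool     # True = condition raised, False = condition cleared


def hold_down(events, hold, now):
    """Suppress conditions that clear within `hold`; escalate the ones that persist.

    Returns (alerts, suppressed):
      alerts     - list of (kind, time, host, condition), kind "raised" or "cleared";
                   "raised" is stamped with the moment the hold-down window expired
      suppressed - list of (host, condition, seconds_active) for transients that
                   cleared before the window expired (worth counting SIEM-side)
    """
    pending = {}      # (host, condition) -> time first seen active, not yet escalated
    alerted = set()   # (host, condition) already escalated and still active
    alerts, suppressed = [], []

    def escalate(upto):
        # Promote every pending condition whose window has expired by time `upto`.
        for key, first in list(pending.items()):
            if upto - first >= hold:
                alerts.append(("raised", first + hold, key[0], key[1]))
                alerted.add(key)
                del pending[key]

    for ev in sorted(events, key=lambda e: e.ts):
        escalate(ev.ts)
        key = (ev.host, ev.condition)
        if ev.active:
            # A repeated "active" report must not restart the timer.
            if key not in alerted:
                pending.setdefault(key, ev.ts)
        elif key in alerted:
            alerted.remove(key)
            alerts.append(("cleared", ev.ts, key[0], key[1]))
        elif key in pending:
            first = pending.pop(key)
            suppressed.append((key[0], key[1], int((ev.ts - first).total_seconds())))
        # A "cleared" report for a condition never seen active is ignored.

    escalate(now)   # flush conditions still active at the end of the batch
    return alerts, suppressed


HOLD = timedelta(minutes=10)   # assumed window; tune to the update/offline timing you observe


def t(hhmmss):
    return datetime.fromisoformat(f"2021-10-25T{hhmmss}")


# Constructed sample stream (not real KSC output).
SAMPLE_EVENTS = [
    Event(t("08:00:00"), "ws-01", "databases_outdated", True),    # laptop back online
    Event(t("08:03:00"), "ws-01", "databases_outdated", False),   # updates installed
    Event(t("08:05:00"), "ws-02", "protection_disabled", True),   # laptop suspending
    Event(t("08:05:30"), "ws-02", "protection_disabled", False),  # recognised as offline
    Event(t("08:10:00"), "ws-03", "databases_outdated", True),    # genuinely stuck
    Event(t("08:30:00"), "ws-03", "databases_outdated", True),    # repeat report, timer not reset
    Event(t("08:40:00"), "ws-04", "protection_disabled", True),   # real outage ...
    Event(t("08:55:00"), "ws-04", "protection_disabled", False),  # ... fixed after 15 min
    Event(t("08:57:00"), "ws-05", "databases_outdated", True),    # still inside window at NOW
]
NOW = t("09:00:00")


def run_sample():
    return hold_down(SAMPLE_EVENTS, HOLD, NOW)


if __name__ == "__main__":
    alerts, suppressed = run_sample()
    for kind, when, host, cond in alerts:
        print(f"{when:%H:%M:%S} {kind:7} {host} {cond}")
    for host, cond, secs in suppressed:
        print(f"suppressed {host} {cond} (cleared after {secs}s)")
```

With the sample stream only ws-03 and ws-04 produce alerts; ws-01 and ws-02 are the transient cases described in the thread and end up in the suppressed list, and ws-05 stays pending because its window has not expired at NOW. Keeping the suppressed counter is deliberate: a host that flaps in and out of "databases outdated" dozens of times a day is itself a finding, even though no single occurrence deserves a mail.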