Root Cause Analysis not showing recent issue

Licensed users; yes, we have a valid Intercept X license.

We just had a triggered alert for a CryptoGuard event on a user workstation.  The issue has been resolved, but no Root Cause Analysis has been opened.  We have other events in the RCA, just this recent one is missing.  Yes, we have a current and valid Intercept X license.

Suggestions?

Steve



  • Hi Steve Bottoms,

    Can you share the current version of Intercept X you have? If possible, share with us the product versions that you have.

    We need to check if this event has generated an RCA. To verify that, please access the following file location (C:\ProgramData\Sophos\Endpoint Defense\Logs\sdr.log), see if you have the sdr.log, and check for the below lines in it.

    SDR File Info Starting Snapshot generation...
    SDR File Info Snapshot generation complete

    Also check for below file in C:\ProgramData\Sophos\Endpoint Defense\Data\Saved Data\

    snapshot_<endpointid>_<date-timestamp>.tgz
    rca_<endpointid>_<date-timestamp>.tgz

    Regards,

    Gowtham Mani
    Community Support Engineer | Sophos Technical Support

    Knowledge Base  |  @SophosSupport | Sign up for SMS Alerts
    If a post solves your question use the 'This helped me' link.
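The checks in the reply above can be run in one go. The following PowerShell is an added example written for this thread, not Sophos code or a Sophos-documented tool; it uses the two file locations and the two "SDR File Info" log lines named above. The `-Since` parameter (defaulting to the last 24 hours) is an assumption so that only artifacts from around the alert time are counted.

```powershell
# Added example (not Sophos code): checks whether the endpoint produced the
# RCA artifacts listed in the reply above. Run in an elevated PowerShell on
# the workstation that raised the CryptoGuard alert.
function Test-SophosRcaArtifacts {
    param(
        # Time of the alert in Sophos Central. Assumed parameter, not from the
        # thread; default looks back 24 hours.
        [datetime]$Since = (Get-Date).AddDays(-1)
    )

    # Paths exactly as named in the support reply.
    $logPath   = 'C:\ProgramData\Sophos\Endpoint Defense\Logs\sdr.log'
    $savedData = 'C:\ProgramData\Sophos\Endpoint Defense\Data\Saved Data'

    $result = [ordered]@{
        LogExists        = Test-Path -LiteralPath $logPath
        SnapshotStarted  = $false
        SnapshotComplete = $false
        SnapshotFiles    = @()
        RcaFiles         = @()
    }

    if ($result.LogExists) {
        # Select-String is case-insensitive by default, so a lowercase
        # "sdr file info" search would match these lines too.
        $result.SnapshotStarted  = [bool](Select-String -LiteralPath $logPath -SimpleMatch `
            -Pattern 'SDR File Info Starting Snapshot generation' -Quiet)
        $result.SnapshotComplete = [bool](Select-String -LiteralPath $logPath -SimpleMatch `
            -Pattern 'SDR File Info Snapshot generation complete' -Quiet)
    }

    if (Test-Path -LiteralPath $savedData) {
        # Only .tgz archives written since the alert window are relevant;
        # older snapshot_/rca_ files belong to earlier detections.
        $recent = Get-ChildItem -LiteralPath $savedData -File -Filter '*.tgz' |
            Where-Object { $_.LastWriteTime -ge $Since }
        $result.SnapshotFiles = @($recent | Where-Object Name -like 'snapshot_*' |
            Select-Object -ExpandProperty Name)
        $result.RcaFiles      = @($recent | Where-Object Name -like 'rca_*' |
            Select-Object -ExpandProperty Name)
    }

    [pscustomobject]$result
}

$r = Test-SophosRcaArtifacts
$r | Format-List

# Neither log marker nor rca_*.tgz for the window means the endpoint never
# built an RCA, which is the condition the support reply says needs a case
# with SDU logs.
if (-not $r.SnapshotComplete -or $r.RcaFiles.Count -eq 0) {
    Write-Warning 'No RCA artifacts found for this window: the endpoint did not generate an RCA for the event.'
}
```

If `LogExists` is `False`, the log directory itself is missing and the endpoint components should be checked before anything else; if the markers are present but no `rca_*.tgz` exists, the snapshot was started but the archive never landed, which is a different failure from no RCA attempt at all, and worth stating in the support case.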

  • Gowtham, thanks for replying.

    1) Core agent = 2.0.5, Endpoint Adv = 10.8.1.2, Intercept X = 2.0.8

    2) The string "sdr file info" is nowhere in the file sdr.log

    3) The above requested files do not exist.

    I also checked the RCA screen again, and there was no RCA created for the event in question; there has, however, been one RCA created for an unrelated event since.

    Thanks.

    Steve

  • Hi Steve Bottoms,

    Thanks for the details; it helps to determine if the RCA was created and then not reflected in the Central dashboard, or if no RCA was generated for this event. The absence of these files indicates that there was no RCA created on the endpoint for the event you have reported.

    Note: An RCA is created when a protected endpoint detects a malware infection that requires investigation. An RCA might not be created for every detection, for example for PUA or where the time between Cause and the beacon event is too high.

    If you would like to investigate further on why the RCA was generated, you need to open a support case with the SDU logs so that they can investigate and proceed with the detection.

    Regards,

    Gowtham Mani
    Community Support Engineer | Sophos Technical Support

