MCAS SIEM agent status reporting

Hi. Is there a way to have MCAS generate an alert or email to indicate a SIEM agent status change from "connected" to "disconnected"? For example, if the agent goes into a disconnected or error state for x number of hours, can an admin alert or email be generated, so that it can be investigated and the agent potentially restarted by operational teams etc.?

Thanks.

3 Replies
Hi Max,
an alert is automatically generated in the MCAS console when a connection has been disconnected for over 2 hours.
If you want to receive an email, you can enable email notifications for system alerts by clicking on your user icon at the top right, clicking on the cogwheel and going to "Notifications".

Regards,
Dima

Thanks - will give this a test. I take it there is no way to centrally define that these SIEM agent type "system alerts" can be, e.g., sent to a specified separate operations email address instead of the email of the admin who just happens to have enabled the system notification emails?

Not right now, but it's on our roadmap to add.