Article Number
000001427
Applies To
RSA Product Set: NetWitness Endpoint
RSA Product/Service Type: ConsoleServer, SMTP
RSA Version/Condition: 4.4.x
Platform: Windows
Issue
When the SMTP server is unreachable, down, or otherwise not operating correctly, alerts may be generated and handed off for sending but never reach their intended destination.
When this happens, analysts receive no messages for triggered IIOC events. This article documents a method for attempting to recover those alert emails.
Cause
There are many simple reasons for this, including network errors, an SMTP server that is powered down or unstable, or issues on the ConsoleServer that prevent the emails from being sent.
Resolution
The RSA NetWitness Endpoint server has a daily maintenance job that runs Monday through Thursday and a deep-cleaning job that runs Friday and Saturday. During either of these maintenance periods, any compiled alert that the SQL database has marked as processed is purged to free space on the SQL server, so there is a relatively short window in which to recover these emails. To search for the alerts still held in the database:
SELECT
ca.EventData
FROM
dbo.CompiledAlerts AS ca WITH(NOLOCK)
This returns each alert's EventData as a binary blob displayed in hex, which must be converted into readable text with a hex editor or conversion tool such as Hexplorer. The result is not formatted as neatly as the original emails, but it is readable and contains the same content those emails would have carried.
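As an added illustration of the conversion step (this is not RSA's code and not part of the article), the following Python helper takes an EventData cell value as copied from the query result, in the 0x-prefixed form, bare hex, or hex broken up by spaces, and turns it into readable text. The article does not document the internal encoding of EventData, so the decoder assumes UTF-16LE or UTF-8 and falls back to extracting printable ASCII runs; the sample cell value is constructed, not real NetWitness data.

```python
import re

def hex_to_bytes(hex_text: str) -> bytes:
    """Accept the '0x...' form SSMS shows for varbinary, bare hex, or
    hex broken up by spaces/newlines as a hex editor like Hexplorer shows it."""
    cleaned = re.sub(r"\s+", "", hex_text)
    if cleaned.lower().startswith("0x"):
        cleaned = cleaned[2:]
    if len(cleaned) % 2:
        raise ValueError("hex string has odd length; a byte was cut off")
    return bytes.fromhex(cleaned)

def looks_utf16le(blob: bytes) -> bool:
    """Heuristic: Latin text stored as UTF-16LE (the usual .NET string
    encoding on Windows) has a NUL byte in most odd positions."""
    high_bytes = blob[1::2]
    return bool(high_bytes) and high_bytes.count(0) / len(high_bytes) > 0.5

def readable_ratio(text: str) -> float:
    """Share of characters that are printable or ordinary whitespace."""
    if not text:
        return 0.0
    return sum(ch.isprintable() or ch in "\r\n\t" for ch in text) / len(text)

def decode_event_data(blob: bytes) -> tuple[str, str]:
    """Return (encoding_used, text). Assumption (not documented by the article):
    EventData holds the alert text as UTF-16LE or UTF-8. Anything else falls
    back to a strings-style extraction of printable ASCII runs, so at least
    part of the alert is still recovered."""
    if looks_utf16le(blob):
        text = blob.decode("utf-16-le", errors="replace")
        if readable_ratio(text) > 0.9:
            return "utf-16-le", text
    try:
        text = blob.decode("utf-8")
        if readable_ratio(text) > 0.9:
            return "utf-8", text
    except UnicodeDecodeError:
        pass
    runs = re.findall(rb"[\x20-\x7e]{4,}", blob)
    return "ascii-strings", "\n".join(r.decode("ascii") for r in runs)

def recover_alert(hex_text: str) -> tuple[str, str]:
    """Convenience wrapper: paste an EventData cell value, get readable text."""
    return decode_event_data(hex_to_bytes(hex_text))

if __name__ == "__main__":
    # Constructed sample cell value, not real NetWitness data: "IIOC Alert" in UTF-16LE
    sample = "0x4900 4900 4F00 4300 2000 4100 6C00 6500 7200 7400"
    print(recover_alert(sample))
```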
Workaround
Other than the method above, there is no way to recover email alerts that were sent but failed to reach their destination address.