Question & Answer
Question
If we face a problem with our IBM Resilient threat feeds how do I control whom is sent an email notifying them of the shut off?
Cause
If there is a problem with a threat feed, for example, a license issue affecting IBM X-Force Exchange emails are sent to IBM Resilient users making them aware of the shut off. An example of entries written to /usr/share/co3/client.log is as follows.
20:42:21.600 [Co3Scheduler_Worker-1] ERROR com.co3.threat.Co3ThreatFeed - Disabling SOC's threat feed IBM X-Force Exchange due to missing or invalid license.
20:42:21.613 [Co3Scheduler_Worker-1] INFO com.co3.threat.ThreatServiceBase - ThreatFeed shutoff email has been sent to resilient.api@domain.com
20:42:21.632 [Co3Scheduler_Worker-1] INFO com.co3.threat.ThreatServiceBase - ThreatFeed shutoff email has been sent to resilient.admin@domain.com
20:42:21.638 [Co3Scheduler_Worker-1] INFO com.co3.threat.ThreatServiceBase - ThreatFeed shutoff email has been sent to ben.williams@domain.com
20:42:21.613 [Co3Scheduler_Worker-1] INFO com.co3.threat.ThreatServiceBase - ThreatFeed shutoff email has been sent to resilient.api@domain.com
20:42:21.632 [Co3Scheduler_Worker-1] INFO com.co3.threat.ThreatServiceBase - ThreatFeed shutoff email has been sent to resilient.admin@domain.com
20:42:21.638 [Co3Scheduler_Worker-1] INFO com.co3.threat.ThreatServiceBase - ThreatFeed shutoff email has been sent to ben.williams@domain.com
Answer
The permission "Ability to view and modify:" taken from Administrator Settings - Roles determines who is sent the shut off email.
Shut off emails are sent to deactivated users.
[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSIP9Q","label":"IBM Security SOAR"},"Component":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Versions","Edition":"","Line of Business":{"code":"LOB24","label":"Security Software"}}]
Was this topic helpful?
Document Information
Modified date:
19 April 2021
UID
ibm11170256