Closed copos45 closed 7 years ago
It's difficult to determine what the cause of this might be without being able to troubleshoot in your environment specifically. No, there's no way to configure this. If email alerting is configured, the client service should be sending an email notification when it processes each event from the streaming API. There could be a number of different reasons for a delay in processing.
Alright, I understand there may be something specific to my environment, but I've checked the time sync settings on the Orchestrator Windows server instance and it is being controlled through Windows Group Policy as designed. I want to stress that the email alerts do function, except some arrive within 15 min of the malware detection, whereas others take several hours, with no clear pattern between the two.
Considering no one seems to be experiencing the same problem, I do not expect a new release/bug fix to be issued. But what is the date for the next release, and is there a list available of the bugs to be corrected in that release?
Can you possibly check your email server logs to see if they're queuing up there? That would help to isolate where the issue lies. There's no targeted date for the next release at this time, although I'm hoping to have something within the next couple of months. Bug fixes to be addressed are currently filed as issues with a tag of "bug".
If you turn the client logging on in debug mode, you should get timestamps of when the email is sent: https://github.com/CrowdStrike/falcon-orchestrator/wiki/Installation-&-Deployment#troubleshooting-the-service
Upon advice of email team, using their smtp-relay. Orchestrator is likely not a cause in late alert delivery.
Orchestrator has been configured to send email notifications, but it has been noticed that the emails being sent are often 20 min to several hours after the malware detection. The Orchestrator console, on the other hand, does match up within a few minutes with the CrowdStrike Falcon Cloud console.
Is there a setting that can be specified to hard-code a window within which email alerts must be sent upon malware detection? And one for the Orchestrator console itself to retrieve data using the Streaming API?
thanks, Chris