
SNTC Alerts - specifically PSIRTs not up-to-date

graham.kirtley
Level 1

Hi,

When looking at the Alerts data I note that the PSIRTs listed as being applicable to my networks/devices do not appear to be up-to-date; the latest PSIRTs listed being from 23 March 2016, whereas there are others that are applicable but are not shown?

I now have doubts as to the accuracy and reliability of SNTC to provide the assurance in this area, as it states it should do.

Can someone please confirm:

  • What the timeline should be for any issued alert (PSIRT) to be shown as applicable within SNTC?
  • Are Alerts only listed from what is included within the periodic Software Security Advisory Bundled Publications?


Hi Justin,

I sent you all inventory details, do you have an update on the PSIRT reporting view issue please? I see others in the forum complaining about this and would like to get an update on when the fix is expected.

Thanks

Sandy

Hey Sandy Breeze,

I see there are regular uploads conducted, at least one per week. Are you running complete collections before uploading as well? Device data, such as alerts and coverage info, is updated for devices during the collection process, thus complete collections must be done before uploading to keep the data updated.

Thanks,

Justin

Hi,

The upload job is only triggered after a complete collection run, and that is completing successfully.

Sandy

Sandy,

  Is there a specific PSIRT you are looking for?  I see the Cluster Management one there in All PSIRTs for your account.

Chris

Hi Justin,

Firstly thank you for providing this explanation of the analysis process; it would be beneficial if this was stated in the SNTC supporting documentation.

That said, it is not how I envisaged or hoped the process would work.  The main reason for this is that the dependency on receiving a customer upload in order to trigger the analysis is not ideal.

The statement that the portal will have knowledge of a PSIRT within 24hrs of release is of little use if a customer inventory is only being uploaded once a week.  For many of your customers it is impractical to upload on a daily basis - given the size of our networks ~60K devices.

Whilst I can see the benefit for Cisco in only conducting this activity during the upload process, this will be when the device validation and life-cycle details will be derived.  As these can be viewed as a 'one time' task and are not time sensitive this is fine; but in the case of PSIRT that can be critical with respect to the exposure time, waiting 7 days (given the known delays with processing uploads this can often be 10 days) to obtain the insight into our exposure to a Cisco declared vulnerability is just not acceptable - it is quicker to conduct this manually!

Therefore I would request that this customer inventory/PSIRT analysis is reviewed and ideally changed to provide the analysis in a time frame appropriate to the severity of the alert, independent of the inventory upload.

Kind Regards,

Graham

Graham,

  Wanted to clarify because I think it is misunderstood.  Any alerts (EOX, FN, PSIRT) available to SNTC will be processed against all customers daily, irrespective of receiving a new upload.  If something isn't shown in SNTC portal, it could be caused by:

  • Alert isn't automated yet and not available to SNTC.  Not all FN support automation, only critical & high SIR PSIRTs are automated, etc.  Some alerts come out on very short notice, such as the CMP one a couple weeks ago.  The customers found out about the same time we found out internally.  So those take a little extra time for the automation pieces to be put in place and can be delayed.  But that is usually the exception to the rule.
  • You have no vulnerable devices to an alert
  • Failure in processing

Hope that clarifies.  Are there any alerts you think you should be seeing but you are not?

Hello Chris,

Thanks for the clarification, I'm somewhat more reassured.

Obviously where an alert is not applicable to the inventory I wouldn't expect it to be listed.

Regarding the 'failure in processing' case, I assume that this is a failure in processing the inventory upload; again due to this I'd not be expecting to see an entry for a device that isn't known.

In respect of valid cases, I would expect that an alert is known within SNTC and the impact analysis conducted (on customer inventory) at least within 24 hours of its publication.

Rgds,

Graham
