When you enable an ePO Automatic Response for events filtered on a Host IPS property, automatic Threat Notification responses on the ePO server might stop working.
NOTE: Only Automatic Responses from the event group ePO Notification Events and event type Threat are affected. The Detected systems and Status responses are not affected.
Orion.log displays the following every minute:
2013-03-01 11:23:57,865 DEBUG [pool-5-thread-1] time.ClockWatcher - checking if system time changed
2013-03-01 11:24:00,535 DEBUG [mfs:pool-2-thread-6] dispatcher.NotificationDispatcherInternalTask - NotificationDispatcherInternalTask Running...
2013-03-01 11:24:00,535 INFO [mfs:pool-2-thread-6] dispatcher.ThreatNotification - BEGIN Defined at Notification: 1362137040535
2013-03-01 11:24:00,542 ERROR [mfs:pool-2-thread-6] dispatcher.ThreatNotification - Error processing notification. Operation aborted.
com.mcafee.orion.core.query.sexp.SerializationException: Reference to unknown table:epoThreatEvent
at com.mcafee.orion.core.query.QueryEnvironment.getTable(QueryEnvironment.java:164)
at com.mcafee.orion.core.query.QueryEnvironment.cacheColumn(QueryEnvironment.java:120)
at com.mcafee.orion.core.query.QueryEnvironment.getColumnInfo(QueryEnvironment.java:90)
at com.mcafee.orion.core.query.sexp.SexpProp.toSql(SexpProp.java:174)
at com.mcafee.orion.core.query.sexp.ops.SexpIsBlank.toSql(SexpIsBlank.java:57)
at com.mcafee.orion.core.query.sexp.ops.SexpUnaryOperator.toSql(SexpUnaryOperator.java:38)
at com.mcafee.orion.core.query.sexp.ops.SexpNegationOperator.toSql(SexpNegationOperator.java:79)
at com.mcafee.orion.core.query.sexp.SexpList.makeSql(SexpList.java:244)
at com.mcafee.orion.core.query.sexp.ops.SexpBooleanOperator.toSql(SexpBooleanOperator.java:38)
at com.mcafee.orion.core.query.sexp.SexpList.makeSql(SexpList.java:244)
at com.mcafee.orion.core.query.sexp.ops.SexpBooleanOperator.toSql(SexpBooleanOperator.java:38)
at com.mcafee.orion.core.query.sexp.SexpList.makeSql(SexpList.java:244)
at com.mcafee.orion.core.query.sexp.ops.SexpBooleanOperator.toSql(SexpBooleanOperator.java:38)
at com.mcafee.orion.core.query.sexp.ops.SexpWhere.toSql(SexpWhere.java:52)
at com.mcafee.orion.core.query.QueryBuilder.makeQuery(QueryBuilder.java:301)
at com.mcafee.orion.core.query.QueryBuilder.makeQuery(QueryBuilder.java:252)
at com.mcafee.orion.core.query.QueryBuilder.getQuerySQL(QueryBuilder.java:226)
at com.mcafee.orion.core.query.QueryBuilder.getQuerySQL(QueryBuilder.java:83)
at com.mcafee.epo.notifications.dispatcher.ThreatNotification.makeWhereClause(ThreatNotification.java:257)
at com.mcafee.epo.notifications.dispatcher.DefinedAtNotification.execute(DefinedAtNotification.java:46)
at com.mcafee.epo.notifications.dispatcher.NotificationDispatcherService.fireAllEvents(NotificationDispatcherService.java:20)
at com.mcafee.epo.notifications.dispatcher.NotificationDispatcherInternalTask.run(NotificationDispatcherInternalTask.java:34)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:441)
at java.util.concurrent.FutureTask$Sync.innerRunAndReset(FutureTask.java:317)
at java.util.concurrent.FutureTask.runAndReset(FutureTask.java:150)
at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$101(ScheduledThreadPoolExecutor.java:98)
at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.runPeriodic(ScheduledThreadPoolExecutor.java:180)
at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:204)
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
at java.lang.Thread.run(Thread.java:662)
2013-03-01 11:24:00,543 INFO [mfs:pool-2-thread-6] dispatcher.ThreatNotification - END Defined at Notification: 1362137040543
