topic Re: SmartEvent Alert emails missing details in Firewall and Security Management

SmartEvent Alert emails missing details

biskit — Wed, 27 Apr 2022 11:47:31 GMT

I've enabled Anti-Bot email alerts in SmartEvent - all default settings, as follows:

The email alerts I get have very little detail in them. They don't contain any source/destination/attack details, so the emails are zero use to me. E.g:

However the corresponding log card for the issue contains all of the detail, as expected. E.g:

Does anyone know why the emails don't contain the same detail as the logs? Or how to fix it to make the emails useful?

Re: SmartEvent Alert emails missing details

MikeB — Wed, 27 Apr 2022 16:57:57 GMT

Maybe you can try with this sk68020: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk68020

Re: SmartEvent Alert emails missing details

biskit — Thu, 28 Apr 2022 10:12:25 GMT

Thanks for your suggestion. I don't think this is relevant though as it isn't only the username missing - it's all information 😕

Re: SmartEvent Alert emails missing details

Tomer_Noy — Thu, 28 Apr 2022 12:34:17 GMT

I have a hunch for you to try...

The email that you showed has "Log ID = 2000" and "Type = Correlated". That means that the automatic reaction was triggered on a correlated log, instead of on the original Anti-Bot log. The correlated log has only partial information, not the full info of the original log.

Correlated logs aren't meant to be used for automatic reactions or further correlation (it can become recursive...). That's why in SmartEvent Event Policy there is a definition for "Global Exclusions" and the default is to exclude events with "Log ID = 2000" (see screenshot).

Is it possible that you deleted this default filter or deactivated it?

Re: SmartEvent Alert emails missing details

biskit — Thu, 28 Apr 2022 13:15:08 GMT

Hi Tomer, unfortunately that Log ID 2000 rule is already there...

Re: SmartEvent Alert emails missing details

Jarvis_Lin — Thu, 28 Apr 2022 17:49:17 GMT

I have same issue, the mail alert didn't show detail information, could not provide useful info.

Re: SmartEvent Alert emails missing details

shovalm — Sun, 01 May 2022 18:06:39 GMT

Hi @biskit ,

Per the attached screenshot, the "Log Count" value is 1, which means that the correlated event was created by a single update that doesn’t contain all relevant data as the unified log.

My suggestion is to modify the advanced settings of "Bot Incident" event, so the event will kept opened for couple seconds before sending the mail, then we will have more data in the email.
For example :

Let me know if it resolve the issue for you.

Re: SmartEvent Alert emails missing details

Chris_Atkinson — Sun, 01 May 2022 23:43:03 GMT

sk105300 describes a situation that might be worth checking further if you've not already.

Re: SmartEvent Alert emails missing details

biskit — Mon, 02 May 2022 08:30:16 GMT

Hi @shovalm and @Chris_Atkinson, thanks for your suggestions. Neither seem to apply though. See below. The filter is already set on the custom alert... And originally the Log Count was set to 39600 by default. Last night I changed this to 10 as suggested above. As you can see though, I'm still getting emails this morning with no detail in them, and see the times too - it's not like I'm getting a bunch of emails all at the same time, each containing a different bit of the information...

Re: SmartEvent Alert emails missing details

shovalm — Mon, 02 May 2022 12:11:36 GMT

@biskit we want to investigate the issue further, can you please contact Checkpoint support and open a service request for it ?

Re: SmartEvent Alert emails missing details

biskit — Mon, 02 May 2022 13:41:32 GMT

Hi @shovalm, yes of course. I've already got an SR open and a remote session scheduled... I often just post on CheckMates at the same time as I often get faster and more varied responses 😁

Re: SmartEvent Alert emails missing details

Jarvis_Lin — Sat, 14 May 2022 15:34:15 GMT

After trying anything. I gave up set mail alert at SmartEvent.

I wrote a mail alert script and set track action to User Defined at rule and at global properties mail alert.

look like below, it has better visibility than original. I think RD can try to make original mail alert look more better.

Re: SmartEvent Alert emails missing details

George_Casper — Wed, 01 Jun 2022 19:02:02 GMT

Any resolution to this issue? I figured I'd post here and open a SR to see which gets a faster response. Just upgraded management R80.40 from Jumbo 139 to Jumbo 158 and the bot/virus auto-reaction emails are now all blank source/destination IP's immediately following. Didn't update the gateways to jumbo 158 just yet.

Re: SmartEvent Alert emails missing details

Karen_Askelson — Mon, 26 Sep 2022 19:32:35 GMT

Hi bisket, did you ever get a resolution on this from Support? I'm having the same issue on R81.