Raymondn
Contributor

Smart Event from R77.30 to R80.10

Hi there,

I have been using Smart Event on R77.30 for a few years.  Now that I am running the R80.10 Smart Event, I feel lost here.  The Smart Event policy/event configuration is the same, but I feel that the reporting/log feedback is missing.

I am not able to use the new log screen (SmartLog?) to effectively get the Smart Event log I used to get.  There is a "Correlated" report now, but it doesn't give me the level of information I used to get.  Perhaps I don't know how to properly get things set up in R80.10, but even when I try to read the documentation I don't have luck there either.

Let me use this use-case as an example:

Smart Event - "IP sweep from external network".
Under this event, I add a new condition where if the destination is 172.22.0.0/16, with threshold at 50 logs in 60 seconds.  When this condition is triggered, this event would have severity=high, action=block-4-hours and Email-me.

In R77.30, the event log would allow me to see a list of events triggered.  When looking into an event, it showed me info such as the following:

Source = 5.6.7.8
Destination = (a list of IP in 172.22.x.x)
Service = ssh
...
Event Name = "IP sweep from external network"
Log Count = 53
Event Action = block / email

This lets me have a clear picture of how often this event is triggered, who triggered it, and how intensive such scanning is (i.e. 53 SSH scans vs. say 200 SSH scans in 1 minute).  It also confirms to me that my configuration is in use and that the offender would be blocked for x hours.  This feedback would let me tune the event better.

In R80.10, so far I see a Correlated report that provides some info, but not all.  In the new log screen, I can type "IP sweep from external network" as a search and it gives me some info as well.  But I have not figured out a way to get all this info in an efficient and effective manner.

Any comments or feedback here?  Did I overlook something, or is SmartEvent in R80.10 not a focused feature anymore?
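
The correlation the post describes (threshold of 50 logs in 60 seconds from one source into 172.22.0.0/16, summarised as an event with source, destinations, service and log count), written out as an added illustration that is not Check Point's code and not part of the original thread. It assumes log records are plain dicts with `time` (epoch seconds), `src`, `dst` and `service`; the sample input is constructed.

```python
# Added example (not Check Point's code): a minimal correlator reproducing the
# "IP sweep from external network" event summary described in the post.
# Assumed record shape: {"time": epoch_s, "src": ip, "dst": ip, "service": str}.
import ipaddress
from collections import defaultdict

SUBNET = ipaddress.ip_network("172.22.0.0/16")   # destination condition from the post
THRESHOLD = 50                                    # 50 logs ...
WINDOW = 60                                       # ... in 60 seconds
EVENT_NAME = "IP sweep from external network"

def correlate(logs, subnet=SUBNET, threshold=THRESHOLD, window=WINDOW):
    """Group logs by source; raise one event per source whose logs into
    `subnet` reach `threshold` within any `window`-second span."""
    per_src = defaultdict(list)
    for rec in sorted(logs, key=lambda r: r["time"]):
        if ipaddress.ip_address(rec["dst"]) in subnet:
            per_src[rec["src"]].append(rec)
    events = []
    for src, recs in per_src.items():
        start = 0
        for end in range(len(recs)):
            # slide the window start forward until it spans <= `window` seconds
            while recs[end]["time"] - recs[start]["time"] > window:
                start += 1
            if end - start + 1 >= threshold:
                t0 = recs[start]["time"]
                hits = [r for r in recs if t0 <= r["time"] <= t0 + window]
                events.append({
                    "Event Name": EVENT_NAME,
                    "Source": src,
                    "Destination": sorted({r["dst"] for r in hits}),
                    "Service": sorted({r["service"] for r in hits}),
                    "Log Count": len(hits),
                    "Severity": "high",
                    "Event Action": "block 4 hours / email",
                })
                break   # one event per source per window, as in the post's summary
    return events

def sample_logs():
    """Constructed sample: 53 SSH probes in 53 s from 5.6.7.8 into the subnet,
    10 probes from 9.9.9.9 (below threshold), 5 probes to a non-monitored net."""
    logs = [{"time": 1000 + i, "src": "5.6.7.8", "dst": f"172.22.1.{i + 1}",
             "service": "ssh"} for i in range(53)]
    logs += [{"time": 1000 + i, "src": "9.9.9.9", "dst": f"172.22.2.{i + 1}",
              "service": "ssh"} for i in range(10)]
    logs += [{"time": 1000 + i, "src": "5.6.7.8", "dst": f"10.0.0.{i + 1}",
              "service": "ssh"} for i in range(5)]
    return logs
```

Running `correlate(sample_logs())` yields a single event for 5.6.7.8 with Log Count 53 and 53 distinct destinations, matching the summary the post expects to see.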

1 Reply
3e988b80-7dfb-3
Employee Alumnus

Hi,

Can you tell what you are missing in the report?

What does the log card in SmartLog show? Do you see all the different sources?

Eyal
