One thing we do is try to see what rules are being hit the most or taking up the majority of the bandwidth of our Gateways. Originally with the OPSEC LEA, we were able to search this in the exported logs using the "match_table_rule_name" field since it gave us the results on the matches, whether they were rules inside inline layers or not. They would be formatted like this:
- match_table_rule_name: "Allow all DNS from internal DNS servers"
- match_table_rule_name: "Inline layer for production anonymization blocking(+)Allow from production Windows servers to patching endpoints"
Now using Log Exporter, these values are split to make a multi-valued field so that when we search by "rule_name" we get two values. The above values now appear like this:
- rule_name:
  - "Allow all DNS from internal DNS servers"
  - "Allow all DNS from internal DNS servers"
- rule_name:
  - "Inline layer for production anonymization blocking"
  - "Allow from production Windows servers to patching endpoints"
This is making our searching more complicated and we're not entirely sure that we're getting all of the results back that we want to without unintentionally including too much/too little information.
The same can be said for other fields and values from the match_table.
We're currently on R80.40 Take 156.
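As an added example (not from the original post and not Check Point's own tooling), here is one way to search both export formats consistently: collapse the Log Exporter multi-valued `rule_name` back into the single `match_table_rule_name` string the post shows, so hit counts and searches distinguish a top-level rule from a rule matched inside an inline layer. It assumes the exported records have already been parsed into Python dicts (e.g. from Log Exporter's JSON output), that `rule_name` arrives as a list, that the inline-layer separator is the literal `(+)` from the post, and that a non-inline match repeats the same name twice as the post describes; the sample records are constructed from the post's two rule names.

```python
"""Normalise Check Point rule-name fields across OPSEC LEA and Log Exporter.

Assumptions (not from the original post):
  - records are dicts; OPSEC LEA exports carry "match_table_rule_name" as a
    single string, Log Exporter exports carry "rule_name" as a list of strings
  - inline-layer matches are joined with the literal "(+)" separator
  - a non-inline match is exported as the same rule name repeated
"""
from collections import Counter

SEPARATOR = "(+)"

# Constructed sample records mirroring the two rule names in the post.
SAMPLE_RECORDS = [
    {"match_table_rule_name": "Allow all DNS from internal DNS servers"},
    {"match_table_rule_name": "Inline layer for production anonymization blocking"
                              "(+)Allow from production Windows servers to patching endpoints"},
    {"rule_name": ["Allow all DNS from internal DNS servers",
                   "Allow all DNS from internal DNS servers"]},
    {"rule_name": ["Inline layer for production anonymization blocking",
                   "Allow from production Windows servers to patching endpoints"]},
]


def rule_path(record):
    """Return the matched rule path as a list.

    [top_rule]                      for a match on a top-level rule
    [inline_layer_rule, sub_rule]   for a match inside an inline layer
    """
    if "match_table_rule_name" in record:
        return record["match_table_rule_name"].split(SEPARATOR)
    values = record.get("rule_name", [])
    if isinstance(values, str):
        values = [values]
    # Log Exporter repeats the name for a non-inline match (per the post).
    # Caveat: an inline layer whose sub-rule has exactly the same name as the
    # layer rule is indistinguishable from that case and is collapsed too.
    if values and all(v == values[0] for v in values):
        return [values[0]]
    return list(values)


def legacy_rule_name(record):
    """Rebuild the OPSEC LEA style single-string form."""
    return SEPARATOR.join(rule_path(record))


def is_inline_layer_match(record):
    return len(rule_path(record)) > 1


def count_hits(records):
    """Hits per full rule path, so a rule inside an inline layer is not
    conflated with a top-level rule that happens to share its name."""
    return Counter(legacy_rule_name(r) for r in records if rule_path(r))


def search_rule(records, name, top_level_only=False):
    """Records whose rule path contains `name`.

    A naive search on the multi-valued field matches any position in the
    path; top_level_only restricts it to the first element, which is what
    a search on the old match_table_rule_name effectively did for rules
    outside inline layers.
    """
    hits = []
    for r in records:
        path = rule_path(r)
        if not path:
            continue
        if (path[0] == name) if top_level_only else (name in path):
            hits.append(r)
    return hits


if __name__ == "__main__":
    for path, n in count_hits(SAMPLE_RECORDS).most_common():
        print(f"{n:4d}  {path}")
```

Running the module prints the per-rule-path hit counts for the sample records; in practice `SAMPLE_RECORDS` would be replaced by the parsed export, and `top_level_only=True` is the switch that stops a search for a sub-rule name from also returning every inline-layer parent it sits under.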