This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Daniel_Taney
Advisor
‎2017-12-04 11:50 AM

Custom Report In R80.10 SmartEvent

I am trying to create a customized version of the canned "Threat Prevention" report that focuses only on a specific network group. However, I'm getting an odd result as soon as I try to add the "Source" filter to the "Global" Filter.

To accomplish this, I cloned the supplied "Threat Prevention" report and gave it a different name. Then, I edited the report, and began to modify the Global Filters to drill down on the specific traffic I wanted. The first filter limits the traffic to a single Gateway Cluster based on "Origin". This filter works as expected. With just this filter applied, I still see data appearing in the report.

Then, I try to add on another filter setting "Source" equals "<name of network group object>". As soon as I add this filter and apply, all the data from the report vanishes and is replace with "Query Failed". Oddly, I am able to remove the "Source" filter and instead add "src:<name of network group object>" to the search filter bar at the top and that works. I see exactly the data I want filtered in the report. 

However, we need this report scheduled and run daily. So, I don't want to have to rely on manual generation of this report. Does anyone have any idea what I might be doing wrong? We presently have this same report running in Smart Event NGSE using the same filter logic. Any assistance is greatly appreciated!

R80 CCSA / CCSE
5 Replies
PhoneBoy
Admin
Admin
‎2017-12-04 09:36 PM

I'm inclined to think this is a bug and you should open a TAC case.

Contact Support | Check Point Software 

0 Kudos
Kfir_Dadosh
Collaborator
‎2017-12-05 03:17 PM

Indeed seems like a bug.

You can try to work around it, by selecting "custom filter" in the filter field, and use the same query syntax as you would in the search bar, i.e. src:<group name>

Daniel_Taney
Advisor
‎2017-12-06 08:07 AM
In response to Kfir_Dadosh

Thanks for the feedback. I'll give this a shot today and will likely open a case with TAC regardless.

R80 CCSA / CCSE
0 Kudos
Kaland
Contributor
‎2018-03-22 03:13 AM
In response to Daniel_Taney

Hi, 

Did you open a TAC case on this issue? And if, did you get a answer for this? I'm experiencing the same thing on NGSE edition, and I can't upgrade to R80.10 because of a MultiDomain log limitation. 

When trying to add source field to any of my scheduled reports, no data is visible in the report. Data is visible in report preview, just not in the scheduled report 

0 Kudos
Daniel_Taney
Advisor
‎2018-03-22 05:23 AM
In response to Kaland

The short answer is that I never did open a TAC case for the issue. I just used the workaround suggested by creating the custom filter. 

R80 CCSA / CCSE
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events