Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Joe_Hillenbrand
Explorer

How to tell how long a Rule has been disabled

Is there a way through the clash or GUI to tell how long a rule in a policy package has been disabled or even unused?

0 Kudos
4 Replies
Joe_Hillenbrand
Explorer

clish.  not clash.

0 Kudos
PhoneBoy
Admin
Admin

TL;DR: No.

You would have to look at the audit logs to see when a given rule was disabled.

Not sure the hit counts are exposed via the API, but even then it wouldn't show you the last time the rule was hit.

0 Kudos
AlekseiShelepov
Advisor

In the name of the topic you ask how to check when a rule was disabled, but below you ask about a policy package. Then you ask how to check when it was disabled or when was the last hit. It is a bit difficult to understand what exactly information you need.

I assume that you need to check when a rule was disabled in a policy and by GUI you mean one of SmartConsole applications and not Gaia web-interface.

On R77.30:

SmartDashboard > Right mouse click on the rule > Copy Rule UID

SmartView Tracker > Management tab > Paste UID into filter

On R80.10:

SmartConsole > Security Policies tab > Choose the rule > Check in History tab below

or 

SmartConsole > Security Policies tab > Right mouse click on the rule > Copy Rule UID

SmartConsole >  Logs & Monitor tab > New tab > Open Audit Log View > Paste UID in search

0 Kudos
Joe_Hillenbrand
Explorer

Apparently using the logging on 77.10-20 for Rule UID is process intensive and big organizations like ours do not use. it.  Thanks for the help.  R80.10 + will help some

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events