Alex-
Advisor

Incident Viewed in audit logs by WEB_API

SMS R81.10 Take 81.
The audit log is filled with Incident Viewed entries by WEB_API.
There's no DLP or 3rd-party API connecting to the SMS, but SmartEvent is active.
The closest WEB_API information I found is sk179685 but it's not matching these events.

Here's an example of log. Is there somewhere a description of this activity?

Time: 2023-01-12T18:00:40Z
Id: 0a16fa71-c926-bc13-63c0-4ac866e50000
Sequencenum: 1
Operation: Incident Viewed
Administrator: WEB_API
Machine: 127.0.0.1
Subject: Logging
General Information: Administrator: WEB_API; Incident: time1673544661.id2<xxxx>.blade02; gateway: <name_of_gateway>
Operation Number: 58
Client IP: 127.0.0.1
Sendtotrackerasadvancedauditlog:0
Type: Audit
Application: WEB_API
Origin: <SMS_NAME>
Product Family: Network
Marker: @A@@B@1673478001@C@178
Log Server Origin: <SMS_IP>
Origin Log Server IP: <SMS_IP>
Severity: Informational
Stored: true

0 Kudos
9 Replies
PhoneBoy
Admin

(1)
Alex-
Advisor

The SK I mentioned is not about the same message. The Incident Viewed messages keep happening in that particular installation quite frequently; I don't see it anywhere else. If it's related, the SK should be expanded to include WEB_API functions, as for now the customer might be inclined to think there are issues with their systems.

[image: incidentviewed.png]

0 Kudos
PhoneBoy
Admin

Please open a TAC case and have them investigate to ensure it's the same issue.

0 Kudos
Alex-
Advisor

That's what I did; initial investigations point to DLP, which is not and has never been used in that setup.

I will update this post when there are more findings.

0 Kudos
the_rock
Legend

Yeah, definitely keep us posted how this ends up and what TAC tells you.

0 Kudos
Noa_Moe
Participant

I have the same issue, and it is more that it is filling logs with info we don't want. Can we turn off logging just for the administrator WEB_API?

0 Kudos
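Before filtering these entries out wholesale, it is worth checking that every one of them actually matches the pattern quoted in the original post (Administrator and Application both WEB_API, Operation "Incident Viewed", Machine and Client IP both loopback). The script below is an added example, not code from this thread or from Check Point: it parses the flat "Key: Value" record layout shown in the question, suppresses only records that match that exact local pattern, and keeps everything else for review, so that a WEB_API record arriving from a non-loopback address is not silently discarded. The three sample records are constructed for the example (field names follow the quoted record; the non-loopback addresses are documentation ranges).

```python
"""Triage Check Point SMS audit records of the kind quoted in this thread.

Added example (not from the thread or Check Point): parses the flat
"Key: Value" audit record format shown in the question, then separates the
local WEB_API "Incident Viewed" noise from any record that does NOT match
that pattern, so the latter can be reviewed instead of filtered away.
"""
from __future__ import annotations

from collections import Counter
from ipaddress import ip_address

# Constructed sample: three records in the layout quoted in the question.
# Record 1 matches the benign local pattern; record 2 is the same operation
# from a non-loopback address; record 3 is an unrelated login record.
SAMPLE_RECORDS = """\
Time: 2023-01-12T18:00:40Z
Id: 0a16fa71-c926-bc13-63c0-4ac866e50000
Operation: Incident Viewed
Administrator: WEB_API
Machine: 127.0.0.1
Subject: Logging
Client IP: 127.0.0.1
Type: Audit
Application: WEB_API
Severity: Informational

Time: 2023-01-12T18:01:10Z
Id: 0a16fa71-c926-bc13-63c0-4ac866e50001
Operation: Incident Viewed
Administrator: WEB_API
Machine: 192.0.2.10
Subject: Logging
Client IP: 192.0.2.10
Type: Audit
Application: WEB_API
Severity: Informational

Time: 2023-01-12T18:02:00Z
Id: 0a16fa71-c926-bc13-63c0-4ac866e50002
Operation: Log In
Administrator: admin
Machine: 198.51.100.7
Subject: Administrator Login
Client IP: 198.51.100.7
Type: Audit
Application: SmartConsole
Severity: Informational
"""


def parse_records(text: str) -> list[dict[str, str]]:
    """Split blank-line-separated records into dicts.

    Splits each line on the first ': ' only, so values that themselves contain
    colons (timestamps, the 'General Information' field) are kept intact.
    """
    records: list[dict[str, str]] = []
    current: dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        key, sep, value = line.partition(": ")
        if sep:
            current[key.strip()] = value.strip()
    if current:
        records.append(current)
    return records


def is_local_webapi_noise(rec: dict[str, str]) -> bool:
    """True only for the exact pattern described in the thread: 'Incident Viewed'
    by the WEB_API administrator/application from the loopback address.
    Any deviation (other operation, other application, non-loopback client)
    is deliberately NOT treated as noise."""
    try:
        client_local = ip_address(rec.get("Client IP", "")).is_loopback
        machine_local = ip_address(rec.get("Machine", "")).is_loopback
    except ValueError:  # missing or malformed address field
        return False
    return (
        rec.get("Operation") == "Incident Viewed"
        and rec.get("Administrator") == "WEB_API"
        and rec.get("Application") == "WEB_API"
        and client_local
        and machine_local
    )


def triage(text: str) -> tuple[Counter, list[dict[str, str]]]:
    """Return (count of suppressed noise per (administrator, operation),
    records kept for human review)."""
    suppressed: Counter = Counter()
    keep: list[dict[str, str]] = []
    for rec in parse_records(text):
        if is_local_webapi_noise(rec):
            suppressed[(rec["Administrator"], rec["Operation"])] += 1
        else:
            keep.append(rec)
    return suppressed, keep


if __name__ == "__main__":
    noise, review = triage(SAMPLE_RECORDS)
    for (admin, op), n in noise.items():
        print(f"suppressed {n} x '{op}' by {admin} from loopback")
    for rec in review:
        print(f"REVIEW {rec['Time']} {rec['Administrator']} {rec['Operation']} "
              f"from {rec['Client IP']}")
```

Running it on an export of the real audit log (one blank line between records) gives a count of the benign loopback entries and a list of anything that does not fit the pattern; a WEB_API "Incident Viewed" record from an address other than 127.0.0.1 would land in the review list, which is the case worth raising with TAC rather than filtering.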
PhoneBoy
Admin

Not that I'm aware of.
Having said that, perhaps the TAC might be able to offer something: https://help.checkpoint.com 

Alex-
Advisor

Do you have a Log Exporter? I did a TAC case for this at the time, but I got referred to the WEB_API Log In/Log Out SK and, given the workload, didn't have the time to dig in; but since the later SMS updates this log doesn't appear anymore where it used to.

0 Kudos
the_rock
Legend

@PhoneBoy is right. Had a case like that with TAC once and that's exactly what they provided, also after consulting with R&D.

0 Kudos