I am not getting anywhere and TAC was unfortunately not able to help either, therefore I hope you can give me hints or a solution.
Is there a way to filter for logs generated by Inspection Settings (this)?
A customer requested the Log Exporting of all Threat Prevention logs and active querying how many logs are created and to look into them once the number of logs exceeds a certain threshold. (The reason and sense behind this is decided by someone above me.)
I configured the LogExporter after sk122323 with "filter-blade-in TP" and everyone was good so far.
Then we started to have a huge difference between SmartConsole/SmartView number of logs (filtering on all TP blades) and the exported number of logs, with the exported being about 10 times as many.
Digging deeper into the logs we found that we had huge amounts of logs created by Inspection Settings (like the ones described in sk36869). But since Inspection Settings are part of the Firewall Access Control Policy, all filters with the Threat Prevention Blades did not return these logs.
Since the Firewall Blade returns a lot of other Drops as well, I was searching for a way to filter on parts of the logs that are only present in the Inspection Settings Logs (like Confidence Level, Severity,...) but that did not work.
Do you have any ideas, hints or tips on how I can filter for these logs?
TAC case only lead to me being told to submit a RFE.
Thanks and BR