Hi CheckMates,
We're using custom IOC feeds to block malicious IP's / domain names / URL's / file hashes etc. via the AV blade. This works very well, however I'm unable to get SmartEvent to fire an alert when traffic is blocked.
This is how the event card looks in SmartView:
I'm trying to construct an Event Filter in SmartEvent and I've configured it as per below:
Event Product: Check Point Anti-Virus
Log Fields: indicator_name Equal InfinitySOC_Prevent_https
Match: All Conditions
Count Logs: a single log
Event Format: indicator_name checked
GUI representation: Threshold section ticked
To my mind this should be correct, but still I can't get notifications to fire. Any suggestions?
Hi Ruan,
I don't know about SmartEvent, but assuming you're using Infinity NDR to manage your IOC feeds and analyze your logs, you can configure a notification using the SmartEvent filter language. For example, the following notification was defined on the Infinity NDR TechPoint demo, triggering on at least 5 indicator matches in a 24 hour period:
| User | Count |
|---|---|
| 14 | |
| 5 | |
| 5 | |
| 4 | |
| 4 | |
| 3 | |
| 3 | |
| 2 | |
| 2 | |
| 2 |
Fri 10 Jan 2025 @ 10:00 AM (CET)
CheckMates Live Netherlands - Sessie 32: Infinity External Risk Management (CyberInt)Fri 10 Jan 2025 @ 10:00 AM (CET)
CheckMates Live Netherlands - Sessie 32: Infinity External Risk Management (CyberInt)
