This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
jcallahan
Explorer
‎2021-06-15 07:54 AM

SmartEvent alerting on logs that don't match filter?

I have defined some events in SmartEvent to get alerted when IPS sees traffic that matches a protection that is still staged and not prevented. However, I am getting alerted on traffic that appears to have been prevented by the blade. That does not match what I put in the filter. Any insight on why the traffic is generating an event? I have attached a sample traffic and my defined event.

 

 

Traffic.JPG
Preview file
27 KB
Event.JPG
Preview file
63 KB
0 Kudos
3 Replies
PhoneBoy
Admin
Admin
‎2021-06-17 11:21 AM

Are both of those IPS events generating alerts?
We would have to see the log card on both to comment further (mask sensitive data if required).

0 Kudos
jcallahan
Explorer
‎2021-06-18 07:04 AM
In response to PhoneBoy

I believe just the correlated log is the one firing off the alert. It makes sense to me that the severity is 4 and the action is blank, so therefore it is NOT prevent. That would make it match the criteria that SmartEvent is looking for. If that's the case, I might have to filter out correlated logs.

Card.JPG
Preview file
162 KB
0 Kudos
PhoneBoy
Admin
Admin
‎2021-06-20 06:08 PM
In response to jcallahan

That also makes sense to me as well. 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    Top