TechTalk:
New MITRE ATT&CK Extension
CheckMates Go:
MITRE Engenuity ATT&CK Evaluation Part 1
May The Fourth
CloudMates Live Show
The Premiere Event for Transforming Enterprises
to the Hybrid Data Center
Check Point Named in Gartner Market
Guide for Mobile Threat Defense 2021
End of Support Policy Update
For R80.10 Release
Nicholas_Flood
Customer upgraded from R77.30 to R80. Previously, when they add a Global Exclusion in SmartEvent > Policy > Event Policy > Global Exclusions they get asked if they want to run this exception on all previous events as well. Afterwards or from there after, no events matching that criteria show up in SmartEvent. After upgrade, no asking or notification is done. They confirmed that events show up in SmartEvent but mentioned that a custom script that is supposed to email alerts when traffic is detected instead of prevented, doesn't appear to get engaged by the excluded traffic. Likewise, we're confirming that when reports are generated, they don't include any traffic from the exclusions either.
So my question is, did global exclusion in R80 SmartEvent change? Do we still see exclusion traffic in SmartEvent but not past this? Do alerts/reports/etc not "see" the exclusion traffic?
Little extra, I noticed that when we filter for "todays" events, we see what looks like 24 hours worth of events. Does "today" filter by the date or 24 hours within that day and the wording "today" is a little inaccurate?
Shahaf_Alfasi
Global exclusion still working in R80, but like in R77 global exclusion is only for Events that were crated by the correlation unit and defined in the SmartEvent policy.
R80 SmartEvent introduce new log and event engine and while R77.30 SmartEvent shows only events that were created by the correlation unit R80 SmartEvent shows logs and events.
While this change make SmartEvent more easy to use, powerful and gave new abilities to system administrator it also introduce some limitations like the limitation you describe that user can't define global exclusion on logs. We are familiar with these limitation and working hard to provide a solution for R80.10
Regarding 'Today' time frame today time frame should show you logs from 00:00:00 the same day if you see logs before 00:00:00 it is a bug and I suggest you'll contact Nir Barel from R&D to investigate it
Shahaf
Shahaf_Alfasi
Global exclusion still working in R80, but like in R77 global exclusion is only for Events that were crated by the correlation unit and defined in the SmartEvent policy.
R80 SmartEvent introduce new log and event engine and while R77.30 SmartEvent shows only events that were created by the correlation unit R80 SmartEvent shows logs and events.
While this change make SmartEvent more easy to use, powerful and gave new abilities to system administrator it also introduce some limitations like the limitation you describe that user can't define global exclusion on logs. We are familiar with these limitation and working hard to provide a solution for R80.10
Regarding 'Today' time frame today time frame should show you logs from 00:00:00 the same day if you see logs before 00:00:00 it is a bug and I suggest you'll contact Nir Barel from R&D to investigate it
Shahaf
About CheckMates
Learn Check Point
Advanced Learning
WELCOME TO THE FUTURE OF CYBER SECURITY