This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Nicholas_Flood
Employee Alumnus
Employee Alumnus
‎2016-04-27 07:09 PM
Jump to solution

global exclusions

Customer upgraded from R77.30 to R80. Previously, when they add a Global Exclusion in SmartEvent > Policy > Event Policy > Global Exclusions they get asked if they want to run this exception on all previous events as well. Afterwards or from there after, no events matching that criteria show up in SmartEvent. After upgrade, no asking or notification is done. They confirmed that events show up in SmartEvent but mentioned that a custom script that is supposed to email alerts when traffic is detected instead of prevented, doesn't appear to get engaged by the excluded traffic. Likewise, we're confirming that when reports are generated, they don't include any traffic from the exclusions either.

So my question is, did global exclusion in R80 SmartEvent change? Do we still see exclusion traffic in SmartEvent but not past this? Do alerts/reports/etc not "see" the exclusion traffic?

Little extra, I noticed that when we filter for "todays" events, we see what looks like 24 hours worth of events. Does "today" filter by the date or 24 hours within that day and the wording "today" is a little inaccurate?

0 Kudos
1 Solution

Accepted Solutions
Shahaf_Alfasi
Employee Alumnus
Employee Alumnus
‎2016-05-05 08:40 AM
Jump to solution

Global exclusion still working in R80, but like in R77 global exclusion is only for Events that were crated by the correlation unit and defined in the SmartEvent policy.

R80 SmartEvent introduce new log and event engine and while R77.30 SmartEvent shows only events that were created by the correlation unit R80 SmartEvent shows logs and events.

While this change make SmartEvent more easy to use, powerful and gave new abilities to system administrator it also introduce some limitations like the limitation you describe that user can't define global exclusion on logs. We are familiar with these limitation and working hard to provide a solution for R80.10

Regarding 'Today' time frame today time frame should show you logs from 00:00:00 the same day if you see logs before 00:00:00 it is a bug and I suggest you'll contact Nir Barel from R&D to investigate it

Shahaf

View solution in original post

0 Kudos
1 Reply
Shahaf_Alfasi
Employee Alumnus
Employee Alumnus
‎2016-05-05 08:40 AM
Jump to solution

Global exclusion still working in R80, but like in R77 global exclusion is only for Events that were crated by the correlation unit and defined in the SmartEvent policy.

R80 SmartEvent introduce new log and event engine and while R77.30 SmartEvent shows only events that were created by the correlation unit R80 SmartEvent shows logs and events.

While this change make SmartEvent more easy to use, powerful and gave new abilities to system administrator it also introduce some limitations like the limitation you describe that user can't define global exclusion on logs. We are familiar with these limitation and working hard to provide a solution for R80.10

Regarding 'Today' time frame today time frame should show you logs from 00:00:00 the same day if you see logs before 00:00:00 it is a bug and I suggest you'll contact Nir Barel from R&D to investigate it

Shahaf

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events
    li.common.scroll-to.top