smartevent correlation unit problem

portfast · ‎2024-11-22

Hi all, i've been configuring for an event on my smartevent server that detects when 10 address spoofing logs in 20 seconds. But i can't get daily notification mails for specified ip addresses as i want with this settings, am i missing something? thanks,

PhoneBoy · ‎2024-11-22

SmartEvent works with Session logs by default.
For regular rules, you can turn them into Session logs with: https://support.checkpoint.com/results/sk/sk150452

Not sure if you can do this with Anti-Spoofing since that’s a Connection log and there’s no explicit rule.
Might require checking with TAC.

the_rock · ‎2024-11-23

Does evstop; evstart help at all?

Amir_Senn · ‎2024-11-24

The correlated event is generated and the issue is the email notification?

Can you share the automatic reaction you attached to the event?

Kind regards, Amir Senn

portfast · ‎2024-11-24

actually it correlates and sends automatic reaction via email when i install the event policy but never correlates and sends notification again even though it exceeds the treshold values

Amir_Senn · ‎2024-11-27

Is it out of the box event or something new that you created?

Kind regards, Amir Senn

Are you a member of CheckMates?

smartevent correlation unit problem