Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
FirewallGyaan
Contributor

How to Find Who have created SAM rules.

Basically I like to see where details on SAM rule for user/admin who created SAM rules are stored (Not the IPs which are blocked)

I have tried to see Audit Logs, Log, Messaged Files from GW and SMS but no luck. And SAM.DAT fire is Binary file .

 

0 Kudos
6 Replies
the_rock
Legend
Legend

I think audit log should show you that if you search for time frame and rule name.

0 Kudos
FirewallGyaan
Contributor

I did tried to add multiple Selection on Audit logs as you mentioned but no details found . I just tried to reproduce issue in my lab and same no details present anywhere. Please see attachment for Selection criteria.

 

0 Kudos
FirewallGyaan
Contributor

Incase to see issue in detail Please see video : 

https://youtu.be/H4fzfgwFFDQ

0 Kudos
G_W_Albrecht
Legend Legend
Legend

According to sk112061: How to create and view Suspicious Activity Monitoring (SAM) Rules, this is only possible if:

- SAM CLI is used

- fw sam is used with option

-e <key=val>+

Specifies rule information based on the keys and the provided values.
Multiple keys are separated by the plus sign (+).
Available keys are:

  • name - security rule name (limited to 100 characters)
  • comment - security rule comment (limited to 100 characters)
  • originator - security rule originator's username (limited to 100 characters)

so the originator is included

---> So what you want can be achieved if SAM rules are only created by CLI scripts embedding the originator

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
FirewallGyaan
Contributor

@PhoneBoy any suggestions here ?

0 Kudos
PhoneBoy
Admin
Admin

If the commands were set using fw sam on the CLI within the standard clish shell, you'll see evidence of this in /var/log/messages like so:

Sep  1 13:26:13 2022 R8120EA clish[30380]: cmd by admin: Start executing : fw sam ... (cmd md5: 70c66e959afe845950934f11615fff55)
Sep  1 13:26:13 2022 R8120EA clish[30380]: cmd by admin: Processing : fw sam -D (cmd md5: 70c66e959afe845950934f11615fff55)

If it was done in SmartConsole, you might find evidence in the Audit logs in SmartConsole (haven't checked).
If it was done via expert mode, unless you've taken steps to explicitly log commands entered there, or you did something like @G_W_Albrecht pointed you to, that information is not logged anywhere, at least as far as I know.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events