Raymond Ng

Smart Event from R77.30 to R80.10

Discussion created by Raymond Ng on Nov 2, 2018
Latest reply on Nov 4, 2018 by 3e988b80-7dfb-3ef1-82df-1728623b8cd4

Hi there,

I have been using Smart Event on R77.30 for a few years.  Now that I am running the R80.10 Smart Event, I feel lost here.  The Smart Event policy/event configuration is the same, but I feel that the reporting/log feedback is missing.

I am not able to use the new log screen (SmartLog?) to effectively get the Smart Event's logs I used to get.  There is a "Correlated" report now but it doesn't give me the level of information I used to get.  Perhaps I don't know how to properly get things set up in R80.10, but even when I try to read the documentation I don't have any luck there either.

Let me use this use-case as an example:

Smart Event - "IP sweep from external network".
Under this event, I add a new condition where the destination is 172.22.0.0/16, with a threshold of 50 logs in 60 seconds.  When this condition is triggered, the event would have severity=high, action=block-4-hours and Email-me.

In R77.30, the event log would allow me to see a list of events triggered.  When I look into the event, it shows me info such as the following:

Source = 5.6.7.8
Destination = (a list of IP in 172.22.x.x)
Service = ssh
...
Event Name = "IP sweep from external network"
Log Count = 53
Event Action = block / email

This lets me have a clear picture of how often this event is triggered, who triggered it, and how intensive such scanning is (i.e. 53 SSH scans vs. say 200 SSH scans in 1 minute).  It also confirms to me that my configuration is in use and that the offender would be blocked for x hours.  This feedback would let me tune the event better.

In R80.10, so far I see a Correlated report that provides some info, but not all.  In the new log screen, I can type "IP sweep from external network" as a search and it would give me some info as well.  But I have not figured out a way to get all this info in an efficient and effective manner.

Any comments or feedback here?  Did I overlook something, or is SmartEvent in R80.10 not a focused feature anymore?
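
Added example (not code from the post, and not Check Point's SmartEvent engine): a small Python model of the correlation the event definition above describes, so the fields the poster expects to see in the event (source, destination list, service, log count, action) can be reproduced from raw logs. The threshold (50 logs in 60 seconds), the destination network 172.22.0.0/16, the severity and the actions are taken from the post; the `time=... src=... dst=... service=...` log format, the sample log lines, and the rule that an open event keeps absorbing logs from the same source until it goes quiet for the window length are assumptions of this example.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Event definition from the post: destination 172.22.0.0/16,
# threshold 50 logs in 60 seconds, severity High, block 4 hours + email.
TARGET_NET = ip_network("172.22.0.0/16")
THRESHOLD = 50
WINDOW_SECONDS = 60
EVENT_NAME = "IP sweep from external network"
SEVERITY = "High"
ACTIONS = ("block-4-hours", "email")


@dataclass
class Event:
    """One correlated event, aggregating the logs that produced it."""
    source: str
    first_seen: int
    last_seen: int
    log_count: int = 0
    destinations: set = field(default_factory=set)
    services: set = field(default_factory=set)

    def add(self, rec):
        self.log_count += 1
        self.last_seen = rec["time"]
        self.destinations.add(rec["dst"])
        self.services.add(rec["service"])


def parse_log(line):
    """Parse a constructed 'key=value' log line (assumed format, not real
    fw log / SmartLog output) into the fields the correlation needs."""
    fields = dict(item.split("=", 1) for item in line.split())
    return {"time": int(fields["time"]), "src": fields["src"],
            "dst": fields["dst"], "service": fields["service"]}


def correlate(lines):
    """Correlation unit: per source, keep a sliding window of logs whose
    destination matches the condition. Reaching THRESHOLD logs inside
    WINDOW_SECONDS opens one event; later logs from that source extend it
    while they arrive less than WINDOW_SECONDS apart (assumed aggregation
    rule), so one sweep yields one event carrying the full log count."""
    windows = defaultdict(deque)   # src -> recent matching log records
    open_events = {}               # src -> Event still accumulating logs
    closed = []
    records = sorted((parse_log(l) for l in lines), key=lambda r: r["time"])
    for rec in records:
        if ip_address(rec["dst"]) not in TARGET_NET:
            continue                              # condition not met: ignore
        src = rec["src"]
        ev = open_events.get(src)
        if ev is not None:
            if rec["time"] - ev.last_seen < WINDOW_SECONDS:
                ev.add(rec)
                continue
            closed.append(open_events.pop(src))   # source went quiet: close
        win = windows[src]
        win.append(rec)
        while rec["time"] - win[0]["time"] >= WINDOW_SECONDS:
            win.popleft()                         # expire logs outside the window
        if len(win) >= THRESHOLD:
            ev = Event(source=src, first_seen=win[0]["time"], last_seen=win[0]["time"])
            for r in win:
                ev.add(r)
            open_events[src] = ev
            win.clear()
    closed.extend(open_events.values())           # flush events open at end of input
    return sorted(closed, key=lambda e: e.first_seen)


def summarize(ev):
    """Render an event with the fields the post lists for the R77.30 view."""
    return {
        "Event Name": EVENT_NAME,
        "Source": ev.source,
        "Destination": sorted(ev.destinations, key=ip_address),
        "Service": sorted(ev.services),
        "Log Count": ev.log_count,
        "Severity": SEVERITY,
        "Event Action": " / ".join(ACTIONS),
        "Duration (s)": ev.last_seen - ev.first_seen,
    }


def sample_logs():
    """Constructed sample traffic, not real Check Point log output."""
    logs = []
    for i in range(53):   # 53 SSH probes from 5.6.7.8 across the /16 in 53 s
        logs.append(f"time={1000 + i} src=5.6.7.8 dst=172.22.0.{i + 1} service=ssh")
    for i in range(10):   # 10 probes from 9.9.9.9: below threshold
        logs.append(f"time={1000 + i} src=9.9.9.9 dst=172.22.1.{i + 1} service=ssh")
    for i in range(60):   # 60 probes from 7.7.7.7 spaced 2 s apart: never 50 in 60 s
        logs.append(f"time={1000 + 2 * i} src=7.7.7.7 dst=172.22.2.{i + 1} service=ssh")
    for i in range(100):  # destination outside 172.22.0.0/16: never counted
        logs.append(f"time={1000 + i} src=5.6.7.8 dst=10.0.0.5 service=http")
    return logs


if __name__ == "__main__":
    for ev in correlate(sample_logs()):
        for key, value in summarize(ev).items():
            print(f"{key} = {value}")
```

Running it on the constructed sample produces exactly one event, for 5.6.7.8, with 53 distinct 172.22.x.x destinations and a log count of 53, while the two sources that never reach 50 logs inside a 60-second window and the traffic outside the destination condition produce nothing. Tuning the threshold or window and re-running against exported logs is the kind of feedback loop the post asks for.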
