https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/i-ingested-the-checkpoint-firewall-logs-into-cortex-xdr-now-what/m-p/597926#M7184 <P>Hi,</P> <P>&nbsp;</P> <P>Some time ago I connected the CheckPoint Firewalls with Cortex XDR and I can now see the alerts from the Cortex console.</P> <P>&nbsp;</P> <P>My question is, what should I do now with the alerts? Since the FW is generating more than 100 incidents a day.<BR />I had created an exclusion rule for the incidents that are registered as blocked, but this made me lose visibility since the alerts were no longer generated. Therefore I had to remove the exclusion.</P> <P>&nbsp;</P> <P>What do I do with so many incidents generated? How can I manage them better?</P> <P>&nbsp;</P> <P><LI-PRODUCT title="Cortex XDR" id="Cortex_XDR"></LI-PRODUCT></P> Mon, 16 Sep 2024 19:46:04 GMT Rolando_Pena 2024-09-16T19:46:04Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/i-ingested-the-checkpoint-firewall-logs-into-cortex-xdr-now-what/m-p/597926#M7184 <P>Hi,</P> <P>&nbsp;</P> <P>Some time ago I connected the CheckPoint Firewalls with Cortex XDR and I can now see the alerts from the Cortex console.</P> <P>&nbsp;</P> <P>My question is, what should I do now with the alerts? Since the FW is generating more than 100 incidents a day.<BR />I had created an exclusion rule for the incidents that are registered as blocked, but this made me lose visibility since the alerts were no longer generated. Therefore I had to remove the exclusion.</P> <P>&nbsp;</P> <P>What do I do with so many incidents generated? How can I manage them better?</P> <P>&nbsp;</P> <P><LI-PRODUCT title="Cortex XDR" id="Cortex_XDR"></LI-PRODUCT></P> Mon, 16 Sep 2024 19:46:04 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/i-ingested-the-checkpoint-firewall-logs-into-cortex-xdr-now-what/m-p/597926#M7184 Rolando_Pena 2024-09-16T19:46:04Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/i-ingested-the-checkpoint-firewall-logs-into-cortex-xdr-now-what/m-p/598006#M7194 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/323299">@Rolando_Pena</a>&nbsp;</P> <P>&nbsp;</P> <P>Thanks for reaching out on LiveCommunity!</P> <P>Please identify the alert source and module which is generating alerts by filtering on these fields in alerts table. If these alerts are generated by analytics then investigate the alerts and resolve the incidents according to findings. Marking an incident as true positive or false positive helps analytics engine to improve its detections.</P> <P>If alerts are detecting legitimate behaviour then try to create exception/exclusion based on artefacts for the particular XDR module which is generating alerts.</P> <P>If alerts are generated by Checkpoint firewall directly then you need to do tuning on Checkpoint side as well.</P> <P>&nbsp;</P> <P>Please refer to below link on our Alert tuning webinars.</P> <P><A href="https://live.paloaltonetworks.com/t5/cortex-xdr-webinars/cortex-xdr-customer-success-webinar-series-part-1-alert-tuning/ta-p/584842" target="_blank">https://live.paloaltonetworks.com/t5/cortex-xdr-webinars/cortex-xdr-customer-success-webinar-series-part-1-alert-tuning/ta-p/584842</A></P> <P>&nbsp;</P> <P>Please c<SPAN>lick&nbsp;</SPAN><STRONG>Accept as Solution</STRONG><SPAN>&nbsp;to acknowledge that the answer to your question has been provided.</SPAN></P> <P>&nbsp;</P> <P>&nbsp;</P> Tue, 17 Sep 2024 14:42:58 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/i-ingested-the-checkpoint-firewall-logs-into-cortex-xdr-now-what/m-p/598006#M7194 nsinghvirk 2024-09-17T14:42:58Z