I ingested the Checkpoint firewall logs into Cortex XDR, now what should I do?

L1 Bithead

Hi,

Some time ago I connected the CheckPoint firewalls with Cortex XDR, and I can now see the alerts from the Cortex console.

My question is, what should I do now with the alerts, since the FW is generating more than 100 incidents a day?
I had created an exclusion rule for the incidents that are registered as blocked, but this made me lose visibility, since the alerts were no longer generated. Therefore I had to remove the exclusion.

What do I do with so many incidents generated? How can I manage them better?

 

Cortex XDR

1 REPLY 1

L4 Transporter

Hello @Rolando_Pena

Thanks for reaching out on LiveCommunity!

Please identify the alert source and module that is generating the alerts by filtering on these fields in the alerts table. If the alerts are generated by analytics, then investigate the alerts and resolve the incidents according to your findings. Marking an incident as a true positive or false positive helps the analytics engine improve its detections.

If the alerts are detecting legitimate behaviour, then try to create an exception/exclusion based on artefacts for the particular XDR module that is generating the alerts.

If the alerts are generated by the Checkpoint firewall directly, then you need to do tuning on the Checkpoint side as well.

Please refer to the link below to our alert tuning webinars.

https://live.paloaltonetworks.com/t5/cortex-xdr-webinars/cortex-xdr-customer-success-webinar-series-...

Please click Accept as Solution to acknowledge that the answer to your question has been provided.

 

 

  • 362 Views
  • 1 replies
  • 0 Likes
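The triage the reply describes (group alerts by source, category and action, then decide per group whether to investigate in XDR, investigate on the firewall, or tune the firewall rule instead of hiding already-blocked traffic behind an XDR exclusion) as an added worked example. This is editor-added code, not from the poster, the replier or Palo Alto Networks. The sample alert records are constructed; the field names `source`, `category`, `action`, `severity`, the `alert_source` filter and the `get_alerts_multi` endpoint are assumed from my reading of the Cortex XDR public API, and `fetch_alerts` is not exercised offline. The source names, the 20-alert noise threshold and the recommendation strings are illustrative.

```python
"""Added example: bucket Cortex XDR alerts by (source, category, action) so that
high-volume, already-blocked third-party firewall alerts can be tuned at the
firewall instead of being excluded (and lost) in XDR."""
import json
import urllib.request
from collections import Counter

# Recommendation strings are illustrative (assumption, not XDR terminology).
INVESTIGATE_XDR = ("XDR-generated: investigate, close the incident as true/false "
                   "positive, and add a module exception only for confirmed benign artifacts")
TUNE_AT_SOURCE = ("Third-party, already blocked, high volume: tune the rule or its "
                  "logging on the firewall rather than excluding it in XDR")
INVESTIGATE_SOURCE = "Third-party, low volume or not blocked: investigate on the firewall"

BLOCKED_ACTIONS = {"blocked", "prevented", "block", "prevent"}


def make_alert(alert_id, source, category, action, severity, name):
    """Minimal alert record in the shape of the XDR API's reply.alerts items (assumed fields)."""
    return {"alert_id": alert_id, "source": source, "category": category,
            "action": action, "severity": severity, "name": name}


# Constructed sample: 25 blocked Anti-Bot hits, 3 DLP detections, 1 blocked IPS hit
# from the firewall, plus 2 XDR Analytics alerts. Values are invented.
SAMPLE_ALERTS = (
    [make_alert(i, "Check Point", "Malware", "Blocked", "medium", "Anti-Bot") for i in range(1, 26)]
    + [make_alert(i, "Check Point", "Data Loss", "Detected", "high", "DLP") for i in range(26, 29)]
    + [make_alert(29, "Check Point", "IPS", "Blocked", "low", "IPS signature")]
    + [make_alert(i, "XDR Analytics", "Credential Access", "Detected", "high", "Unusual LDAP search")
       for i in range(30, 32)]
)


def summarize(alerts):
    """Count alerts per (source, category, action): the filter the reply suggests applying."""
    return Counter((a["source"], a["category"], a["action"]) for a in alerts)


def classify(source, action, count, third_party_sources, noise_threshold):
    """Map one group to a handling recommendation."""
    if source not in third_party_sources:
        return INVESTIGATE_XDR
    if action.lower() in BLOCKED_ACTIONS and count >= noise_threshold:
        return TUNE_AT_SOURCE
    return INVESTIGATE_SOURCE


def triage(alerts, third_party_sources=("Check Point",), noise_threshold=20):
    """Return groups sorted by volume, each with a recommendation; the counts keep
    visibility of blocked traffic even when the individual alerts are later tuned away."""
    rows = []
    for (source, category, action), count in summarize(alerts).most_common():
        rows.append({"source": source, "category": category, "action": action, "count": count,
                     "recommendation": classify(source, action, count,
                                                third_party_sources, noise_threshold)})
    return rows


def fetch_alerts(api_fqdn, api_key_id, api_key, source, search_to=100):
    """Live fetch from the get_alerts_multi endpoint filtered by alert source.
    Endpoint path, header names and body shape are assumed from the public API docs
    (standard API key); not run offline."""
    body = json.dumps({"request_data": {
        "filters": [{"field": "alert_source", "operator": "in", "value": [source]}],
        "search_from": 0, "search_to": search_to}}).encode()
    req = urllib.request.Request(
        f"https://api-{api_fqdn}/public_api/v1/alerts/get_alerts_multi/",
        data=body, method="POST",
        headers={"x-xdr-auth-id": str(api_key_id), "Authorization": api_key,
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["reply"]["alerts"]


if __name__ == "__main__":
    # Offline run over the constructed sample; swap in fetch_alerts(...) for live data.
    for row in triage(SAMPLE_ALERTS):
        print(f'{row["count"]:4d}  {row["source"]:<14} {row["category"]:<18} '
              f'{row["action"]:<9} -> {row["recommendation"]}')
```

Run it as-is to see the constructed sample sorted by volume: the 25 blocked Anti-Bot alerts land in the "tune at the firewall" bucket, while the three DLP detections, the single IPS block and the XDR Analytics alerts stay on the investigate lists. Keeping the per-group counts (for example in a daily report) is what preserves the visibility the original poster lost when the blocked alerts were excluded outright.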