09-16-2024 12:46 PM
Hi,
Some time ago I connected the Check Point firewalls with Cortex XDR, and I can now see the alerts from the Cortex console.
My question is, what should I do now with the alerts, since the FW is generating more than 100 incidents a day?
I had created an exclusion rule for the incidents that are registered as blocked, but this made me lose visibility since the alerts were no longer generated, so I had to remove the exclusion.
What do I do with so many generated incidents? How can I manage them better?
09-17-2024 07:42 AM
Hello @Rolando_Pena
Thanks for reaching out on LiveCommunity!
Please identify the alert source and module which are generating the alerts by filtering on these fields in the alerts table. If these alerts are generated by Analytics, then investigate the alerts and resolve the incidents according to your findings. Marking an incident as a true positive or false positive helps the analytics engine improve its detections.
If the alerts are detecting legitimate behaviour, then try to create an exception/exclusion based on artefacts for the particular XDR module which is generating the alerts.
If the alerts are generated by the Checkpoint firewall directly, then you need to do tuning on the Checkpoint side as well.
Please refer to the link below for our alert tuning webinars.
Please click Accept as Solution to acknowledge that the answer to your question has been provided.
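The triage the reply describes (break the alert volume down by source and module, then decide whether to tune upstream on the firewall, investigate Analytics hits, or scope an exclusion to a specific artefact) can be rehearsed on an exported alert table before touching any exclusion rule. The script below is an added example written for this thread, not code from the original post or from Palo Alto Networks; the CSV rows are constructed, and the column names (alert_source, module, alert_name, action, host) are assumptions for the illustration, not the exact Cortex XDR export schema. It also quantifies why the blanket "exclude everything blocked" rule from the question costs visibility, and contrasts it with an exclusion scoped to one artefact.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of an alert-table export. Column names are assumed for
# this illustration and are not the exact Cortex XDR export schema.
SAMPLE_ALERTS_CSV = """alert_source,module,alert_name,action,host
Check Point,Firewall,Port scan from 203.0.113.5,BLOCKED,fw-edge-01
Check Point,Firewall,Port scan from 203.0.113.5,BLOCKED,fw-edge-01
Check Point,Firewall,Port scan from 203.0.113.9,BLOCKED,fw-edge-01
Check Point,Firewall,Outbound SMB to 198.51.100.20,BLOCKED,fw-edge-02
Check Point,Firewall,DNS tunnelling suspected,DETECTED,fw-edge-02
XDR Analytics,Analytics BIOC,Uncommon remote scheduled task creation,DETECTED,ws-finance-07
XDR Analytics,Analytics BIOC,Uncommon remote scheduled task creation,DETECTED,ws-finance-07
XDR Agent,Behavioral Threat Protection,Suspicious PowerShell download cradle,PREVENTED,ws-hr-03
"""

# Actions that mean the control already stopped the activity (assumed values).
BLOCKING_ACTIONS = {"BLOCKED", "PREVENTED"}


def parse_alerts(csv_text):
    """Read the export into a list of dicts, one per alert row."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def summarize_by_source_module(alerts):
    """Group alerts by (alert_source, module): total, blocked count, distinct names."""
    summary = defaultdict(lambda: {"total": 0, "blocked": 0, "names": set()})
    for a in alerts:
        s = summary[(a["alert_source"], a["module"])]
        s["total"] += 1
        if a["action"] in BLOCKING_ACTIONS:
            s["blocked"] += 1
        s["names"].add(a["alert_name"])
    return dict(summary)


def recommend(summary, firewall_sources=("Check Point",)):
    """Map each (source, module) group to the tuning path the reply suggests."""
    recs = {}
    for (source, module), _ in summary.items():
        if source in firewall_sources:
            # Third-party firewall alerts: reduce noise at the firewall itself.
            recs[(source, module)] = "tune on firewall side"
        elif "Analytics" in module:
            # Analytics detections: investigate, then resolve as TP/FP.
            recs[(source, module)] = "investigate; resolve as true/false positive"
        else:
            recs[(source, module)] = "review; exclusion scoped to artefact if legitimate"
    return recs


def visibility_cost_of_blocked_exclusion(alerts):
    """What a blanket 'exclude every blocked alert' rule would hide."""
    hidden = [a for a in alerts if a["action"] in BLOCKING_ACTIONS]
    return {
        "hidden_alerts": len(hidden),
        "hidden_sources": sorted({a["alert_source"] for a in hidden}),
        "hidden_names": sorted({a["alert_name"] for a in hidden}),
    }


def apply_scoped_exclusion(alerts, source, name_prefix):
    """Drop only alerts from one source whose name starts with one artefact prefix."""
    return [
        a for a in alerts
        if not (a["alert_source"] == source and a["alert_name"].startswith(name_prefix))
    ]


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS_CSV)
    summary = summarize_by_source_module(alerts)
    for key, s in summary.items():
        print(key, s["total"], "total,", s["blocked"], "blocked,", len(s["names"]), "distinct names")
    print(recommend(summary))
    print("blanket exclusion hides:", visibility_cost_of_blocked_exclusion(alerts))
    remaining = apply_scoped_exclusion(alerts, "Check Point", "Port scan from")
    print("after scoped exclusion:", len(remaining), "alerts remain")
```

On the constructed data the blanket rule would hide five alerts from two different sources, including the agent's PowerShell prevention, while the exclusion scoped to the Check Point port-scan artefact removes only the three repetitive scan alerts and keeps the SMB and DNS detections visible. Run the same grouping on a real export before writing an exclusion, and prefer the firewall-side tuning the reply recommends for anything sourced from Check Point.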