Found an interesting event in our IPS that we want to investigate. The IPS is on the internet side of the firewall ( internet <-> IPS <-> FW ). The IPS signature is currently set to allow but is hitting a port which should be denied on the FW.
Is it possible to search for the IPS event, take the significant data (timestamp, src IP, dst IP, etc) from the 20-30-ish events and automatically populate a search for the FW logs to see if it was allowed or blocked?
I can do it manually but that entails entering several IPs into the various filters and then manually correlating it.

Posted by Mike Calvi
Pinned topic search results in another search
Updated on 2012-11-27T18:26:09Z at 2012-11-27T18:26:09Z by SystemAdmin
Re: Unfortunately no good way to (2012-11-27T18:26:09Z, accepted answer)

Unfortunately no good way to automate this today. Best bet is to right-click on each IP and perform the secondary search. Moving forward you could create Building Blocks for each of the actions and search for events that matched both Building Blocks.
Posted By scott.vanwart
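The correlation the question asks for (take src IP, dst IP, port and timestamp from each IPS event, then look up the matching firewall record to see whether it was permitted or denied) can be done offline once both logs are exported. The script below is an added example written for this thread; it is not QRadar code, not a vendor API, and not from either poster. It assumes both logs were exported as plain text; the two line formats, the field names and every address and timestamp in it are constructed for illustration and do not represent any real IPS or firewall syntax.

```python
"""Correlate IPS 'allow' events with firewall log records (added example, not from the thread)."""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample IPS export: three events the IPS allowed on a port the FW should deny.
IPS_EVENTS = """\
2012-11-27T18:00:01Z sig=web-exploit-probe action=allow src=203.0.113.10 dst=192.0.2.5 dport=8080
2012-11-27T18:00:05Z sig=web-exploit-probe action=allow src=203.0.113.11 dst=192.0.2.5 dport=8080
2012-11-27T18:00:09Z sig=web-exploit-probe action=allow src=203.0.113.12 dst=192.0.2.5 dport=8080
"""

# Constructed sample firewall export: one matching DENY, one matching PERMIT, one unrelated line.
FW_LOG = """\
2012-11-27T18:00:01Z fw1 DENY tcp 203.0.113.10:51234 -> 192.0.2.5:8080
2012-11-27T18:00:06Z fw1 PERMIT tcp 203.0.113.11:51235 -> 192.0.2.5:8080
2012-11-27T18:00:07Z fw1 PERMIT tcp 198.51.100.7:40000 -> 192.0.2.9:443
"""

# Hypothetical line formats; adjust these two patterns to the real exports.
IPS_RE = re.compile(
    r"^(?P<ts>\S+) sig=(?P<sig>\S+) action=(?P<action>\S+) "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$"
)
FW_RE = re.compile(
    r"^(?P<ts>\S+) \S+ (?P<verdict>DENY|PERMIT) \S+ "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


@dataclass
class IpsEvent:
    ts: datetime
    sig: str
    src: str
    dst: str
    dport: int


@dataclass
class FwRecord:
    ts: datetime
    verdict: str
    src: str
    dst: str
    dport: int


def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def parse_ips(text: str) -> list[IpsEvent]:
    events = []
    for line in text.splitlines():
        m = IPS_RE.match(line)
        if m and m["action"] == "allow":  # only the allowed hits are of interest
            events.append(IpsEvent(parse_ts(m["ts"]), m["sig"], m["src"], m["dst"], int(m["dport"])))
    return events


def parse_fw(text: str) -> list[FwRecord]:
    records = []
    for line in text.splitlines():
        m = FW_RE.match(line)
        if m:
            records.append(FwRecord(parse_ts(m["ts"]), m["verdict"], m["src"], m["dst"], int(m["dport"])))
    return records


def correlate(ips_events: list[IpsEvent], fw_records: list[FwRecord],
              window: timedelta = timedelta(seconds=10)) -> dict[str, str]:
    """Map each IPS event ('src->dst:dport') to the FW verdict closest in time.

    An event with no FW record inside the window is reported as NO_FW_RECORD:
    either the FW never logged the flow or the clocks/time window need attention.
    """
    index: dict[tuple[str, str, int], list[FwRecord]] = defaultdict(list)
    for r in fw_records:
        index[(r.src, r.dst, r.dport)].append(r)

    results: dict[str, str] = {}
    for e in ips_events:
        candidates = [r for r in index.get((e.src, e.dst, e.dport), []) if abs(r.ts - e.ts) <= window]
        if candidates:
            closest = min(candidates, key=lambda r: abs(r.ts - e.ts))
            verdict = closest.verdict
        else:
            verdict = "NO_FW_RECORD"
        results[f"{e.src}->{e.dst}:{e.dport}"] = verdict
    return results


def needs_attention(results: dict[str, str]) -> list[str]:
    """Flows the IPS allowed that the FW did not demonstrably deny."""
    return sorted(k for k, v in results.items() if v != "DENY")


if __name__ == "__main__":
    outcome = correlate(parse_ips(IPS_EVENTS), parse_fw(FW_LOG))
    for flow, verdict in sorted(outcome.items()):
        print(f"{flow:<32} {verdict}")
    print("needs attention:", needs_attention(outcome))
```

The join key is (src, dst, dport) plus a time window rather than the IP alone, which is what makes the manual per-IP filtering in the question noisy: the same source address can appear in many unrelated firewall lines. Keep the window small and confirm the IPS and firewall clocks are synchronised before trusting a NO_FW_RECORD result, since a clock skew larger than the window produces the same output as a missing log entry.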