07-05-2022 09:20 AM
Hello!
I am taking ownership of our SecureX environment and noticed we are almost continuously creating Incidents for known-bad IPs trying to connect to us from the internet. At this point, we have over 30,000 open incidents, and none of them are relevant. What is the best way to prevent this from happening? Personally, I don't think anything getting blocked from the internet should create an Incident. It's already been blocked, it's not an indication of compromise, and if anything it would just be nice to have it logged.
So how can I log this traffic without generating extra noise? Thanks in advance for any help!
DevLop
07-05-2022 09:44 AM
Hi @DevLop, you can change the auto-promote rules to not make incidents of every firewall event. Please check here for more info: https://admin.sse.itd.cisco.com/assets/static/online-help/index.html#!t_automatically_promote_events.html
That being said, you might want to consider cleaning up your incident manager after you did so. As this is the developer forum, I will make an automated suggestion, but please be very careful. You can also do this programmatically, via the private intel database API from SecureX. If you wish to delete all of your incidents, you can use this Python script:
https://github.com/CiscoSecurity/tr-04-wipe-private-intel
Please test this first before you test in production. I think you can configure it to just delete your incidents, and not any other private intel database objects (like casebooks and judgements etc).
Another, safer, method is to just select all incidents from the GUI and then close them by changing the status for multiple events. The incidents will still be there, but at least they won't be open.
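As an added example (not code from the thread and not the CiscoSecurity wipe script), here is the safer "close, don't delete" approach from the answer above done programmatically, so 30,000 incidents do not have to be selected by hand in the GUI. Only Open incidents whose title matches a firewall-block pattern are touched, and the script runs in dry-run mode by default. The SecureX/CTIA endpoints, the NAM regional base URLs, the limit/offset pagination, the title pattern and the environment variable names are assumptions; check them against the private intel API documentation for your region before flipping dry_run to False.

```python
"""
Bulk-close noisy firewall-block incidents in SecureX instead of deleting them.

Added example, not part of the thread. Assumed (verify for your region):
  token : POST https://visibility.amp.cisco.com/iroh/oauth2/token
          grant_type=client_credentials, HTTP Basic auth = API client id:secret
  search: GET  {PRIVATE_INTEL}/ctia/incident/search?query=...&limit=N&offset=M
  status: POST {PRIVATE_INTEL}/ctia/incident/{short_id}/status {"status":"Closed"}
"""
import base64
import json
import os
import re
import urllib.parse
import urllib.request

PRIVATE_INTEL = "https://private.intel.amp.cisco.com"       # assumption: NAM region
TOKEN_URL = "https://visibility.amp.cisco.com/iroh/oauth2/token"  # assumption

# Constructed sample of what a search response might contain (fields trimmed).
SAMPLE_INCIDENTS = [
    {"id": f"{PRIVATE_INTEL}/ctia/incident/incident-0001", "status": "Open",
     "title": "Firewall: Blocked connection from 203.0.113.7 (known bad IP)"},
    {"id": f"{PRIVATE_INTEL}/ctia/incident/incident-0002", "status": "Open",
     "title": "Endpoint: Malware executed on HOST-42"},
    {"id": f"{PRIVATE_INTEL}/ctia/incident/incident-0003", "status": "Closed",
     "title": "Firewall: Blocked connection from 198.51.100.9 (known bad IP)"},
    {"id": f"{PRIVATE_INTEL}/ctia/incident/incident-0004", "status": "Open",
     "title": "Firewall: Blocked connection from 192.0.2.55 (known bad IP)"},
]

# Assumed title shape of the auto-promoted firewall events; tighten to match yours.
NOISE_TITLE = re.compile(r"^Firewall: Blocked connection from", re.IGNORECASE)


def select_noise(incidents, title_pattern=NOISE_TITLE):
    """Return ids of incidents that are still Open AND look like block noise.
    Anything that is not both is left alone, so real incidents survive."""
    return [i["id"] for i in incidents
            if i.get("status") == "Open" and title_pattern.search(i.get("title", ""))]


def plan_closures(ids, base_url=PRIVATE_INTEL):
    """Turn full CTIA ids into (method, url, body) status-update calls.
    CTIA ids are URLs; the status endpoint takes the last path segment."""
    calls = []
    for full_id in ids:
        short_id = urllib.parse.quote(full_id.rsplit("/", 1)[-1], safe="")
        calls.append(("POST", f"{base_url}/ctia/incident/{short_id}/status",
                      {"status": "Closed"}))
    return calls


def get_token(client_id, client_secret):
    """OAuth2 client-credentials exchange for a SecureX API client (assumed flow)."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    req = urllib.request.Request(
        TOKEN_URL, data=b"grant_type=client_credentials",
        headers={"Authorization": f"Basic {creds}", "Accept": "application/json",
                 "Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["access_token"]


def search_open_incidents(token, base_url=PRIVATE_INTEL, page=100):
    """Yield Open incidents page by page (assumed limit/offset pagination)."""
    offset = 0
    while True:
        q = urllib.parse.urlencode({"query": 'status:"Open"', "limit": page, "offset": offset})
        req = urllib.request.Request(f"{base_url}/ctia/incident/search?{q}",
                                     headers={"Authorization": f"Bearer {token}",
                                              "Accept": "application/json"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            batch = json.load(resp)
        if not batch:
            return
        yield from batch
        offset += page


def close_incidents(token, calls, dry_run=True):
    """Run the planned status updates. With dry_run=True nothing is sent;
    the calls are printed and their URLs returned for review."""
    done = []
    for method, url, body in calls:
        if dry_run:
            print(f"[dry-run] {method} {url} {json.dumps(body)}")
        else:
            req = urllib.request.Request(
                url, method=method, data=json.dumps(body).encode(),
                headers={"Authorization": f"Bearer {token}", "Accept": "application/json",
                         "Content-Type": "application/json"})
            with urllib.request.urlopen(req, timeout=30) as resp:
                resp.read()
        done.append(url)
    return done


if __name__ == "__main__":
    # Assumed env var names; review the dry-run output before setting dry_run=False.
    tok = get_token(os.environ["SECUREX_CLIENT_ID"], os.environ["SECUREX_CLIENT_SECRET"])
    noisy = select_noise(search_open_incidents(tok))
    close_incidents(tok, plan_closures(noisy), dry_run=True)
```

Two practical notes: run it once with dry_run=True and eyeball the printed URLs against the titles, because a loose regex is the easiest way to close a real incident by accident; and if your search backend caps the offset (as Elasticsearch-backed APIs often do), rerun the script after each pass, since closed incidents drop out of the status:"Open" query and the remaining noise moves into the first pages.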