cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1042
Views
5
Helpful
1
Replies

NGFW Blocks creating Incidents

DevLop
Level 1
Level 1

Hello!

 

I am taking ownership of our SecureX environment and noticed we are almost continuously creating Incidents for known-bad IPs trying to connect to us from the internet. At this point, we have over 30,000 open incidents, and none of them are relevant. What is the best way to prevent this from happening? Personally, I don't think anything getting blocked from the internet should create an Incident. It's already been blocked, it's not an indication of compromise, and if anything it would just be nice to have it logged.

 

So how can I log this traffic without generating extra noise? Thanks in advance for any help!

 

DevLop

1 Accepted Solution

Accepted Solutions

chrivand
Cisco Employee
Cisco Employee

hi @DevLop , you can change the auto-promote rules to not make incidents of every firewall event. Please check here for more info: https://admin.sse.itd.cisco.com/assets/static/online-help/index.html#!t_automatically_promote_events.html

 

That being said, you might want to consider cleaning up your incident manager after you did so. As this is the developer forum, I will make an automated suggestion, but please be very careful. You can also do this programmatically, via the private intel database API from SecureX. If you wish to delete all of your incidents, you can use this Python script: 


 PLEASE BE VERY CAREFUL WITH THIS SCRIPT!!!  

 

https://github.com/CiscoSecurity/tr-04-wipe-private-intel

 

Please test this first before you test in production. I think you can configure it to just delete your incidents, and not any other private intel database objects (like casebooks and judgements etc).

 

Another, safer, method is to just select all incidents from the GUI and then close them by changing the status for multiple events. The incidents will still be there, but at least they won't be open.

View solution in original post

1 Reply 1

chrivand
Cisco Employee
Cisco Employee

hi @DevLop , you can change the auto-promote rules to not make incidents of every firewall event. Please check here for more info: https://admin.sse.itd.cisco.com/assets/static/online-help/index.html#!t_automatically_promote_events.html

 

That being said, you might want to consider cleaning up your incident manager after you did so. As this is the developer forum, I will make an automated suggestion, but please be very careful. You can also do this programmatically, via the private intel database API from SecureX. If you wish to delete all of your incidents, you can use this Python script: 


 PLEASE BE VERY CAREFUL WITH THIS SCRIPT!!!  

 

https://github.com/CiscoSecurity/tr-04-wipe-private-intel

 

Please test this first before you test in production. I think you can configure it to just delete your incidents, and not any other private intel database objects (like casebooks and judgements etc).

 

Another, safer, method is to just select all incidents from the GUI and then close them by changing the status for multiple events. The incidents will still be there, but at least they won't be open.