Hello guys,
I'd like to check changes on the Checkpoint firewall logs but I haven't any result :
*index=xxx host=yyy action=accept earliest=-24h@h latest=-20h@h sourcetype=*opsec* | eval src_acc=src | eval dst_acc=dst | eval acc_action=action | join src,dst [search index=xxx host=yyy sourcetype=*opsec* action=drop earliest=-1h@h latest=now src=src_acc dst=dst_acc | eval src_dro=src | eval dst_dro=dst | eval drop_action=action | eval before_time=strftime(_time,"%y/%m/%d %H:%M")] | table _time,src_dro,src_acc,dst_dro,dst_acc,action,before_action,before_time*
Thanks for your help!
↧