We’re delighted to announce an Indeni release. The highlights are the ability to exclude issue items, the ability to specify a threshold within a rule that controls when an alert is triggered, OAuth 2.0 authorization with ServiceNow, new Auto-Triage Elements and new Auto-Detect Elements.
1. Persistently exclude an issue item
This has been a frequent request and will simplify how you handle issue items that are of no interest to you. When an issue item is excluded, the system stops sending email notifications and ServiceNow updates for that item.
There are a couple of ways to exclude an issue item. The easiest is from the issue page where the issue items are listed. In the issue drawer, hover over the item you wish to exclude and click the blue mark shown below.
In the next rule evaluation for CP-R80.20-GW8-1, CPU-2 will be excluded from the issue and the change will be reflected in the UI. In other words, item 2 will disappear from the UI a couple of minutes later. This also creates an entry in the rule configuration with the exclusion pattern set to “2”. From Knowledge Explorer, navigate to the “High CPU usage per core(s)” rule, click on OVERVIEW, and scroll to the bottom to the Excluded Patterns section. You will see the entry “2” (CPU-2) created for CP-R80.20-GW8-1, as shown below.
If you change your mind, you can just remove the entry. You can also exclude multiple issue items. Remember, this will take effect in the next rule evaluation cycle.
Disaster Recovery Use Case
The other option to exclude an issue item is to pre-define a pattern from Knowledge Explorer. Let’s look at an example. You have a disaster recovery strategy in place. Under normal operations, many of the disaster recovery services are not available. For example, the disaster recovery BGP peer is always down, so you want to exclude the peer from the “BGP peer(s) down” alert. To do that, define an exclusion pattern that matches the BGP peer for disaster recovery.
From Knowledge Explorer, navigate to the “BGP peer(s) down” rule, click on OVERVIEW, scroll to the bottom to the Excluded Patterns section, and click ADD NEW.
In this example, 10.11.94.61 will be excluded from all the Check Point devices. You can use a wildcard if you want to exclude multiple issue items that share the same prefix. For example, in the same scenario you could define 10.11.* instead.
Regular Security Scanning Use Case
Besides the disaster recovery use case, this new capability enables other interesting use cases. Currently, Indeni alerts when a failed login attempt is recorded in /var/log/secure. The log entry also provides the source IP from which the failed login attempt originated, and you can define that source IP address in the exclusion settings so the system does not trigger an issue for it. In most environments today, a scanner regularly attempts to SSH into devices on your behalf. This triggers the alert, producing a false positive. By pre-defining the list of source IP addresses of these scanners, you can keep scanning enabled in your environment without generating these false positives.
NOTE: With the introduction of this new feature, we retire the ability to archive an issue item. The rationale is that you can use the new exclude capability to state that you don’t care about a specific issue item. If you change your mind later, you can update the exclusion settings from Knowledge Explorer.
2. Specify a threshold for the number of issue items
You may have deployed primary and secondary NTP servers in your environment. In some deployments, the secondary NTP address is only reachable when the primary has shut down. In this case, you only want to be notified if all the NTP servers are unreachable. With this release, you can define a custom rule as follows:
By specifying Thresholds = 0, the system will only trigger an issue if all the NTP servers are unreachable.
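The following is an added illustration, not Indeni’s code, of how the two rule settings described above interact with issue items: the exclusion patterns from the scanner use case (exact IP or a 10.11.* style prefix wildcard) and a threshold of 0 for the NTP rule. The log lines are constructed, the wildcard is modelled with shell-style matching, and the threshold is modelled as “fire only when the number of servers still reachable is at or below the threshold”; both semantics are assumptions, not documented Indeni behaviour.

```python
import fnmatch
import re

# Constructed sample /var/log/secure lines (not from the page); 10.11.x.x plays
# the role of an internal scanner range, reusing the page's 10.11.* example.
SECURE_LOG = """\
Jul  1 10:00:01 gw1 sshd[2211]: Failed password for invalid user admin from 10.11.94.61 port 51002 ssh2
Jul  1 10:00:03 gw1 sshd[2213]: Failed password for root from 10.11.7.22 port 51010 ssh2
Jul  1 10:00:09 gw1 sshd[2219]: Accepted publickey for ops from 192.0.2.10 port 40020 ssh2
Jul  1 10:00:15 gw1 sshd[2220]: Failed password for root from 198.51.100.44 port 40101 ssh2
Jul  1 10:00:16 gw1 sshd[2221]: Failed password for root from 198.51.100.44 port 40102 ssh2
"""

FAILED_RE = re.compile(r"Failed password for .+ from (\S+) port \d+")


def failed_login_sources(log_text):
    """Distinct source IPs of failed SSH logins, in order of first appearance."""
    sources = []
    for line in log_text.splitlines():
        match = FAILED_RE.search(line)
        if match and match.group(1) not in sources:
            sources.append(match.group(1))
    return sources


def is_excluded(item, excluded_patterns):
    """Assumed matching semantics: exact match, or shell-style wildcard such as '10.11.*'."""
    return any(fnmatch.fnmatchcase(item, pattern) for pattern in excluded_patterns)


def open_issue_items(items, excluded_patterns):
    """Issue items that survive the exclusion list and would still notify."""
    return [item for item in items if not is_excluded(item, excluded_patterns)]


def ntp_issue_triggers(server_reachable, threshold):
    """Assumed threshold semantics: the issue fires only when the number of
    servers still reachable is at or below the threshold, so threshold=0
    means 'notify only when every NTP server is unreachable'."""
    reachable = sum(1 for ok in server_reachable.values() if ok)
    return reachable <= threshold


if __name__ == "__main__":
    sources = failed_login_sources(SECURE_LOG)
    print("all failed-login sources:", sources)
    print("after excluding 10.11.*:", open_issue_items(sources, ["10.11.*"]))
    print("NTP issue, both down, threshold 0:", ntp_issue_triggers({"ntp1": False, "ntp2": False}, 0))
```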
3. OAuth 2.0 Authorization with ServiceNow
This feature lets you access your ServiceNow instance resources by obtaining a token rather than entering login credentials with each resource access request. For further information, see ServiceNow Integration.
4. New Auto-Triage Elements for Check Point Devices
- OSPF Neighbour down
- Cluster Critical process (pnote problem) down
5. New Auto-Detect Elements for Check Point Management Servers
- SNMPd process down
- Syslog service down
6. New & Enhanced Auto-Detect Elements for Palo Alto Networks Devices
- New Auto-Detect Elements for Palo Alto Networks:
  - IPSec tunnel state tracking
  - Monitoring BGP Peers vs Group
  - Panorama UserID Monitoring
  - CVE-2020-2021 PAN-OS: Authentication bypass in SAML authentication (this vulnerability has a CVSS severity score of 10; you should review it)
- Enhancements for Palo Alto Networks devices:
  - Track DP CPU usage at the plane level instead of the core level
  - Ability to graph the rx/tx of VPN tunnel interfaces
  - Ability to visualize bond interface utilization