Antibot related logs are not appearing in the datamodel results when I run a search query using below datamodel based. Could you please guide me how to fix this issue. Thank you.
| from datamodel:"Intrusion_Detection".AntiBot | search Gateway=xxxxxx
But when I run a search query using below index based, logs are able to see it.
index=checkpoint product=Anti-Bot signature!="" severity IN (High, critical) confidence_level=low
Below is the sample log line.
time=1672655849|hostname=xxxx|severity=High|confidence_level=Low|product=Anti-Bot|action=Detect|ifdir=outbound|ifname=eth3|loguid={0x5127e871,0xbd548381,0xe17d3047,0x8b1277fc}|origin=x.x.x.x|originsicname=CN\=XXXXX,O\=XXXXXX|sequencenum=11|time=1672655849|version=5|dns_message_type=Query|dst=X.X.X.X|lastupdatetime=1672658788|log_id=2|malware_action=Trying to locate a C&C|malware_rule_id={XXXXX}|malware_rule_name=Anti-Bot Prevent Mode|policy=XXXX|policy_time=1668791496|protection_id=XXX|protection_name=XXXXX|protection_type=DNS reputation|proto=17|question_rdata=XXX|received_bytes=0|resource=technetium.network|rule_name=XXX|rule_uid=XXXX|s_port=53361|scope=x.x.x.x|sent_bytes=0|service=xx|session_id={0x63b26e99,0x11,0x5f17f465,0xc5683bca}|smartdefense_profile=XXXX Standard Anti-bot - Prevent|src=x.x.x.x|suppressed_logs=10|tid=57558|layer_name=IPS|layer_name=IPS|layer_name=IPS|layer_uuid={xxxx}|layer_uuid={xxxx}|layer_uuid={xxxx}|layer_uuid={xxx}|layer_uuid={xxxx}|layer_uuid={xxxx}|malware_rule_id={xxxxx}|malware_rule_id={xxxxx}|malware_rule_id={xxxxx}|malware_rule_id={xxxxx}|malware_rule_id={xxxxx}|malware_rule_id={xxxxx}|malware_rule_name=IPS - Prevent Profile|malware_rule_name=Anti-Bot Prevent Mode|malware_rule_name=IPS - Prevent Profile|malware_rule_name=Anti-Bot Prevent Mode|malware_rule_name=IPS - Prevent Profile|malware_rule_name=Anti-Bot Prevent Mode|smartdefense_profile=XXXX Standard IPS - Prevent|smartdefense_profile=XXX Standard Anti-bot - Prevent|smartdefense_profile=xxxxx Standard IPS - Prevent|smartdefense_profile=xxxxx Standard Anti-bot - Prevent|smartdefense_profile=xxxxx Standard IPS - Prevent|smartdefense_profile=xxxxx Standard Anti-bot - Prevent
"Antibot" is not a standard dataset in the Intrusion_Detection model. Go to Settings->Data models and click on Intrusion Detection. There you will see the available datasets (there are 3 on my system). Have you installed an app that adds "Antibot" to the model? If so, verify it was installed correctly.
Hi,
Thank you for your guidance. Issue is resolved.
"Antibot" is not a standard dataset in the Intrusion_Detection model. Go to Settings->Data models and click on Intrusion Detection. There you will see the available datasets (there are 3 on my system). Have you installed an app that adds "Antibot" to the model? If so, verify it was installed correctly.