Yah, the UI is still 1000 max result. That is very bad. boooooooooooooo
Original Message:
Sent: 1/9/2025 11:44:00 AM
From: Thomas Anderson
Subject: RE: IP address of connection
One of the API endpoints exposes an interface to query the Message Audit Log (MAL); the roughly equivalent CLI command would be the "malquery" command.
Also want to call out that the override to the 1000 result limit you mentioned is available via the "-m" or "--max" options of the malquery CLI command.
Details about the REST API endpoints are available in the product documentation at:
https://techdocs.broadcom.com/us/en/symantec-security-software/email-security/messaging-gateway/10-9-0/Administration---Settings/smg-rest-api.html
Original Message:
Sent: Jan 08, 2025 04:30 PM
From: Andrey Fyodorov
Subject: IP address of connection
Is there a command line for this REST API ?
Original Message:
Sent: 1/8/2025 3:55:00 PM
From: Thomas Anderson
Subject: RE: IP address of connection
There is also the REST API to query MAL that was introduced. It doesn't have any restriction on number of responses.
Original Message:
Sent: Jan 08, 2025 12:05 PM
From: alexander-smg
Subject: IP address of connection
Nope, 1000 is the max.
Original Message:
Sent: 1/8/2025 10:58:00 AM
From: Andrey Fyodorov
Subject: RE: IP address of connection
Exactly. Although somewhere in the settings you can configure SMG to return more than 1000 audit log search results per scanner, with a warning that it could negatively impact performance.
Original Message:
Sent: 1/8/2025 10:33:00 AM
From: alexander smg
Subject: RE: IP address of connection
Unclassified | Non classifié
The issue with SMG: you can't get more than 1000 results per scanner, which is so ****.
Original Message:
Sent: 1/8/2025 10:31:00 AM
From: Andrey Fyodorov
Subject: RE: IP address of connection
It worked for me a bunch of times.
A search like this may produce too many results, depending on how busy and how "popular" your SMG is. Ours gets bombarded with thousands of connections per minute. So in our case when we do searches like this, we have to really narrow down the time range of the search.
Original Message:
Sent: 1/8/2025 10:13:00 AM
From: alexander smg
Subject: RE: IP address of connection
Unclassified | Non classifié
That "may" work. Hmm🤔
Original Message:
Sent: 1/8/2025 9:39:00 AM
From: Andrey Fyodorov
Subject: RE: IP address of connection
Search by Connection IP and put in a single dot in the search criteria field. Every IP has a dot in it. So the search will find all the connections.
You can also add optional search criteria based on Verdict, like "The sender's IP address is in the Symantec Global Bad Senders List" or "The connection was blocked by Connection Classification".
Original Message:
Sent: 1/8/2025 8:43:00 AM
From: reza akhlaghy
Subject: RE: IP address of connection
I think I didn't describe the problem properly:
In a specific time frame, we have a huge number of Bad IP Reputation blocks. I want to see who they are. Message Audit Logs can only search for a Connection IP if you know it.
Original Message:
Sent: Jan 08, 2025 08:11 AM
From: alexander smg
Subject: IP address of connection
Unclassified | Non classifié
Yes. The Audit logs.
Original Message:
Sent: 1/8/2025 7:30:00 AM
From: reza akhlaghy
Subject: IP address of connection
Hi,
Is there any way to see the IP address of a connection which is being dropped due to Bad reputation?