For a Cisco device, you should be able to track when policy changes are being made and look for the 'shun' command being run. Or, shunned IPs should trigger a different block message than regular blocked traffic, and you could track that.
Thanks for the information.
Yes, it is a Cisco - I do not have access to our firewall and the network engineer is not here to query this with.
I am just looking at "All Firewall Events" in LEM - checking event info...any idea what the "event info" is for a shun? I can see "ACL Inside Access in Denied TCP Packet" - this could be it?
With the Cisco device, if traffic is shunned, it should generate a different message than the ACL blocks. The event you pasted, "ACL Inside Access in Denied TCP Packet," is telling you that your "Inside Access in" is what blocked the traffic. A shun is a little bit different.
Looking at the shun command, you can't actually turn off logging (some firewalls let you turn off logs for blacklisted/shunned IPs), so you should see messages if a shun is hit.
Here are some thoughts on messages to look for, from Cisco ASA Series Syslog Messages - Syslog Messages 101001-520025 [Cisco ASA 5500-X Series Firewalls] - Cisco:
401002 - Shun Added
Error Message %ASA-4-401002: Shun added: IP_address IP_address port port
401003 - Shun Deleted
Error Message %ASA-4-401003: Shun deleted: IP_address
401004 - Shunned traffic detected
Error Message %ASA-4-401004: Shunned packet: IP_address = IP_address on interface interface_name
You will see these strings - 401002, 401003, 401004 - in the ProviderSID field coming from LEM. It should include literally "ASA-4-401004" but if someone has changed the severity manually the 4 will be something else. Easiest approach is probably to clone your firewall filter or create a new one that looks for "Any Alert.ProviderSID = *40100*" (or explicitly 401004, 401003, or 401002 depending on what you want to look for).
The firewall reporting the shun should be the DetectionIP field. If you look at the events in the LEM console, you should be able to tell if it's the IP or name of the device being reported. (You could potentially use the ToolAlias field and look for something like Cisco* if you wanted to look for ALL firewalls.)
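The message-ID matching described above, as an added example that is not part of the thread: a small Python parser that pulls the 40100x shun messages out of raw ASA syslog lines (rather than LEM's ProviderSID field), matching on the message ID so that a re-levelled severity digit does not hide the event, and ignoring an ordinary ACL deny. The sample lines, the hostname fw01 and the 106023 deny line are constructed assumptions, not real firewall output.

```python
import re
from collections import Counter
from typing import Optional

# Message IDs from the Cisco ASA syslog reference cited in the thread.
SHUN_IDS = {"401002": "shun_added", "401003": "shun_deleted", "401004": "shunned_packet"}
# Severity is captured separately: a literal "ASA-4-" match misses re-levelled messages.
HEADER_RE = re.compile(r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}):\s*(?P<body>.*)$")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_shun_event(line: str) -> Optional[dict]:
    """Return a normalised record for a 40100x message, or None for any other line."""
    m = HEADER_RE.search(line)
    if not m or m.group("msgid") not in SHUN_IDS:
        return None
    body = m.group("body")
    ips = IPV4_RE.findall(body)
    iface = re.search(r"on interface (\S+)", body)
    return {
        "msgid": m.group("msgid"),
        "severity": int(m.group("sev")),
        "action": SHUN_IDS[m.group("msgid")],
        "shunned_ip": ips[0] if ips else None,  # the shunned source is listed first
        "interface": iface.group(1) if iface else None,
    }


def shun_summary(lines) -> dict:
    """Count 401004 hits per shunned IP and collect shun add/delete actions in order."""
    hits: Counter = Counter()
    actions = []
    for rec in filter(None, map(parse_shun_event, lines)):
        if rec["action"] == "shunned_packet":
            hits[rec["shunned_ip"]] += 1
        else:
            actions.append((rec["action"], rec["shunned_ip"]))
    return {"hits": dict(hits), "actions": actions}


# Constructed sample lines, not real firewall output. The ACL deny (106023) must be
# ignored, and the last line shows a shun message whose severity was changed to 6.
SAMPLE_LOG = [
    "Jan 12 10:15:01 fw01 %ASA-4-401002: Shun added: 203.0.113.45 198.51.100.10 0 0",
    "Jan 12 10:15:07 fw01 %ASA-4-401004: Shunned packet: 203.0.113.45 = 198.51.100.10 on interface outside",
    "Jan 12 10:15:08 fw01 %ASA-4-401004: Shunned packet: 203.0.113.45 = 198.51.100.10 on interface outside",
    'Jan 12 10:15:09 fw01 %ASA-4-106023: Deny tcp src outside:203.0.113.99/4444 dst inside:10.0.0.5/445 by access-group "Inside_Access_in"',
    "Jan 12 10:20:00 fw01 %ASA-6-401003: Shun deleted: 203.0.113.45",
]

if __name__ == "__main__":
    print(shun_summary(SAMPLE_LOG))
```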