https://community.checkpoint.com/t5/Firewall-and-Security-Management/Exporting-logs-from-custom-threat-intelligence/m-p/114194#M15967 <P>I have not seen any information regarding custom intel feeds through management API, only ioc_feed in article&nbsp;<SPAN>sk132193. However that being said, I have the feed already ingesting through ioc_feeds and am now looking to report back to a logging server via cp_export_log (<A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk122323" target="_blank">Log Exporter - Check Point Log Export</A>). Really just need any assistance on defining how to filter the cp_export_log to only export on events where an IOC from ioc_feed has been seen. Cheers.</SPAN></P><P>&nbsp;</P> Mon, 22 Mar 2021 05:31:54 GMT sandman 2021-03-22T05:31:54Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Exporting-logs-from-custom-threat-intelligence/m-p/114181#M15959 <P>Hi there,</P><P>I am configuring the importing of custom threat intelligence feeds into the R80.40 checkpoint security gateway.&nbsp;</P><P>I am trying to configure exporting of specific events to a external syslog server.</P><P>If an IOC from from custom threat intelligence feed is seen, I would like the associated event/log sent for this indicator sent to an external syslog server/collector.&nbsp;</P><P>I understand it is possible to send filtered logs to an external syslog server, however I am unsure of the ids/identifiers for the custom threat intelligence feed logs to filter on.&nbsp;</P><P>Does anyone know how to do this?</P><P><SPAN>Cheers,</SPAN></P> Sun, 21 Mar 2021 22:37:12 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Exporting-logs-from-custom-threat-intelligence/m-p/114181#M15959 sandman 2021-03-21T22:37:12Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Exporting-logs-from-custom-threat-intelligence/m-p/114183#M15960 <P>How precisely are you importing the IoCs?<BR />In any case, IoCs are blocked with either Anti-Virus or Anti-Bot.</P> Mon, 22 Mar 2021 00:44:32 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Exporting-logs-from-custom-threat-intelligence/m-p/114183#M15960 PhoneBoy 2021-03-22T00:44:32Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Exporting-logs-from-custom-threat-intelligence/m-p/114184#M15964 <P>Hi there PhoneBoy,</P><P>Unsure what you mean by "How precisely". I am using multiple custom intelligence "ioc_feeds add" commands to pull different IOC types via an API through https from one threat intelligence provider. The organisation who provides the feeds requires reporting on what IOCs from their feed are seen by the checkpoint.</P><P>Is it possible to send logs (from Anti-virus/Anti-bot blades?) to an external syslog server relating to the custom ioc feed IOCSs being seen?</P> Mon, 22 Mar 2021 01:48:14 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Exporting-logs-from-custom-threat-intelligence/m-p/114184#M15964 sandman 2021-03-22T01:48:14Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Exporting-logs-from-custom-threat-intelligence/m-p/114186#M15965 <P>You can also define IoCs via the management APIs, which is different than importing them via ioc_feeds.</P> <P>Each indicator should have a unique name associated with it.<BR />Offhand, I don't remember exactly what field it shows up in.<BR /><a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/8166">@TP_Master</a>&nbsp;do you happen to know?</P> <P>I would think you could filter based on that (or at the very least the blades used).</P> Mon, 22 Mar 2021 02:12:10 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Exporting-logs-from-custom-threat-intelligence/m-p/114186#M15965 PhoneBoy 2021-03-22T02:12:10Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Exporting-logs-from-custom-threat-intelligence/m-p/114194#M15967 <P>I have not seen any information regarding custom intel feeds through management API, only ioc_feed in article&nbsp;<SPAN>sk132193. However that being said, I have the feed already ingesting through ioc_feeds and am now looking to report back to a logging server via cp_export_log (<A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk122323" target="_blank">Log Exporter - Check Point Log Export</A>). Really just need any assistance on defining how to filter the cp_export_log to only export on events where an IOC from ioc_feed has been seen. Cheers.</SPAN></P><P>&nbsp;</P> Mon, 22 Mar 2021 05:31:54 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Exporting-logs-from-custom-threat-intelligence/m-p/114194#M15967 sandman 2021-03-22T05:31:54Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Exporting-logs-from-custom-threat-intelligence/m-p/114403#M15997 <P>Hi there&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/7">@PhoneBoy</a>, did you or anyone manage to find out info to be used in "cp_export_log" command&nbsp; to send events relating to and ioc_feeds being seen?</P> Tue, 23 Mar 2021 20:47:52 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Exporting-logs-from-custom-threat-intelligence/m-p/114403#M15997 sandman 2021-03-23T20:47:52Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Exporting-logs-from-custom-threat-intelligence/m-p/114405#M15998 <P>Nothing that specifically covers this.<BR />The approach I would take to find out is to see what log field(s) contain information related to the IoCs (mostly likely the “unique name” of the IoC, as noted in the IoC file).<BR />Then you should be able to filter based on the contents of that field and the blades I mentioned.</P> Tue, 23 Mar 2021 21:16:57 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Exporting-logs-from-custom-threat-intelligence/m-p/114405#M15998 PhoneBoy 2021-03-23T21:16:57Z