topic Re: [Smart-1 Cloud] - Log and Event Configuration for SIEM in Firewall and Security Management

[Smart-1 Cloud] - Log and Event Configuration for SIEM

lucasfn — Mon, 10 Nov 2025 13:02:14 GMT

Hello community,

I would like to know if it's possible to make changes to what can be sent to a SIEM server, similar to what is done in LogExporter, but using Smart-1 Cloud.

Re: [Smart-1 Cloud] - Log and Event Configuration for SIEM

PhoneBoy — Tue, 11 Nov 2025 01:38:01 GMT

As I recall, you have to modify some .xml and/or config files.
That would have to be handled by TAC.

Re: [Smart-1 Cloud] - Log and Event Configuration for SIEM

the_rock — Tue, 11 Nov 2025 01:51:49 GMT

You can set it up from S1C portal. Will verify tomorrow and update you.

Re: [Smart-1 Cloud] - Log and Event Configuration for SIEM

lucasfn — Tue, 11 Nov 2025 13:28:00 GMT

Hi the_rock

Thank you for your support. I wanted to see if this is possible because I want to improve the volume of events that the SIEM is receiving. I've only seen this in an on-premise management system, but I've never done it in the smart-1 cloud.

Re: [Smart-1 Cloud] - Log and Event Configuration for SIEM

the_rock — Tue, 11 Nov 2025 13:29:35 GMT

Sorry mate, forgot to take a screenshot, give me 10-15 mins, will check it and update you.

Re: [Smart-1 Cloud] - Log and Event Configuration for SIEM

the_rock — Tue, 11 Nov 2025 13:35:33 GMT

Here it is.

Re: [Smart-1 Cloud] - Log and Event Configuration for SIEM

lucasfn — Tue, 11 Nov 2025 13:46:44 GMT

the_rock, I really appreciate your help.

But what I really need is to configure what should be sent.

For example:

The SIEM is receiving these columns: origin, destination, port, blade, action, date and time.

I want to edit and send only the columns: origin, port, date and time.

In LogExporter I know we can edit a file (.xml), it has some limitations, but I know it's possible and I also wanted to know if this is possible in Smart-1 Cloud.

I apologize if I wasn't clear before.

I'll leave the link to the configuration I want to make, comparing it with LogExporter:

https://sc1.checkpoint.com/documents/Log_Exporter/EN/Content/Topics/Filter-Configuration.htm

Re: [Smart-1 Cloud] - Log and Event Configuration for SIEM

the_rock — Tue, 11 Nov 2025 13:50:21 GMT

K, got it! Then @PhoneBoy was correct. Ask TAC once you open the case to check below file on backend and modify whats needed:

[Expert@CPHQVMFWMGT01:0]#

[Expert@CPHQVMFWMGT01:0]# cd /opt/CPrt-R81.20/log_exporter/targets/

[Expert@CPHQVMFWMGT01:0]# ls

CheckPointLogs

[Expert@CPHQVMFWMGT01:0]# cd CheckPointLogs/

[Expert@CPHQVMFWMGT01:0]# vi targetConfiguration.xml

Re: [Smart-1 Cloud] - Log and Event Configuration for SIEM

the_rock — Tue, 11 Nov 2025 13:51:36 GMT

@lucasfn

Example from my lab:

[Expert@CP-MANAGEMENT:0]# find / -name targetConfiguration.xml
/opt/CPrt-R82/log_exporter/targets/test-log/targetConfiguration.xml
/opt/CPrt-R82/log_exporter/targets/SentinelOne-XDR/targetConfiguration.xml
[Expert@CP-MANAGEMENT:0]#

Re: [Smart-1 Cloud] - Log and Event Configuration for SIEM

the_rock — Wed, 12 Nov 2025 01:16:06 GMT

Hey mate,

Let me know what fields you need changed and I can verify in my lab for you.

Re: [Smart-1 Cloud] - Log and Event Configuration for SIEM

lucasfn — Wed, 12 Nov 2025 14:17:01 GMT

Hi the_rock,

Well, I'm still coordinating with the SIEM team on what they need from their side. But this is the information they've given me so far.

Header{
    CEF:0| - log type - necessary
    Check Point| - Vendor - necessary
    VPN-1 & FireWall-1| - Product - necessary
    Check Point| - manufacturer - necessary
    Accept| - action - necessary
    https| - protocol - necessary
    Unknown| - accountname - não mencionado nos casos de uso, but it may be linked to cases of account manipulation and/or modification of rules or policies.
}

Body{
act=Accept - action - necessary
deviceDirection=0 - unknown - not mentioned in the use cases
rt=1762518075000 - timestamp - necessary
spt=30071 - necessary
dpt=443 - necessary
cs2Label=Rule Name - necessary
cs2=Implied Rule - necessary
layer_name=Policy_XX Network - necessary
layer_uuid=32e912aa-dd67-4ba5-ad4e-2f122c69d987 - necessary
match_id=0 - unknown - not mentioned in the use cases
parent_rule=0 - unknown - not mentioned in the use cases
rule_action=Accept - necessary
rule_uid=0E3B6801-8AB0-4b1e-A317-8BE33055FB43 - necessary
ifname=DMZ - necessary
logid=0 - unknown - not mentioned in the use cases
loguid={0x462342d,0x62ac842e,0xbc016d08,0xb5efa7c3}
origin=x.x.x.x - necessary
originsicname=CN\=FW-XX-1600,O\=Management_Service..cnupe4 - hostname and host domain - necessary
sequencenum=98 - unknown - not mentioned in the use cases
version=5 - unknown - not mentioned in the use cases
dst=x.x.x.x - necessary
inzone=External - necessary
outzone=Local - necessary
product=VPN-1 & FireWall-1 - necessary
proto=6 - unknown - not mentioned in the use cases
service_id=https - necessary
src=x.x.x.x - necessary
}

Re: [Smart-1 Cloud] - Log and Event Configuration for SIEM

the_rock — Wed, 12 Nov 2025 14:25:53 GMT

Here is what it looks like in my lab:

[Expert@CP-MANAGEMENT:0]# more /opt/CPrt-R82/log_exporter/targets/SentinelOne-XDR/targetConfiguration.xml
<?xml version="1.0" encoding="utf-8"?>
<export id="targetObjectUID">
<version>9</version> 
<is_enabled>true</is_enabled>

<destination type="syslog"> 
<ip>172.16.10.108</ip>
<port>8002</port>
<protocol>udp</protocol>
<local_addr_ip></local_addr_ip>

<transport>
<security></security>

<pem_ca_file></pem_ca_file>
<p12_certificate_file></p12_certificate_file>
<client_certificate_challenge_phrase></client_certificate_challenge_phrase>
</transport>
<reconnect_interval></reconnect_interval>
</destination>

<data_enrichment>
<export_domain>false</export_domain>
<export_orig_log_server>false</export_orig_log_server>
</data_enrichment>

<dynamicFilter>conf/FilterConfiguration.xml</dynamicFilter>

<source>
<log_files>1</log_files>
<log_types></log_types>
<folder></folder>
<read_mode>semi-unified</read_mode>
</source>
<export_log_position>false</export_log_position> 
<export_log_link>false</export_log_link> 
<export_attachment_link>false</export_attachment_link> 
<export_link_ip></export_link_ip> 
<export_attachment_ids>false</export_attachment_ids> 

<format type="syslog"> 
<resolver>
<mappingConfiguration></mappingConfiguration>
<exportAllFields>true</exportAllFields> 
</resolver>

<formatHeaderFile></formatHeaderFile>
</format>

<time_in_milli>false</time_in_milli>

<skip_failed_logs>false</skip_failed_logs>

<filter filter_out_by_connection="false">
<field name="product">
<value>VPN-1 & FireWall-1</value>
<value>HTTPS Inspection</value>
<value>VPN-1</value>
<value>Security Gateway/Management</value>
<value>Firewall</value>
<value>FG</value>
</field>
<field name="fw_subproduct">
<value>VPN-1 & FireWall-1</value>
<value>HTTPS Inspection</value>
<value>VPN-1</value>
<value>Security Gateway/Management</value>
<value>Firewall</value>
<value>FG</value>
</field>
</filter>

</export>

[Expert@CP-MANAGEMENT:0]#

Re: [Smart-1 Cloud] - Log and Event Configuration for SIEM

lucasfn — Wed, 12 Nov 2025 15:10:18 GMT

Is this the default result, or did you apply any filters to what should be sent? If not, can we modify this file without causing any errors in sending it to the SIEM?

I remember reading in LogExporter that it has some limitations for certain filters. I wanted to know if you applied any, and if so, did you follow any documentation?

Re: [Smart-1 Cloud] - Log and Event Configuration for SIEM

the_rock — Wed, 12 Nov 2025 15:13:07 GMT

It is something my colleague configured in the lab, but it was not changed afterwards. This is what it looks like from smart console.

Re: [Smart-1 Cloud] - Log and Event Configuration for SIEM

lucasfn — Wed, 12 Nov 2025 15:20:56 GMT

Interesting.

I didn't know it was possible to access the Smart-1 Cloud through the Smart Console. This is my first time experiencing this, and it has raised some questions.

If this is possible, I believe the logic for using LogExporter is the same for cloud management. But I confess that without documentation or a direct confirmation from Check Point, I'm hesitant to perform these configurations on a Smart-1.

Re: [Smart-1 Cloud] - Log and Event Configuration for SIEM

the_rock — Wed, 12 Nov 2025 15:34:02 GMT

No worries my friend, I was new to S1C back in 2019, now I feel Im an expert lol. Here is the guide:

https://sc1.checkpoint.com/documents/Infinity_Portal/WebAdminGuides/EN/Check-Point-SmartCloud-Admin-Guide/Topics-Smart-1-Cloud/Overview.htm

Re: [Smart-1 Cloud] - Log and Event Configuration for SIEM

the_rock — Wed, 12 Nov 2025 17:48:11 GMT

Please refer to below, mate. Its pretty straight forward and easy to set up...well, as they say, everything in life is easy when you know it : - )

Anyway, message me directly if you need help.

Re: [Smart-1 Cloud] - Log and Event Configuration for SIEM

lucasfn — Wed, 12 Nov 2025 18:24:38 GMT

Thank you very much for your help, the_rock. I've been working with Check Point for 4 years, but I'd never accessed a Smart-1 before.

Since you posted both sides of the issue, it raised another question for me.

If I configure something through the Smart-1 Cloud via the web using the forward to SIEM option and apply it, will that same configuration be visible through the Smart Console?

Re: [Smart-1 Cloud] - Log and Event Configuration for SIEM

the_rock — Wed, 12 Nov 2025 18:28:23 GMT

Yea, 100%. Just remember, the ONLY thing you cant access when it comes to S1C is ssh, which is only available to TAC, but lets be honest, you literally never need that anyway. For what is worth, I always bring up same argument to people thinking about getting smart-1 cloud...say someone inadvertently makes a change on onprem mgmt they are not supposed to, well, if device is few hours away and no one on site, wont be fun day/night for anyone. With cloud, thats never a concern, as you can log in from any computer in the world with Internet access and revert any changes. Plus, CP maintains the software updates and backups are also always there, so it truly gives you piece of mind.

Re: [Smart-1 Cloud] - Log and Event Configuration for SIEM

lucasfn — Wed, 12 Nov 2025 18:33:30 GMT

So all the tests you were running weren't directly from an SSH connection to the Smart-1?

Because I was hoping I could access the expert mode of that Smart-1 and edit the file to perform the filtering of the columns that my SIEM team wants to receive.