topic Re: Cef forwarding missing IPS fields in Firewall and Security Management

Cef forwarding missing IPS fields

lmediavilla — Sat, 02 Mar 2024 19:10:16 GMT

Hello,

I have an MDS setup with and MLM applicance. I have a problem in the IPs logs when I forward them using CEF format.
I have the standard file "CefFieldsMapping.xml" under "/opt/CPrt-R81.10/log_exporter/conf"

When I get an event that shows on Sentinel with DeviceProduct as SmartDefense and DeviceEventClassID as IPS I don't get any information from Forensics detail or Advanced Forensics detail.

I get other fields like the Ip addresses CVE action source system... but no forensic information.

Is there a possibility to forward that missing part of the logs?

Kind regards.

Re: Cef forwarding missing IPS fields

Amir_Senn — Tue, 05 Mar 2024 09:01:26 GMT

Thoughts and questions:

a. Same results for raw and semi-unified?

b. Other formats work well or you haven't tried?

c. Mostly under forensics we have pcap and sometimes other information changing from protection to protection. For pcap we have a special flag that adds link to open pcap via SmartView. You can find it and other optional flag in Log Exporter SK under Advanced Deployment - Additional Commands - Parameters.

Hope this at least help in some part.

Re: Cef forwarding missing IPS fields

lmediavilla — Mon, 11 Mar 2024 14:30:52 GMT

Hello,

same result changing emi-unified to raw format

same result in syslog format.

The IPS does not have the forensic fields and the action.

I can add the link to the smartview but that is not what I want. I want the log exported so another tool can check it automatically.

Kind regards.