topic New Splunk App for Check Point Logs in Firewall and Security Management

New Splunk App for Check Point Logs

Dan_Zada — Tue, 22 Jun 2021 21:02:56 GMT

Hello all,

I’m happy to announce about a new Splunk app for Check Point logs.

Check Point brings you an advanced and real-time threat analysis and reporting tool for Splunk. The Check Point App for Splunk allows you to respond to security risks immediately and gain network true insights.

You can collect and analyze millions of logs from all Check Point technologies and platforms across networks, Cloud, Endpoints and Mobile.

(view in My Videos)

Key features are:

Infinity Dashboards
- General overview
- Top attacks
- Detected and prevented events
- Events timeline
- Blades statistics
Cyber Attack View – a unique ability to aggregate Check Point events per attack vector (cross all blades)
- Reconnaissance actions against the network
- Delivery methods
- Malicious emails
- Malicious file download
- Server Exploit
- Infected hosts
SandBlast Events – predefined aggregation for mail and web attack vectors
CIM Support – Check Point logs are mapped into CIM (Common Information Model) and can be analyzed using standard dashboards (such as Splunk Enterprise Security)
More information on CIM can be found here: https://docs.splunk.com/Documentation/CIM/4.12.0/User/Overview
Fast Deploy – an easy and fast deployment using the new Log Exporter

The app can be downloaded from Splunk base: Check Point App for Splunk | Splunkbase

User Guide – https://sc1.checkpoint.com/documents/App_for_Splunk/html_frameset.htm
SK about the Log Exporter – http://supportcontent.checkpoint.com/solutions?id=sk122323

For any question, comment or suggestion, please contact cp_splunk_app_support@checkpoint.com.

Thank you!

Dan Zada, Group Manager.

Re: New Splunk App for Check Point Logs

Jack_Shultz — Tue, 13 Nov 2018 19:33:38 GMT

Do we have to use the new Log Exporter to take full advantage of the new Splunk App?

Re: New Splunk App for Check Point Logs

Dan_Zada — Wed, 14 Nov 2018 07:19:42 GMT

Yes, you have to use the new log exporter.

Re: New Splunk App for Check Point Logs

D_W — Wed, 14 Nov 2018 19:58:39 GMT

Can I not use SmartReport to generate such kind of Views/Reports? I do not get the point why to use splunk? Maybe you can explain more specific

Re: New Splunk App for Check Point Logs

Dan_Zada — Thu, 15 Nov 2018 06:57:54 GMT

SmartEvent has most of those views out of the box.

Many customers are using Splunk as another place to keep logs related to ALL security and IT vendors. This is why we created this integration and allowed our customers to export the logs using the log exporter to any SIEM vendor.

Re: New Splunk App for Check Point Logs

Yemi_Awojide — Thu, 15 Nov 2018 14:36:09 GMT

I have a few questions:

1. Is Splunk multivendor compatible

2. Do it require additional license to run Splunk App?

3. Can it also be used to pull out health check reports on physical & virtual firewalls/VPNs? (CPU, Memory Utilization, disk space, traffic volume and availability etc)

Re: New Splunk App for Check Point Logs

Nüüül — Thu, 15 Nov 2018 17:21:58 GMT

Awesome! Thanks for sharing!

Re: New Splunk App for Check Point Logs

DeletedUser — Fri, 16 Nov 2018 18:05:00 GMT

and a Log Exporter version that supports the new "splunk" format and sending logs in semi-unified mode.

R80.20 Jumbo Take 5 or higher, (sk137592)
R80.10 Jumbo Take 56 or higher, (sk116380)
R77.30 Jumbo Take 292 or higher, (sk106162)

Re: New Splunk App for Check Point Logs

Dan_Zada — Sun, 18 Nov 2018 07:47:24 GMT

1. Our Splunk app is working on top of Check Point logs.

2. Not that I know of.

3. No, you can only pull logs

Re: New Splunk App for Check Point Logs

c9a127e7-d053-3 — Wed, 05 Dec 2018 05:12:35 GMT

We've been using the Log Exporter for a few months now. The Checkpoint logs are getting forwarded to a central syslog sever (rsyslog) and then forwarded to splunk (also via syslog). We've written a custom Splunk checkpoint app to split the fields and using the QOS Dashboards for some nice graphs.

When reading the instructions for the Checkpoint App for Splunk, it mentions using a "splunk" format (which I don't think got mentioned in the original Log Exporter article):

cp_log_export add name my_exporter target-server 192.168.1.1 target-port 12001 protocol tcp format splunk read-mode semi-unified

My questions are:

Can we still use the central syslog server as an intermediate step before shipping the logs to Splunk using the "splunk" format?
Does the Check Point 'cache' the logs if there is a network or splunk server issue?
Is there any loss in functionality if we can use the syslog as an intermediate step?
How does the 'splunk' format differ from the 'syslog' format?

Re: New Splunk App for Check Point Logs

Shay_Hibah — Wed, 19 Dec 2018 15:22:31 GMT

Hi,

Regarding your questions:

Yes, you can still use your central syslog server before shipping these logs to your Splunk server.
Make sure to choose format 'splunk' when exporting the logs out from your MGMT / Log Server.
In case of network issue, Log Exporter knows to deal with caching the logs. When the connection is available again, the logs will be sent.
No.
When choosing splunk as format in Log Exporter configuration, the logs will be sent in the format that our new application knows how to parse the data correctly. the format contains dedicated header, delimiters and etc.
Therefore, when working with our new app, the format must be splunk in order to get the data correctly into Splunk server.

Re: New Splunk App for Check Point Logs

Rudy_Hodges — Mon, 04 Mar 2019 03:57:22 GMT

Hi,

Has there been an RFE raised to export pcap files (packet capture) via Log Exporter to SIEMs - in my case Splunk?

I am referring to Packet Capture for Certain Protections in the IPS has been enabled.

Re: New Splunk App for Check Point Logs

Dan_Zada — Mon, 04 Mar 2019 07:55:58 GMT

Hi,

Yes, we have RFE for that and it will be released later this year.

We are going to implement that using management APIs, meaning the exporter will add additional field representing the blob ID, to every log. Using the management API you will be able to get the blob.

Stay tuned for more updates in SK122323.

Re: New Splunk App for Check Point Logs

Chris_Phillips — Thu, 21 Mar 2019 10:44:05 GMT

Will this also capture and report on Audit events like who created/deleted/modified what and who logged in etc?

Re: New Splunk App for Check Point Logs

DeletedUser — Fri, 22 Mar 2019 22:31:58 GMT

yes, answered earlier on CheckMates... in the targetconfiguration.xml file, there is a parameter called log_types like this:

<log_types></log_types>

The default is for both security logs and audit logs to be sent, but you can change this to only send one or the other.

Re: New Splunk App for Check Point Logs

et_splunker — Wed, 03 Jul 2019 15:33:02 GMT

Question on #3 - I am trying to pull health status related logs to Splunk. How do I do that?

Re: New Splunk App for Check Point Logs

Josh_Dillig — Fri, 13 Dec 2019 14:59:48 GMT

Are there plans to release a Splunk dashboard that would allow us to mimic SmartConsole's Log section? The Dashboard announced here is a good overview from Threat, but its not a good replacement for SmartConsole. We'd like something that we can search by IP and have them displayed in a useful manner.

Also in our environment we have found that sending the logs via method TCP creates problems (even after changing the thread count from the default of 12 to just 1) and have resorted to UDP only.

Re: New Splunk App for Check Point Logs

Dror_Aharony — Sun, 15 Dec 2019 09:27:11 GMT

I'm curious on the TCP problems:

Do you mean performance issues? Please elaborate on any log-exporter TCP related issues you had.

Re: New Splunk App for Check Point Logs

Josh_Dillig — Mon, 16 Dec 2019 18:32:52 GMT

We would see only 1 or 2 of the 12 threads establishing TCP sockets. We did have some CLMs that would complete all 12 sockets, but in general it was unstable. We never was able to determine conclusively that it was on the MLM side instead of the Splunk side. There is a TAC case opened (6-0001798729) on it along with a CFG task. There is a tcpdump in the SR, we saw SYN-ACKs coming back but never being ACK'd.

Re: New Splunk App for Check Point Logs

Datarockz — Fri, 10 Jan 2020 12:16:38 GMT

Hello everyone,

according to Splunkbase the app only supports Splunk 7.2.

Has anyone tried it out on 7.3+? Are there any known issues? Is an update planned to support the most current Splunk versions?

Cheers

topic *New* Splunk App for Check Point Logs in Firewall and Security Management

*New* Splunk App for Check Point Logs

Re: *New* Splunk App for Check Point Logs

Re: *New* Splunk App for Check Point Logs

Re: *New* Splunk App for Check Point Logs

Re: *New* Splunk App for Check Point Logs

Re: *New* Splunk App for Check Point Logs

Re: *New* Splunk App for Check Point Logs

Re: *New* Splunk App for Check Point Logs

Re: *New* Splunk App for Check Point Logs

Re: *New* Splunk App for Check Point Logs

Re: *New* Splunk App for Check Point Logs

Re: *New* Splunk App for Check Point Logs

Re: *New* Splunk App for Check Point Logs

Re: *New* Splunk App for Check Point Logs

Re: *New* Splunk App for Check Point Logs

Re: *New* Splunk App for Check Point Logs

Re: *New* Splunk App for Check Point Logs

Re: *New* Splunk App for Check Point Logs

Re: *New* Splunk App for Check Point Logs

Re: *New* Splunk App for Check Point Logs

topic New Splunk App for Check Point Logs in Firewall and Security Management

New Splunk App for Check Point Logs

Re: New Splunk App for Check Point Logs

Re: New Splunk App for Check Point Logs

Re: New Splunk App for Check Point Logs

Re: New Splunk App for Check Point Logs

Re: New Splunk App for Check Point Logs

Re: New Splunk App for Check Point Logs

Re: New Splunk App for Check Point Logs

Re: New Splunk App for Check Point Logs

Re: New Splunk App for Check Point Logs

Re: New Splunk App for Check Point Logs

Re: New Splunk App for Check Point Logs

Re: New Splunk App for Check Point Logs

Re: New Splunk App for Check Point Logs

Re: New Splunk App for Check Point Logs

Re: New Splunk App for Check Point Logs

Re: New Splunk App for Check Point Logs

Re: New Splunk App for Check Point Logs

Re: New Splunk App for Check Point Logs

Re: New Splunk App for Check Point Logs