gm446
Contributor

process_name log field

Hello Everyone,

As part of implementing a SIEM solution in our organization, I got a request from the CISO to log from the endpoint which process generates traffic.
I can see in sk144192 that there is a "process_name" field under "Harmony Endpoint - Common Fields".

Unfortunately, I cannot find this field in actual logs for the Firewall, TP, Anti-Malware or Anti-Bot blades. Is there anything specific I should enable for the client to log this information?

Best Regards,
Yossi.

11 Replies
the_rock
Legend

Hey Yossi,

Let me check this in the lab later.

Best,

Andy

the_rock
Legend

Sorry, just working on some Azure stuff now, but have you tried the query below to see if it yields anything?

Andy

blade:"Endpoint Compliance"

gm446
Contributor

This query works of course, but I cannot see how it is related to my issue 🙂

Thank you.

the_rock
Legend

No no, I get that, I was just curious if it worked or not. I will check again in a bit, but you may want to open the support case in the meantime to confirm.

Andy

PhoneBoy
Admin

process_name refers to the (potentially) malicious process that is being blocked, not the blade that blocked it.
Based on this SK, it would seem we don't log which blade is responsible for the block, though it can be inferred from the other fields included.

gm446
Contributor

Hi PhoneBoy,

This is exactly the information I need: the process that made the traffic and is being blocked/allowed.

Best Regards,
Yossi.

the_rock
Legend

Did you end up opening a TAC case to see if you can verify that info, if it's possible?

Best,

Andy

PhoneBoy
Admin

The only place it would show...when it is relevant...is in the full log card.
In any case, you may need to consult with TAC here: https://help.checkpoint.com

gm446
Contributor

Thank you all, I opened a ticket and am waiting for an answer.

the_rock
Legend

Let us know what they say.

Best,

Andy

gm446
Contributor

After TAC investigation, my request is not possible, so we achieve these logs through Sysmon.

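The thread ends with the Sysmon workaround: on Windows, Sysmon Event ID 3 (NetworkConnect) records the image path, user, PID and the source/destination tuple of every outbound connection, which is exactly the "which process generated this traffic" question the CISO asked. The script below is an added example, not code from the thread or from Check Point, showing how a SIEM ingestion step can map a Sysmon Event ID 3 record (exported from the Windows event log in its standard XML form) onto the kind of flat fields the original poster wanted (a process_name field next to the connection 4-tuple). The event content is constructed sample data; the output field names are an assumption chosen to resemble the Check Point log fields discussed above, not an official mapping.

```python
"""Map Sysmon Event ID 3 (NetworkConnect) records onto flat SIEM fields.

Added example for this thread; the sample events below are constructed,
not real exports. Field names on the output side are an assumption that
mimics the process_name / src / dst style of Check Point log cards.
"""
import json
import xml.etree.ElementTree as ET

# Windows event log exports carry this namespace on every <Event> element.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample: one Sysmon NetworkConnect event (Event ID 3).
SAMPLE_NETWORK_CONNECT = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Sysmon"/>
    <EventID>3</EventID>
    <TimeCreated SystemTime="2024-01-01T10:00:00.000Z"/>
    <Computer>WS-EXAMPLE</Computer>
  </System>
  <EventData>
    <Data Name="UtcTime">2024-01-01 10:00:00.000</Data>
    <Data Name="ProcessId">4321</Data>
    <Data Name="Image">C:\\Program Files\\Example\\example.exe</Data>
    <Data Name="User">EXAMPLE\\yossi</Data>
    <Data Name="Protocol">tcp</Data>
    <Data Name="Initiated">true</Data>
    <Data Name="SourceIp">10.0.0.5</Data>
    <Data Name="SourcePort">51234</Data>
    <Data Name="DestinationIp">203.0.113.10</Data>
    <Data Name="DestinationPort">443</Data>
  </EventData>
</Event>"""

# Constructed sample of a different Sysmon event type (ID 1, ProcessCreate),
# used to show that the mapper only accepts network-connection records.
SAMPLE_OTHER_EVENT = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Sysmon"/>
    <EventID>1</EventID>
    <TimeCreated SystemTime="2024-01-01T09:59:58.000Z"/>
    <Computer>WS-EXAMPLE</Computer>
  </System>
  <EventData>
    <Data Name="Image">C:\\Program Files\\Example\\example.exe</Data>
  </EventData>
</Event>"""


def _event_data(root):
    """Collect the <Data Name="..."> children of <EventData> into a dict."""
    return {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}


def parse_network_connect(xml_text):
    """Return a flat dict for a Sysmon Event ID 3 record, or None for any other event."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "3":
        return None
    data = _event_data(root)
    image = data.get("Image", "")
    return {
        "time": root.find("e:System/e:TimeCreated", NS).get("SystemTime"),
        "host": root.findtext("e:System/e:Computer", namespaces=NS),
        # Short name the way an analyst searches for it, plus the full path.
        "process_name": image.rsplit("\\", 1)[-1],
        "process_path": image,
        "pid": int(data.get("ProcessId", "0")),
        "user": data.get("User"),
        "proto": data.get("Protocol"),
        "initiated": data.get("Initiated") == "true",
        "src": data.get("SourceIp"),
        "s_port": int(data.get("SourcePort", "0")),
        "dst": data.get("DestinationIp"),
        "service": int(data.get("DestinationPort", "0")),
    }


def map_events(xml_events):
    """Map a batch of exported events, silently dropping non-network records."""
    mapped = (parse_network_connect(x) for x in xml_events)
    return [m for m in mapped if m is not None]


if __name__ == "__main__":
    for record in map_events([SAMPLE_OTHER_EVENT, SAMPLE_NETWORK_CONNECT]):
        print(json.dumps(record, indent=2))
```

Because Sysmon's `Image` is the full executable path, the mapper keeps both the path and a short `process_name`, which lets the SIEM correlate on the name while still distinguishing a binary run from an unusual directory. Only events the host itself initiated (`Initiated` true) represent the "process generating traffic" case; inbound accepts are kept as well but flagged, so the SIEM rule can filter on that field.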