This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
gm446
Contributor
‎2024-02-05 02:34 AM

process_name log field

Hello Everyone,

As part of implementing SIEM solution in our organization i got a request from the CISO to log from the endpoint what process generates traffic.
i can see in sk144192 that there is a "process_name" field under "Harmony Endpoint - Common Fields".

unfortunately, i cannot find this field in actual logs for firewall, TP, Anti-Malware or Anti-Bot blades. is there anything specific i should enable for the client to log this information?

Best Regards,
Yossi.

0 Kudos
11 Replies
the_rock
MVP Platinum
MVP Platinum
‎2024-02-05 04:07 AM

Hey Yossi,

Let me check this in the lab later.

Best,

Andy

Best,
Andy
the_rock
MVP Platinum
MVP Platinum
‎2024-02-05 05:41 AM

Sorry, just working on some Azure stuff now, but have you tried below query to see if it yields anything?

Andy

blade:"Endpoint Compliance"

Best,
Andy
0 Kudos
gm446
Contributor
‎2024-02-05 05:47 AM
In response to the_rock

this query is works of course, but i cannot see how it is related to my issue 🙂

Thank you.

 

0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2024-02-05 05:52 AM
In response to gm446

No no, I get that, I was just curious if it worked or not. I will check again in a bit, but you may want to open the support case in the meantime to confirm.

Andy

Best,
Andy
0 Kudos
PhoneBoy
Admin
Admin
‎2024-02-05 01:25 PM

process_name refers to the (potentially) malicious process that is being blocked, not the blade that blocked it.
Based on this SK, it would seem we don't log which blade is responsible for the block, though it can be inferred from the other fields included.

0 Kudos
gm446
Contributor
‎2024-02-05 11:58 PM
In response to PhoneBoy

Hi PhoneBoy,

this is exactly the information i need, the process who is made the traffic and being blocked/allow.

Best Regards,
Yossi.

the_rock
MVP Platinum
MVP Platinum
‎2024-02-06 04:04 AM
In response to gm446

Did you end up opening TAC case to see if you can verify that info, if its possible?

Best,

Andy

Best,
Andy
PhoneBoy
Admin
Admin
‎2024-02-06 11:16 AM
In response to gm446

The only place it would show...when it is relevant...is in the full log card.
In any case, you may need to consult with TAC here: https://help.checkpoint.com 

gm446
Contributor
‎2024-02-07 03:12 AM
In response to PhoneBoy

Thank you all, i opened a ticket and wait for an answer.

 

0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2024-02-07 04:22 AM
In response to gm446

Let us know what they say.

Best,

Andy

Best,
Andy
0 Kudos
gm446
Contributor
‎2024-04-03 03:51 AM
In response to the_rock

After TAC investigation my request is not possible. so we achieve this logs through Sysmon.

 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events