This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
leonarit
Contributor
‎2023-09-25 09:33 AM
Jump to solution

Custom report from specific traffic logs

I would like your help to help me finding the best solution for following use case.

I need to be able to generate a view/report whenever certain traffic is detected in the logs that contains traffic from/to a specific list of IPs, this IP list is dynamically updated.

My first approach was using an external list (Generic Data Center Object/External Lists(R81.20)) + Access rule to match the relevant traffic and use the Rule UUID to create and event with SmartEvent and with this I was able to create Views/Reports based on the correlated events, but unfortunately, I’m not allowed to change the rule base(Add/Modify Access rules), so I can only work with the current rules and available logs. I could try to create a custom event in SmartvEent with the IPs from the Dynamic IP List, but I don’t have any automated option to automatically updated the feed of IPs for the custom event, afaik SmartEvent doesn’t have an API.

The next approach was trying to use the IOC Feeds with the AV/AB blades, but this only matches some traffic(HTTP,SMB,FTP), ICMP traffic or other ports don’t get matched by this method.

Another approach that I’m thinking of, is trying to use the mgmt API(show logs) and try to create some sort of script that could make a custom query based on the dynamic IP list and then export the results in a “nice view” to email or other transport.

Does anyone know some “elegant” idea to accomplish this using only Checkpoint GUI methods(SmartEvent(Views/Reports) or other)?

Regards.

0 Kudos
1 Solution

Accepted Solutions
leonarit
Contributor
‎2023-10-27 02:31 AM
Jump to solution

I would like to correct my initial post, I guess I was wrong about the IOC Feeds, I've done some additional tests and the Anti-Virus Blade was able to do dns, ip and domain reputation checks based on the IOC feeds for all traffic and now I'm able to generate the reports based on this events.

View solution in original post

0 Kudos
7 Replies
PhoneBoy
Admin
Admin
‎2023-09-25 10:41 AM
Jump to solution

SmartEvent currently does not have an API.
But...couldn't you create an object based on that dynamic IP list and (always) use that object in SmartEvent?

leonarit
Contributor
‎2023-09-25 11:56 AM
In response to PhoneBoy
Jump to solution

Thanks for the tip, I've already tried that but SmartEvent only supports/syncs "static" object types.

I've also reviewed all the JHF from R81.10 and R81.20 and doesn't seem that SmartEvent will support dynamic objects.

0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2023-09-25 12:01 PM
In response to leonarit
Jump to solution

You are right, I even created dedicated SE server R81.20 in the lab and does not support dynamic objects.

Andy

Best,
Andy
"Have a great day and if its not, change it"
leonarit
Contributor
‎2023-09-25 12:04 PM
In response to the_rock
Jump to solution

Thanks for the effort/help!

0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2023-09-25 12:07 PM
In response to leonarit
Jump to solution

You are welcome...it even had latest jumbo, but no difference

[Expert@SMART-EVENT-SERVER:0]# cpinfo -y fw1

This is Check Point CPinfo Build 914000234 for GAIA
[FW1]
HOTFIX_NGM_DOCTOR_AUTOUPDATE
HOTFIX_R81_20_JUMBO_HF_MAIN Take: 26
HOTFIX_PUBLIC_CLOUD_CA_BUNDLE_AUTOUPDATE

FW1 build number:
This is Check Point Security Management Server R81.20 - Build 005
This is Check Point's software version R81.20 - Build 012

[Expert@SMART-EVENT-SERVER:0]#

 

Please select the installation you would like to update
1) SmartReporter. (disabled, select to enable)
2) SmartEvent Server. (enabled, select to disable)
3) SmartEvent Correlation Unit. (enabled, select to disable)
4) SmartEvent Intro. (disabled, select to enable)
5) SmartEvent Intro Correlation Unit. (enabled, select to disable)

6) Save and exit.
7) Exit without saving.

 

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
PhoneBoy
Admin
Admin
‎2023-09-25 02:16 PM
In response to leonarit
Jump to solution

You would have to create a static object based on the dynamic list, yes.
Dynamic objects are not resolved on management (where SmartEvent runs).

0 Kudos
leonarit
Contributor
‎2023-10-27 02:31 AM
Jump to solution

I would like to correct my initial post, I guess I was wrong about the IOC Feeds, I've done some additional tests and the Anti-Virus Blade was able to do dns, ip and domain reputation checks based on the IOC feeds for all traffic and now I'm able to generate the reports based on this events.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events