AngeloP
Participant

CheckPoint IPS blade logs to Qradar

Hello,


We started sending logs from the Check Point FW to our SIEM, and there seems to be a problem with logs from the IPS Blade, specifically with events prevented by SmartDefense: the logs seem to lack the "Attack Name"/"protection name" field when the action is "Prevent", so we can't see which signature worked. This field seems to be present in logs of events where the action is "Reject" or "Drop", for example.


SmartDefense Unknown:

(redacted) - [action:"Reject"; flags:"409600"; ifdir:"inbound"; ifname:"[..]"; loguid:"[..]"; origin:"[..]"; originsicname:"[..]"; sequencenum:"120"; time:"[..]"; version:"5"; __policy_id_tag:"[..]"; attack:"Microsoft Windows NT Null CIFS Sessions"; attack_info:"Blocked Null CIFS Session attempt"; confidence_level:"4"; dst:"[..]"; industry_reference:"CVE-2000-1200"; performance_impact:"2"; product:"SmartDefense"; protection_id:"asm_cifs_block_null_sessions"; protection_name:"Microsoft Windows NT Null CIFS Sessions"; protection_type:"anomaly"; proto:"6"; rule:"7"; rule_name:"Discovery scan"; rule_uid:"c55f111a-3121-4412-9af7-0b43e99c4807"; s_port:"[..]"; service:"[..]"; severity:"2"; sgm_id:"[..]"; smartdefense_profile:"[..]"; src:"[..]"; sub_policy_name:"[..]"; sub_policy_uid:"[..]"]


SmartDefense Prevent:

(redacted) - [action:"Prevent"; flags:"313600"; ifdir:"outbound"; ifname:"[..]"; loguid:"{[...]"; origin:"[..]"; originsicname:"[...]"; sequencenum:"58"; time:"[..]"; version:"5"; __policy_id_tag:"product=[..]"; dst:"[..]"; log_id:"2"; malware_rule_id:"{710D7BDC-5306-4122-ACAC-B2BAF771A620}"; method:"POST"; policy:"[..]"; policy_time:"[..]"; product:"SmartDefense"; proto:"6"; reject_id_kid:"[..]"; resource:"[..]"; rule_name:"[..]"; rule_uid:"[..]"; s_port:"[..]"; ser_agent_kid:"Other: Hello, World"; service:"80"; session_id:"[..]"; sgm_id:"[..]"; smartdefense_profile:"[..]"; src:"[..]"; layer_uuid:"[..]"; malware_rule_id:"[..]"; smartdefense_profile:"[..]"]


As you can see, in the first case there's a lot more info, like attack, attack_info, protection_name and rule_name. Also, in the first case it is categorized in Qradar as Unknown "SmartDefense Event", while in the second case the event name is "SmartDefense Prevent". Does anyone know what can be done to fix this so that all events from the IPS Blade have protection_name and attack info?


Also, another question: are all events from the IPS Blade SmartDefense events, or should you explicitly include another type of event in the log exporter? It seems to lack some events, while adding some events that are not from the IPS Blade.

3 Replies
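To quantify the gap the post describes before raising it with either vendor, it helps to run the exported records through a small parser and count, per action, how many SmartDefense events arrive without a field naming the protection. The script below is an added example; it is not code from the post, from Check Point or from IBM. It parses the bracketed key:"value"; key:"value" payload shown in the two records above, and the sample records are constructed from those redacted examples, not real events. It assumes (as the post does) that protection_name and attack are the fields that identify the signature; the function and constant names are the example's own.

```python
"""Audit Check Point SmartDefense records for missing signature fields.

Added example, not from the forum post or from Check Point/IBM. It parses the
'[key:"value"; key:"value"; ...]' payload seen in the thread and reports, per
action, how many SmartDefense records lack the fields that name the IPS
protection. The sample records are constructed from the post's redacted
examples and are not real events.
"""
import re
from collections import defaultdict
from typing import Dict, List

# Constructed samples modelled on the two records quoted in the post.
SAMPLE_LOGS: List[str] = [
    '(redacted) - [action:"Reject"; flags:"409600"; ifdir:"inbound"; product:"SmartDefense"; '
    'attack:"Microsoft Windows NT Null CIFS Sessions"; attack_info:"Blocked Null CIFS Session attempt"; '
    'protection_id:"asm_cifs_block_null_sessions"; '
    'protection_name:"Microsoft Windows NT Null CIFS Sessions"; industry_reference:"CVE-2000-1200"; '
    'rule_name:"Discovery scan"; severity:"2"; src:"[..]"; dst:"[..]"]',
    '(redacted) - [action:"Prevent"; flags:"313600"; ifdir:"outbound"; loguid:"{[...]"; '
    'product:"SmartDefense"; method:"POST"; ser_agent_kid:"Other: Hello, World"; service:"80"; '
    'rule_name:"[..]"; smartdefense_profile:"[..]"; src:"[..]"; dst:"[..]"; smartdefense_profile:"[..]"]',
]

# One key:"value" pair. Characters such as ';', ':', '[', ']' or '{' inside the
# quotes are part of the value; only the quotes delimit it.
FIELD_RE = re.compile(r'(\w+):"((?:[^"\\]|\\.)*)"')

# Assumption from the post: these fields identify which IPS protection fired.
SIGNATURE_FIELDS = ("protection_name", "attack")


def parse_checkpoint_record(line: str) -> Dict[str, str]:
    """Return the key/value fields of one record as a dict.

    The payload is taken from the first '[' to the last ']' of the line, so
    values that themselves contain brackets (e.g. ifname:"[..]") are safe.
    Duplicate keys keep the first value; the Prevent record repeats
    smartdefense_profile.
    """
    start = line.find("[")
    end = line.rfind("]")
    if start == -1 or end == -1 or end < start:
        raise ValueError("no bracketed field list in record")
    payload = line[start + 1:end]
    fields: Dict[str, str] = {}
    for key, value in FIELD_RE.findall(payload):
        fields.setdefault(key, value)
    if not fields:
        raise ValueError('bracketed field list contained no key:"value" pairs')
    return fields


def missing_signature_fields(fields: Dict[str, str]) -> List[str]:
    """List the signature-naming fields absent from a parsed record."""
    return [name for name in SIGNATURE_FIELDS if name not in fields]


def summarize(lines: List[str]) -> Dict[str, Dict[str, int]]:
    """Count SmartDefense records per action and how many lack a signature name."""
    counts: Dict[str, Dict[str, int]] = defaultdict(
        lambda: {"total": 0, "missing_signature": 0}
    )
    for line in lines:
        fields = parse_checkpoint_record(line)
        if fields.get("product") != "SmartDefense":
            continue  # only IPS/SmartDefense records are of interest here
        bucket = counts[fields.get("action", "unknown")]
        bucket["total"] += 1
        if missing_signature_fields(fields):
            bucket["missing_signature"] += 1
    return dict(counts)


if __name__ == "__main__":
    for record in SAMPLE_LOGS:
        parsed = parse_checkpoint_record(record)
        print(parsed["action"], "missing:", missing_signature_fields(parsed) or "none")
    print(summarize(SAMPLE_LOGS))
```

Run it against a day's export instead of SAMPLE_LOGS and the per-action table shows whether the missing fields are systematic for "Prevent" (a source-side problem, as the original poster suspects) or confined to particular profiles or rules, which is the evidence a support case needs.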
_Val_
Admin

I am not sure this question belongs here. More likely, you need to check with Qradar about parsing Check Point logs.

AngeloP
Participant

Hi,


Thanks for the reply, but you can't really parse in any SIEM information that isn't there, as in it's not sent by the source device. As you can see, the second log lacks the protection_name and attack_name fields, which are the most important fields really. If the company advertises that its device has IPS capabilities, it should at least generate proper logs for it.

Is there information or a template somewhere on what the logs from the IPS blade should look like? Does anyone have experience with sending logs from Check Point to Qradar? As in, which format is recommended: syslog, LEEF or CEF? Lack of info in the logs is a source device problem, obviously.

Chris_Atkinson
Employee

You never said where the outputs above came from.

Seems like LEEF, according to the Qradar documentation.

https://www.ibm.com/docs/en/qsip/7.4?topic=configuration-check-point#c_dsm_guide_checkpoint_intro

CCSM R77/R80/ELITE