loeunsokoeun
Explorer

Suspecting Checkpoint Smart Console forward duplicate log to SIEM

Dear Sir/madam,


We suspect Smart Console forwards duplicate Check Point logs to the SIEM, making SIEM rules fire offenses for events that are not supposed to be detected. Has anyone ever faced this issue?

These 2 SmartDefense logs lead the SIEM to have 2 duplicate event names with different actions (one is prevented, and the other is N/A):

LEEF:2.0|Check Point|SmartDefense|1.0|Prevent|devTime=1692599762
LEEF:2.0|Check Point|SmartDefense|1.0|Check Point Log|devTime=1692599762


Warm regards,

Sokoeun

0 Kudos
9 Replies
PhoneBoy
Admin

The only "duplicate" logs we should send are for accounting logs, and they occur every 10 minutes until the connection is closed.
Otherwise, we should not send duplicate logs.
Have you correlated this with the actual logs in SmartView? 

0 Kudos
loeunsokoeun
Explorer

On SmartView I can see there is only one log for the same period of time, but on SIEM there are 3 logs.

0 Kudos
PhoneBoy
Admin

Can you provide a screenshot of the relevant log card (with sensitive details redacted)?
Depending on what the log is, it may very well be expected behavior, especially if the log you're seeing is correlated.

0 Kudos
loeunsokoeun
Explorer

Hello @PhoneBoy, please kindly check the attached screenshots. This is an example of a SmartDefense log. On the SIEM they have the same category and event ID, and there are other log types that we are seeing duplicated on our SIEM too.


0 Kudos
G_W_Albrecht
Legend

Forwarding to SIEM is done by the SMS/Log server, not Smart Console. I see one event as Prevent and the other as Log. What does SmartLog show? How to select what is exported to SIEM is explained in https://support.checkpoint.com/results/sk/sk122323

CCSE CCTE CCSM SMB Specialist
0 Kudos
loeunsokoeun
Explorer

On SmartView I can see there is only one log for the same period of time, but on SIEM there are 3 logs.


0 Kudos
Lloyd_Braun
Collaborator

Verify that you have your cp_log_export read-mode config set to semi-unified. Though with that enabled we still get some 'parts' of log cards that come through as different events at the SIEM.

There is a pretty good explanation in the R81 Log Exporter documentation for the loguid log field:

Log Unification ID.
Some Check Point logs are updated over time.
Updated logs have the same Log UID value.
Check Point SmartLog client correlates those updates into a single unified log.
When the update logs are sent to 3rd party servers, they arrive as distinct logs.
Administrators can use the "loguid" field to correlate updated logs and get the full event chain.

Note - Log Exporter's new semi-unified mode correlates all previous logs into one, so the latest log always shows the complete data.
Examples of updated logs:
- The total amount of bytes sent and received over time.
- The severity field which is updated over time as more information becomes available.


0 Kudos
Tomer_Noy
Employee

This is correct.

Just to clarify a bit further:

The gateway sends logs to the log server as soon as it has any meaningful information to share. As more information is available on a connection or attack, the gateway will send additional "update logs" using the same luuid (which is the unique identifier for a log). 

This behavior is very common for Accounting information, since more traffic is passed and we want to update the log server on the latest statistics. However, it also happens for other types of information, for example when a security verdict isn't taken in the first millisecond of identifying an attack/connection. An initial log will be sent with available information, and another update log will be sent later with the action.

Our log server has logic to unify these log updates so that customers will "experience" these as a single log with the latest information. When we export data to SIEM, we have less control over the SIEM vendor, so the log updates may appear as duplicates. For some vendors (such as Splunk) we provide our own dashboards that handle these duplications.

If you export using "semi-unified" mode, then each log update will contain all the information accumulated so far. So if you only look at the latest log, you will see the accurate info to that point. It's also possible to export in "raw" mode, which will send the update log data as it's coming in and each log will have just some of the fields.

We are considering a roadmap development in which you can specify that you only want the "last" log when all information has been accumulated. The benefit is having just one log, which is simpler to handle in SIEM. The drawback is that long-lived connections will only be visible when they are closed. I'm curious to hear your feedback if this is a desired solution.

0 Kudos
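A SIEM-side illustration of the loguid correlation described in Lloyd_Braun's and Tomer_Noy's replies, added here as an example that is not from the thread or from Check Point: it parses LEEF lines shaped like the two quoted in the question and merges update logs that share a loguid, so only the latest state (e.g. action=Prevent) is reported instead of two separate events. The sample records, loguid values and field set are constructed; a real Log Exporter stream carries many more fields.

```python
# Constructed LEEF records resembling the two quoted in the thread. The loguid,
# src and severity values are made up; a real export carries many more fields.
SAMPLE_LEEF = (
    "LEEF:2.0|Check Point|SmartDefense|1.0|Check Point Log|devTime=1692599762\t"
    "loguid={0x1,0x2,0x3,0x4}\tsrc=10.0.0.5\tseverity=Low\n"
    "LEEF:2.0|Check Point|SmartDefense|1.0|Prevent|devTime=1692599762\t"
    "loguid={0x1,0x2,0x3,0x4}\tsrc=10.0.0.5\tseverity=High\taction=Prevent\n"
    "LEEF:2.0|Check Point|Firewall|1.0|Accept|devTime=1692599800\t"
    "loguid={0x9,0x9,0x9,0x9}\tsrc=10.0.0.7\taction=Accept\n"
)


def parse_leef(line):
    """Split a LEEF 2.0 line into its header event ID and tab-separated attributes."""
    parts = line.rstrip("\r\n").split("|", 5)
    if len(parts) < 6 or not parts[0].startswith("LEEF:"):
        raise ValueError("not a LEEF record: %r" % line)
    fields = {}
    for attr in parts[5].split("\t"):
        if "=" in attr:
            key, value = attr.split("=", 1)
            fields[key] = value
    return {"event_id": parts[4], "fields": fields}


def unify(text):
    """Merge update logs sharing a loguid into one event, newest values winning.

    In semi-unified mode the latest update already carries everything, so later
    values simply win; in raw mode each update holds only some fields and
    dict.update() accumulates them across the chain.
    """
    events = {}
    for index, line in enumerate(text.splitlines()):
        if not line.strip():
            continue
        rec = parse_leef(line)
        # Records without a loguid cannot be correlated; keep each as its own event.
        key = rec["fields"].get("loguid", "no-loguid:%d" % index)
        if key not in events:
            events[key] = {"event_id": rec["event_id"], "fields": {}, "updates": 0}
        events[key]["event_id"] = rec["event_id"]  # e.g. "Check Point Log" -> "Prevent"
        events[key]["fields"].update(rec["fields"])
        events[key]["updates"] += 1
    return events


if __name__ == "__main__":
    print({k: (v["event_id"], v["updates"]) for k, v in unify(SAMPLE_LEEF).items()})
```

The `updates` counter shows how many update logs the SIEM received per loguid, which is the number a rule author would otherwise see as "duplicates".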
loeunsokoeun
Explorer

The current read-mode is semi-unified, as I checked the configuration. Is there any way to fix Check Point so it does not forward duplicate logs to the SIEM? I guess it is not only the log mentioned above. Our SIEM vendor confirmed that many identical logs are forwarded to the SIEM by checking the tcpdump.


0 Kudos
