Contributor

missing key field “action” in IPS raw log sent to Arcsight SIEM


While reviewing the IPS raw log sent to Arcsight SIEM, we found that the key field “action”, which is available on the console and is required in the use case to trigger a matching IPS incident, is missing from the log.

As we do not want to trigger an Incident/alert for threats that are already blocked (under action: Prevent, block, Redirect), the key field (“action”) highlighted in the attached screenshot is required. Can you tell me how we can address this blocking point?


Accepted Solutions
Admin

You can see what fields we can send here: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
Log Exporter can be configured to filter specific logs as well: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut... 
The configuration may need to be adjusted appropriately. 


3 Replies
Admin

How precisely are you sending logs to Arcsight?

Contributor

Can you elaborate on "How precisely are you sending logs to Arcsight?"

We receive the logs through syslog from the managers. The logs are formatted as CEF natively when sent to us. Here is a sanitized example:

Sep 24 13:25:25 x.x.x.x  CEF:0|Check Point|SmartDefense|Check Point|IPS|Resource Records Enforcement|Very-High|cp_severity=Very-High cs2Label=Protection ID cs2=asm_dynamic_prop_dns_rr cs3Label=Protection Type cs3=IPS cs4Label=Protection Name cs4=Resource Records Enforcement deviceDirection=0 flexNumber1Label=Confidence flexNumber1=1 flexNumber2Label=Performance Impact flexNumber2=2 flexString2Label=Attack Information flexString2=Resource Records Enforcement - Excessive number of Resource Records detected in reply msg=DNS Enforcement Violation rt=1600953924000 loguid={0x8exxxxxx,0xefcxxxxx,0x7dfxxxxx,0xf3xxxxxx} origin=x.x.x.x originsicname=CN\=EXTERNAL,O\=hostname.domain.com.xxxxxxx sequencenum=370 version=5 description_url=dns_rr_help.html product=SmartDefense smartdefense_profile=xxxxxxxx_Recommended_Protection src=x.x.x.x

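The question above (an IPS use case that should not fire for threats the gateway already handled) and the CEF sample in the reply above both come down to one check on the receiving side: parse the CEF line, look for an action field, and only alert when the action is not a blocking one. The following Python is an added example written for this page; it is not code from the thread, from ArcSight or from Check Point. It implements the public CEF header/extension grammar (pipe-delimited header, space-separated key=value extension with `\=` and `\\` escapes). The key names it looks for (`act`, the standard CEF action key, and a raw `action` key), the blocking set {Prevent, Block, Redirect} taken from the question, and the second and third sample lines are assumptions constructed for the example; only the first sample line is the sanitized line posted in the thread.

```python
"""Parse Check Point Log Exporter CEF lines and decide whether an IPS
event should raise a SIEM alert.

Added example for this page, not code from the thread or from Check Point.
The CEF grammar is the public ArcSight CEF format; the key names ``act``
and ``action``, the blocking-action set and the constructed sample lines
are assumptions, not a documented Check Point field mapping.
"""
import re
from typing import Dict, List, Optional

# Actions the question treats as "already blocked"; compared case-insensitively.
BLOCKING_ACTIONS = {"prevent", "block", "redirect"}

HEADER_FIELDS = ("version", "vendor", "product", "device_version",
                 "signature_id", "name", "severity")

# An extension key starts at line start or after whitespace and ends at an
# unescaped '='; a '\=' inside a value therefore never opens a new key.
_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")
# Header delimiter: a '|' not preceded by a backslash. (Known limitation:
# an escaped backslash followed by a real '|' is not handled.)
_PIPE_RE = re.compile(r"(?<!\\)\|")


def _unescape(value: str, header: bool = False) -> str:
    """Undo CEF escaping: '\\|' in header fields, '\\=' in extension values,
    '\\\\' in both."""
    out: List[str] = []
    i = 0
    while i < len(value):
        ch = value[i]
        if ch == "\\" and i + 1 < len(value):
            nxt = value[i + 1]
            if nxt == "\\" or (header and nxt == "|") or (not header and nxt == "="):
                out.append(nxt)
                i += 2
                continue
        out.append(ch)
        i += 1
    return "".join(out)


def parse_cef(line: str) -> Dict[str, str]:
    """Return the seven header fields plus every extension key/value pair.

    Anything before 'CEF:' (the syslog timestamp and relay address) is ignored.
    """
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("not a CEF line")
    body = line[start + len("CEF:"):]
    parts = _PIPE_RE.split(body, maxsplit=7)
    if len(parts) != 8:
        raise ValueError("CEF header must have 7 pipe-delimited fields")
    event = {k: _unescape(v, header=True) for k, v in zip(HEADER_FIELDS, parts[:7])}
    ext = parts[7]
    matches = list(_KEY_RE.finditer(ext))
    for n, m in enumerate(matches):
        # A value runs from its '=' to the whitespace before the next key.
        val_end = matches[n + 1].start() if n + 1 < len(matches) else len(ext)
        event[m.group(1)] = _unescape(ext[m.end():val_end].strip())
    return event


def get_action(event: Dict[str, str]) -> Optional[str]:
    """The action from the standard CEF key 'act', or a raw 'action' key."""
    return event.get("act") or event.get("action")


def triage(event: Dict[str, str]) -> str:
    """'suppress' when the IPS already blocked the traffic, 'alert' when it
    only detected it, 'needs_review' when the log carries no action at all
    (the situation described in the question: the rule cannot tell the two
    apart, so it must not silently suppress)."""
    action = get_action(event)
    if action is None:
        return "needs_review"
    if action.lower() in BLOCKING_ACTIONS:
        return "suppress"
    return "alert"


# Constructed sample input. Line 1 is the sanitized line from the thread
# (no action field); lines 2 and 3 are made up to show the two other outcomes.
SAMPLE_LINES = [
    r"Sep 24 13:25:25 x.x.x.x  CEF:0|Check Point|SmartDefense|Check Point|IPS|Resource Records Enforcement|Very-High|cp_severity=Very-High cs2Label=Protection ID cs2=asm_dynamic_prop_dns_rr cs3Label=Protection Type cs3=IPS cs4Label=Protection Name cs4=Resource Records Enforcement deviceDirection=0 flexNumber1Label=Confidence flexNumber1=1 flexNumber2Label=Performance Impact flexNumber2=2 flexString2Label=Attack Information flexString2=Resource Records Enforcement - Excessive number of Resource Records detected in reply msg=DNS Enforcement Violation rt=1600953924000 loguid={0x8exxxxxx,0xefcxxxxx,0x7dfxxxxx,0xf3xxxxxx} origin=x.x.x.x originsicname=CN\=EXTERNAL,O\=hostname.domain.com.xxxxxxx sequencenum=370 version=5 description_url=dns_rr_help.html product=SmartDefense smartdefense_profile=xxxxxxxx_Recommended_Protection src=x.x.x.x",
    r"Sep 24 13:26:01 x.x.x.x CEF:0|Check Point|SmartDefense|Check Point|IPS|SQL Injection|High|act=Prevent cs3Label=Protection Type cs3=IPS src=10.0.0.5 dst=10.0.0.9 msg=Blocked by IPS",
    r"Sep 24 13:26:07 x.x.x.x CEF:0|Check Point|SmartDefense|Check Point|IPS|SQL Injection|High|act=Detect cs3Label=Protection Type cs3=IPS src=10.0.0.6 dst=10.0.0.9",
]


def demo() -> List[str]:
    """Triage decision for each sample line, in order."""
    return [triage(parse_cef(line)) for line in SAMPLE_LINES]


if __name__ == "__main__":
    for line, decision in zip(SAMPLE_LINES, demo()):
        ev = parse_cef(line)
        print(f"{ev['name']:<30} action={get_action(ev)!s:<8} -> {decision}")
```

The point of the third outcome is the one raised in the question: a correlation rule that simply excludes blocked actions will treat a log with no action field as "not blocked" and fire, or, if written the other way round, will never fire at all. Until the exporter is configured to include the field, routing such events to a review bucket keeps the gap visible instead of hiding it.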