This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
lmediavilla
Explorer
‎2024-03-02 11:10 AM

Cef forwarding missing IPS fields

Hello,

I have an MDS setup with and MLM applicance. I have a problem in the IPs logs when I forward them using CEF format.
I have the standard file "CefFieldsMapping.xml" under "/opt/CPrt-R81.10/log_exporter/conf"

When I get an event that shows on Sentinel with DeviceProduct as SmartDefense  and DeviceEventClassID as IPS I don't get any information from Forensics detail or Advanced Forensics detail.

I get other fields like the Ip addresses CVE action source system... but no forensic information.

 

Is there a possibility to forward that missing part of the logs?

 

Kind regards.

Labels
0 Kudos
2 Replies
Amir_Senn
Employee
Employee
‎2024-03-05 01:01 AM

Thoughts and questions:

a. Same results for raw and semi-unified?

b. Other formats work well or you haven't tried?

c. Mostly under forensics we have pcap and sometimes other information changing from protection to protection. For pcap we have a special flag that adds link to open pcap via SmartView. You can find it and other optional flag in Log Exporter SK under Advanced Deployment - Additional Commands - Parameters.

Hope this at least help in some part.

Kind regards, Amir Senn
0 Kudos
lmediavilla
Explorer
‎2024-03-11 07:30 AM
In response to Amir_Senn

Hello,

same result changing emi-unified to raw format

same result in syslog format.

The IPS does not have the forensic fields and the action.

I can add the link to the smartview but that is not what I want. I want the log exported so another tool can check it automatically.

Kind regards.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events