Cef forwarding missing IPS fields

lmediavilla · ‎2024-03-02

Hello,

I have an MDS setup with and MLM applicance. I have a problem in the IPs logs when I forward them using CEF format.
I have the standard file "CefFieldsMapping.xml" under "/opt/CPrt-R81.10/log_exporter/conf"

When I get an event that shows on Sentinel with DeviceProduct as SmartDefense and DeviceEventClassID as IPS I don't get any information from Forensics detail or Advanced Forensics detail.

I get other fields like the Ip addresses CVE action source system... but no forensic information.

Is there a possibility to forward that missing part of the logs?

Kind regards.

Amir_Senn · ‎2024-03-05

Thoughts and questions:

a. Same results for raw and semi-unified?

b. Other formats work well or you haven't tried?

c. Mostly under forensics we have pcap and sometimes other information changing from protection to protection. For pcap we have a special flag that adds link to open pcap via SmartView. You can find it and other optional flag in Log Exporter SK under Advanced Deployment - Additional Commands - Parameters.

Hope this at least help in some part.

Kind regards, Amir Senn

lmediavilla · ‎2024-03-11

Hello,

same result changing emi-unified to raw format

same result in syslog format.

The IPS does not have the forensic fields and the action.

I can add the link to the smartview but that is not what I want. I want the log exported so another tool can check it automatically.

Kind regards.

Are you a member of CheckMates?

Cef forwarding missing IPS fields