Solved: Custom report from specific traffic logs

leonarit · ‎2023-09-25

I would like your help to help me finding the best solution for following use case.

I need to be able to generate a view/report whenever certain traffic is detected in the logs that contains traffic from/to a specific list of IPs, this IP list is dynamically updated.

My first approach was using an external list (Generic Data Center Object/External Lists(R81.20)) + Access rule to match the relevant traffic and use the Rule UUID to create and event with SmartEvent and with this I was able to create Views/Reports based on the correlated events, but unfortunately, I’m not allowed to change the rule base(Add/Modify Access rules), so I can only work with the current rules and available logs. I could try to create a custom event in SmartvEent with the IPs from the Dynamic IP List, but I don’t have any automated option to automatically updated the feed of IPs for the custom event, afaik SmartEvent doesn’t have an API.

The next approach was trying to use the IOC Feeds with the AV/AB blades, but this only matches some traffic(HTTP,SMB,FTP), ICMP traffic or other ports don’t get matched by this method.

Another approach that I’m thinking of, is trying to use the mgmt API(show logs) and try to create some sort of script that could make a custom query based on the dynamic IP list and then export the results in a “nice view” to email or other transport.

Does anyone know some “elegant” idea to accomplish this using only Checkpoint GUI methods(SmartEvent(Views/Reports) or other)?

Regards.

leonarit · ‎2023-10-27

I would like to correct my initial post, I guess I was wrong about the IOC Feeds, I've done some additional tests and the Anti-Virus Blade was able to do dns, ip and domain reputation checks based on the IOC feeds for all traffic and now I'm able to generate the reports based on this events.

View solution in original post

PhoneBoy · ‎2023-09-25

SmartEvent currently does not have an API.
But...couldn't you create an object based on that dynamic IP list and (always) use that object in SmartEvent?

leonarit · ‎2023-09-25

Thanks for the tip, I've already tried that but SmartEvent only supports/syncs "static" object types.

I've also reviewed all the JHF from R81.10 and R81.20 and doesn't seem that SmartEvent will support dynamic objects.

the_rock · ‎2023-09-25

You are right, I even created dedicated SE server R81.20 in the lab and does not support dynamic objects.

Andy

leonarit · ‎2023-09-25

Thanks for the effort/help!

the_rock · ‎2023-09-25

You are welcome...it even had latest jumbo, but no difference

[Expert@SMART-EVENT-SERVER:0]# cpinfo -y fw1

This is Check Point CPinfo Build 914000234 for GAIA
[FW1]
HOTFIX_NGM_DOCTOR_AUTOUPDATE
HOTFIX_R81_20_JUMBO_HF_MAIN Take: 26
HOTFIX_PUBLIC_CLOUD_CA_BUNDLE_AUTOUPDATE

FW1 build number:
This is Check Point Security Management Server R81.20 - Build 005
This is Check Point's software version R81.20 - Build 012

[Expert@SMART-EVENT-SERVER:0]#

Please select the installation you would like to update
1) SmartReporter. (disabled, select to enable)
2) SmartEvent Server. (enabled, select to disable)
3) SmartEvent Correlation Unit. (enabled, select to disable)
4) SmartEvent Intro. (disabled, select to enable)
5) SmartEvent Intro Correlation Unit. (enabled, select to disable)

6) Save and exit.
7) Exit without saving.

PhoneBoy · ‎2023-09-25

You would have to create a static object based on the dynamic list, yes.
Dynamic objects are not resolved on management (where SmartEvent runs).

leonarit · ‎2023-10-27

I would like to correct my initial post, I guess I was wrong about the IOC Feeds, I've done some additional tests and the Anti-Virus Blade was able to do dns, ip and domain reputation checks based on the IOC feeds for all traffic and now I'm able to generate the reports based on this events.

Are you a member of CheckMates?

Custom report from specific traffic logs