Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Sanja_Rakic
Contributor

Endpoint management server and QRADAR

Hi,

My Endpoint management server is sending all the logs to the SIEM Qradar solution. There are too many logs sourcing from Endpoint Mgmt so I would like to optimize it. I don't want to see logs that are related to active directory scanning in siem logs, which happens too often. Is there any way to do it?

5 Replies
PhoneBoy
Admin
Admin

I assume you have configured QRadar using LEA, correct?
LEA, unfortunately, doesn't have any way to filter logs.
This is something we have with Log Exporter.
See: https://community.checkpoint.com/t5/Logging-and-Reporting/Log-Exporter-guide/m-p/9035#M968
I'm not sure if QRadar is yet compatible with Log Exporter.
0 Kudos
Sanja_Rakic
Contributor

Thanks for your reply and detailed information. Yes, LEA is used.

Maybe there is a way on the Endpoint Management server to configure it not to log certain events? In this way they will not be sent to some external log collector.

0 Kudos
DeletedUser
Not applicable

It can, but it has to be done by the LEA client, QRadar in this case via their implementation of the LEA API. Not an option as far as I know. Would be a question for QRadar.

Log Exporter gives you some control over filtering in the latest version (see the filtering section of the Log Exporter sk122323) and is a QRadar option

0 Kudos
Sanja_Rakic
Contributor

Thanks for your reply. 

My endpoint security management server is running version R80.20, and log filtering is not supported using Log exporter on that version. 

I am sending you example of the logs I see on the QRadar, but there is no log entry for similar events on the Smart Endpoint server. Anything that can be done?

<13>Jul 01 09:18:55 10.16.96.211 01Jul2019 09:18:55 audit/drop x.x.x.x product: Endpoint Security Console; src: ; s_port: ; dst: ; service: ; proto: ; rule: ;Additional Info: Scanner name: 'scanner_name'

Number of scanned objects: 12463

Containers: 6 [6 domains, 0 containers, 0 OUs]

Groups: 8

Users: 10762

Devices: 1687

;ObjectName: object_name;Operation: AD scan ended;Subject: Directory Scanner;has_accounting: 0;i/f_dir: inbound;i/f_name: ;is_first_for_luuid: 131072;logId: -1;log_sequence_num: 10;log_type: audit;log_version: 5;origin_sic_name: cn=some_name,o=some_name;

 

<13>Jul 01 09:18:55 10.16.96.211 01Jul2019 09:18:55 audit/drop x.x.x.x product: Endpoint Security Console; src: ; s_port: ; dst: ; service: ; proto: ; rule: ;Additional Info: USER 'username' (domain) has been updated successfully.;Administrator: domain_name;ObjectTable: User;ObjectType: User;Operation: Modify Object;Subject: Object Manipulation;Uid: ***************;has_accounting: 0;i/f_dir: inbound;i/f_name: ;is_first_for_luuid: 131072;logId: -1;log_sequence_num: 9;log_type: audit;log_version: 5;origin_sic_name: cn=some_name,o=some_name;

0 Kudos
Dan_Zada
Employee Alumnus
Employee Alumnus

We are working on merging the filtering capability to R80.20.

It will be available soon. 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events