This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Sanja_Rakic
Contributor
‎2019-06-26 03:17 AM

Endpoint management server and QRADAR

Hi,

My Endpoint management server is sending all the logs to the SIEM Qradar solution. There are too many logs sourcing from Endpoint Mgmt so I would like to optimize it. I don't want to see logs that are related to active directory scanning in siem logs, which happens too often. Is there any way to do it?

5 Replies
PhoneBoy
Admin
Admin
‎2019-06-26 09:07 PM

I assume you have configured QRadar using LEA, correct?
LEA, unfortunately, doesn't have any way to filter logs.
This is something we have with Log Exporter.
See: https://community.checkpoint.com/t5/Logging-and-Reporting/Log-Exporter-guide/m-p/9035#M968
I'm not sure if QRadar is yet compatible with Log Exporter.
0 Kudos
Sanja_Rakic
Contributor
‎2019-06-27 12:54 AM
In response to PhoneBoy

Thanks for your reply and detailed information. Yes, LEA is used.

Maybe there is a way on the Endpoint Management server to configure it not to log certain events? In this way they will not be sent to some external log collector.

0 Kudos
DeletedUser
Not applicable
‎2019-06-27 07:03 PM
In response to Sanja_Rakic

It can, but it has to be done by the LEA client, QRadar in this case via their implementation of the LEA API. Not an option as far as I know. Would be a question for QRadar.

Log Exporter gives you some control over filtering in the latest version (see the filtering section of the Log Exporter sk122323) and is a QRadar option

0 Kudos
Sanja_Rakic
Contributor
‎2019-07-01 01:56 AM
In response to DeletedUser

Thanks for your reply. 

My endpoint security management server is running version R80.20, and log filtering is not supported using Log exporter on that version. 

I am sending you example of the logs I see on the QRadar, but there is no log entry for similar events on the Smart Endpoint server. Anything that can be done?

<13>Jul 01 09:18:55 10.16.96.211 01Jul2019 09:18:55 audit/drop x.x.x.x product: Endpoint Security Console; src: ; s_port: ; dst: ; service: ; proto: ; rule: ;Additional Info: Scanner name: 'scanner_name'

Number of scanned objects: 12463

Containers: 6 [6 domains, 0 containers, 0 OUs]

Groups: 8

Users: 10762

Devices: 1687

;ObjectName: object_name;Operation: AD scan ended;Subject: Directory Scanner;has_accounting: 0;i/f_dir: inbound;i/f_name: ;is_first_for_luuid: 131072;logId: -1;log_sequence_num: 10;log_type: audit;log_version: 5;origin_sic_name: cn=some_name,o=some_name;

 

<13>Jul 01 09:18:55 10.16.96.211 01Jul2019 09:18:55 audit/drop x.x.x.x product: Endpoint Security Console; src: ; s_port: ; dst: ; service: ; proto: ; rule: ;Additional Info: USER 'username' (domain) has been updated successfully.;Administrator: domain_name;ObjectTable: User;ObjectType: User;Operation: Modify Object;Subject: Object Manipulation;Uid: ***************;has_accounting: 0;i/f_dir: inbound;i/f_name: ;is_first_for_luuid: 131072;logId: -1;log_sequence_num: 9;log_type: audit;log_version: 5;origin_sic_name: cn=some_name,o=some_name;

0 Kudos
Dan_Zada
Employee Alumnus
Employee Alumnus
‎2019-07-04 05:55 AM
In response to DeletedUser

We are working on merging the filtering capability to R80.20.

It will be available soon. 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events