Hello,
I am trying out importing Windows Event logs into the Check Point Management server. Logs are coming in without problem using the WinEventToCPLog agent; however, I want to map fields from the Windows Event to Check Point fields. I've followed "How to map Windows Events fields to Check Point log fields"; however, I was only successful mapping fields whose value in the debug comes after the '%' sign.
Here is my field mapping configuration:
# User Login Successful Mapping
(
  : ("Microsoft-Windows-Security-Auditing:4624"
    : (%6
      :field_name ("User")
      :field_type ()
    )
    : ("Win Message"
      :field_name ("Description")
      :field_type ()
    )
  )
  # User initiated logoff
  : ("Microsoft-Windows-Security-Auditing:4647"
    : (%2
      :field_name ("User")
      :field_type ()
    )
    : ("Win Message"
      :field_name ("Description")
      :field_type ()
    )
  )
  # An account was logged off
  : ("Microsoft-Windows-Security-Auditing:4634"
    : (%2
      :field_name ("User")
      :field_type ()
    )
    : ("Win Message"
      :field_name ("Description")
      :field_type ()
    )
  )
  # User Login Failure Mapping
  : ("Microsoft-Windows-Security-Auditing:4625"
    : (%6
      :field_name ("User")
      :field_type ()
    )
    : ("Win Message"
      :field_name ("Description")
      :field_type ()
    )
  )
)
Here is a screenshot from the management server:
Details of the log message:
User was successfully mapped; however, Win Message is not. What should I write in the mapping file to get Win Message into Description? Other fields, such as EventID, would be nice too.
Thanks.
You have an empty value in the field_type() call. That should be string.
For example:
(
  : ("Microsoft-Windows-Security-Auditing:4624"
    : (%6
      :field_name (User)
      :field_type (string)
    )
  )
)
Hi,
From the comments at the top of the configuration, it says that field_type () is string by default. I can see it worked for the User field (as I can see it mapped in the log); the problem is when I try to map fields that don't start with '%{number}'. To be sure, I've added the string field type everywhere, but nothing has changed.
Here is an example from the debug when starting WinEventToCPLog.exe -d (windowEvent0.log) to find the field names to map:
---------------------------------------------------------------------------
Reading internal event number: 23725
Wed Sep 27 07:34:34 2017
Security
EventID: 4624
EventTime: 4624
%1 = S-1-0-0
%2 = -
%3 = -
%4 = 0x0
%5 = S-1-5-21-2211272001-3120902545-1089152063-500
%6 = Administrator
%7 = NILFISK-LAB-ADM
%8 = 0x70ba991
%9 = 3
%10 = NtLmSsp
%11 = NTLM
%12 = PRGNTBLN02
%13 = {00000000-0000-0000-0000-000000000000}
%14 = -
%15 = NTLM V2
%16 = 128
%17 = 0x0
%18 = -
%19 = -
%20 = -
%21 = %%1833
Win Message(string): An account was successfully logged on.
Security ID(string): S-1-0-0
Account Name(string): -
Account Domain(string): -
Logon ID(string): 0x0
Logon Type(string): 3
Impersonation Level(string):
Security ID1(string): S-1-5-21-2211272001-3120902545-1089152063-500
User(string): Administrator
Account Domain1(string): NILFISK-LAB-ADM
Logon ID1(string): 0x70ba991
Logon GUID(string): {00000000-0000-0000-0000-000000000000}
Process ID(string): 0x0
Process Name(string): -
Workstation Name(string): PRGNTBLN02
Source Network Address(string): -
Source Port(string): -
Logon Process(string): NtLmSsp
Authentication Package(string): NTLM
Transited Services(string): -
Package Name (NTLM only)(string): NTLM V2
Key Length(string): 128
Product(string): Windows OS
Event Source File(string): Security
Application(string): Microsoft-Windows-Security-Auditing
__orig(ipaddr): 10.8.86.20
Computer(string): Nilfisk-LAB-ADMIN
Event Type(string): Success Audit
So I can't map the field on line 28 to the Check Point log; it only shows in the More section when I open the log.
You can only map %1 up to %21 to LEA field names.
According to the debug work, you have done this for the User field because it contains the value from %2.
Which other fields from the numbered fields might be useful?
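Since only the numbered %N insertion strings can be mapped, the practical question is which %N holds the value of a named field such as "Workstation Name" or "Logon Type". The following script (an added example, not code from the thread or from Check Point) parses the WinEventToCPLog debug output shown above, resolves a named field to its %N by matching values, flags fields that are not backed by any %N (like "Win Message") or whose value collides with several slots, and prints a mapping stanza in the config file's syntax. The trimmed debug sample is constructed from the output posted above; the function names are this example's own.

```python
import re

# Constructed sample: a trimmed copy of the "WinEventToCPLog.exe -d" debug
# output shown in the thread (only the lines needed to illustrate the idea).
DEBUG_SAMPLE = """EventID: 4624
%2 = -
%4 = 0x0
%6 = Administrator
%9 = 3
%12 = PRGNTBLN02
%17 = 0x0
Win Message(string): An account was successfully logged on.
Account Name(string): -
Logon ID(string): 0x0
Logon Type(string): 3
User(string): Administrator
Workstation Name(string): PRGNTBLN02
Process ID(string): 0x0
"""

POS_RE = re.compile(r"^%(\d+) = (.*)$")           # "%6 = Administrator"
NAMED_RE = re.compile(r"^(.+?)\((\w+)\): ?(.*)$")  # "User(string): Administrator"

def parse_debug(text):
    """Split one debug event into (event_id, {N: value}, {field name: value})."""
    event_id, positional, named = None, {}, {}
    for line in text.splitlines():
        if line.startswith("EventID:"):
            event_id = line.split(":", 1)[1].strip()
        elif (m := POS_RE.match(line)):
            positional[int(m.group(1))] = m.group(2)
        elif (m := NAMED_RE.match(line)):
            named[m.group(1).strip()] = m.group(3)
    return event_id, positional, named

def resolve(named_field, positional, named):
    """%N slots whose value equals the named field's value: [] means no %N backs
    the field (unmappable, like "Win Message"); several means a value collision."""
    if named_field not in named:
        return []
    return sorted(n for n, v in positional.items() if v == named[named_field])

def mapping_stanza(source, event_id, named_field, cp_field, positional, named):
    """Mapping entry in the config file's own syntax, or None if unmappable."""
    slots = resolve(named_field, positional, named)
    if len(slots) != 1:
        return None
    return (f': ("{source}:{event_id}"\n  : (%{slots[0]}\n'
            f'    :field_name ("{cp_field}")\n    :field_type (string)\n  )\n)')
```

A collision such as "Logon ID" (0x0 appears in both %4 and %17 in this event) is resolved by running the same check over several events and keeping the slot that matches every time.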
According to the file comments, the default is string:
"
# For example,
# : (Security # Event source
# : ("User Name" # Microsoft Event field name, quotes are necessary for space in the name
# :field_name (User) # Check Point log server field name
# :field_type () # Check Point log server Field type (default is string)"
Are you saying that it must be defined explicitly?