Please use this discussion as a guide to understand how the Check Point syslog Log Exporter maps Check Point log fields to the LEEF format. It is based on R80.30; the mapping files may change in later versions, so verify against your own installation.
LEEF attributes have their own names such as cat, devTime and url. Check Point fields whose raw name already matches a LEEF attribute name, such as src and dst, need no mapping and are not covered here.
Note: throughout this discussion we use the raw Check Point field name. The user interface (SmartView Tracker in R77.30, SmartConsole in R80.x) may show a different display name for the same field, so look at the raw log when comparing against the tables below.
LEEF Event Components, IBM Knowledge Center
The Log Event Extended Format (LEEF) is a customized event format for IBM Security QRadar. The LEEF format consists of the following components.
LEEF Header Mapping
The LEEF header is required. It is a pipe-delimited (|) set of values that identifies Check Point events to QRadar. LEEF 2.0 also allows an optional sixth header field that declares a custom attribute delimiter; the Log Exporter header shown below has five fields and no delimiter field, so the default tab delimiter applies to the attributes that follow it.
Each header slot is filled from Check Point fields according to its assign_order in the file $EXPORTERDIR/conf/LeefFormatDefinition.xml:
- first (use the first value found; the default)
- last (use the last value found)
- join (join all values found)
- init (set the value once, when the header format is initialised, and do not regenerate it for every log)
LEEF Format Header Definition Examples (note: a space is added on either side of the "|" delimiter to make the values easier to read; the real header has none).
- LEEF:Version | Vendor | Product | Version | Event ID |
- LEEF:2.0 | Check Point | Log Update | 1.0 | Check Point Log |
- LEEF Version: assign_order is init; the value is LEEF:2.0
- Vendor: assign_order is init; the value is Check Point
- Product: assign_order is first; the default is Log Update, otherwise the value of the field product or productname
- Version: assign_order is init; the value is 1.0
- Event ID: assign_order is init; the default is Check Point Log, but it may also be the value of the field protection_name, appi_name or action. If every event you receive carries the default, check the assign_order of this slot in your own LeefFormatDefinition.xml, since init fixes the value once at start-up.
Event Attributes
The event attributes carry the payload of the event as a set of key=value pairs that describe the security event in detail. Attributes are separated by the tab character (the default LEEF delimiter, since the Log Exporter header declares no custom one). A tab or line break inside a value therefore breaks the event, so fields that can carry free text (URLs, signature names, subjects) deserve attention when you build your own mapping.
Examples
- key=value<tab>key=value<tab>key=value<tab>key=value<tab>
- src=192.0.2.0<tab>dst=172.50.123.1<tab>sev=5<tab>cat=accept<tab>srcPort=81<tab>dstPort=21<tab>usrName=joe.black
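The header and attribute rules above, as an added example that is not Log Exporter's code: it builds a LEEF 2.0 line from a constructed Check Point record, implementing the four assign_order modes, and parses the line back. The sample record, the backslash escaping of a pipe inside a header value and the folding of tabs inside attribute values are assumptions of this example, not behaviour documented for Log Exporter. It also treats the Event ID slot as first rather than init so that the per-log value is visible (assumption).

```python
"""Build a LEEF 2.0 line from a Check Point record and parse it back.

Added example, not Log Exporter's code.  The assign_order behaviour
(init / first / last / join) follows the description on this page; the
sample record, the pipe escaping and the attribute cleaning are this
example's own assumptions.
"""
import re

# Constructed sample record keyed by raw Check Point field names.
SAMPLE_LOG = {
    "time": "1560000000",
    "product": "Threat Emulation",
    "protection_name": "Exploit.Win32.Generic|TC",  # a pipe, on purpose
    "appi_name": "Dropbox",
    "action": "Prevent",
    "src": "192.0.2.10",
    "dst": "198.51.100.7",
}

HEADER_NAMES = ["leef_version", "vendor", "product", "version", "event_id"]

# Header slots in LEEF order: (assign_order, default, candidate raw fields).
# The page lists Event ID as init; because that slot can still carry
# protection_name / appi_name / action per log, this example treats it as
# first (assumption) so the per-log value is visible in the output.
HEADER_SLOTS = [
    ("init",  "LEEF:2.0",        []),
    ("init",  "Check Point",     []),
    ("first", "Log Update",      ["product", "productname"]),
    ("init",  "1.0",             []),
    ("first", "Check Point Log", ["protection_name", "appi_name", "action"]),
]

# Raw fields emitted unchanged as attributes: src/dst already are LEEF
# names, appi_name is not, so QRadar will treat it as a custom key.
ATTRIBUTES = ["src", "dst", "appi_name"]


def header_value(log, order, default, fields, sep=","):
    """Resolve one header slot according to its assign_order."""
    present = [log[f] for f in fields if log.get(f)]
    if order == "init" or not present:
        return default          # fixed at start-up, or nothing to take
    if order == "first":
        return present[0]
    if order == "last":
        return present[-1]
    if order == "join":
        return sep.join(present)
    raise ValueError(f"unknown assign_order: {order}")


def esc_header(value):
    """A raw value (e.g. a signature name) containing '|' would shift every
    header field after it; escaping with a backslash is this example's
    choice.  Confirm how your QRadar version treats escaped delimiters."""
    return value.replace("\\", "\\\\").replace("|", "\\|")


def clean_attr(value):
    """Tabs and line breaks inside a value would be read as new attributes
    or a new event; fold them to spaces (this example's choice)."""
    return re.sub(r"[\t\r\n]+", " ", str(value))


def build_leef(log):
    header = "|".join(esc_header(header_value(log, *slot)) for slot in HEADER_SLOTS) + "|"
    body = "\t".join(f"{k}={clean_attr(log[k])}" for k in ATTRIBUTES if k in log)
    return header + body


def parse_leef(line):
    """Split the five-field header on unescaped pipes, then the body on tabs.
    Assumes the default tab delimiter (no sixth header field)."""
    parts = re.split(r"(?<!\\)\|", line, maxsplit=5)
    if len(parts) != 6 or not parts[0].startswith("LEEF:"):
        raise ValueError("not a LEEF line with a five-field header")
    header = {n: re.sub(r"\\([\\|])", r"\1", p) for n, p in zip(HEADER_NAMES, parts[:5])}
    attrs = {}
    for kv in parts[5].split("\t"):
        if not kv:
            continue            # tolerate the trailing <tab> shown above
        if "=" not in kv:
            raise ValueError(f"attribute without '=': {kv!r}")
        key, value = kv.split("=", 1)
        attrs[key] = value
    return header, attrs


if __name__ == "__main__":
    line = build_leef(SAMPLE_LOG)
    print(line.replace("\t", "<tab>"))
    print(parse_leef(line))
```

The protection_name in the sample deliberately contains a pipe: without escaping, a signature name like that shifts every header field after it and QRadar reads a wrong Event ID. The same applies to a tab inside any attribute value, which is why the example folds them before writing the line.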
Predefined LEEF Event Attributes, IBM Knowledge Center
The LEEF format contains a number of predefined name=value pairs event attributes, which allow QRadar to categorize and display the event. Log Exporter uses these keys when possible.
Custom Event Keys, IBM Knowledge Center
Vendors and partners have the option to define their own custom event keys and include them in the payload of the LEEF format.
Check Point events that do not fall into one of the pre-defined LEEF event attributes are non-normalized, which means they are not displayed by default on the Log Activity tab of QRadar. To view custom attributes and non-normalized events on the Log Activity tab of QRadar, you must create a custom event property. Non-normalized event data is still part of your LEEF event, is searchable in QRadar, and is viewable in the event payload.
Mapping of Check Point Fields to Pre-defined LEEF Event Attributes
The table below is the Log Exporter LEEF field mapping from R80.30, taken from $EXPORTERDIR/conf/LeefFieldsMapping.xml and sorted by dstName. origName is the raw Check Point field name and dstName is the LEEF attribute it becomes. Where tableName is set, the row applies only to fields inside that nested log table (for example file_table), which is why file_name becomes filename at the top level but fname inside file_table and aggregated_file_table.
Callback Functions
The name column holds the callback function applied to the value before it is written; in this version of the file the only callback used is replace_value, and only the severity and app_risk rows use it. replace_value swaps the raw value for the value listed against the matching key, and the row whose key is default supplies the value when the raw value matches none of the listed keys. Log Exporter uses it to translate the Check Point severity and app_risk scales into the LEEF sev scale. Two things to check before building QRadar rules on sev: the two scales do not agree (severity 2 becomes sev 5 while app_risk 2 becomes sev 4, and a log carrying both fields lands both on the same LEEF key), and the match_table and primary_application rows emit text values (Unknown, Low, Medium, High, Very-High) into sev rather than numbers.
origName | dstName | name | key | value | tableName
--- | --- | --- | --- | --- | ---
attack_information | attackInformation | | | |
attack_name | attackName | | | |
status | attackStatus | | | |
business_impact | businessImpact | | | |
action | cat | | | |
industry_reference | cve | | | |
resource | destinationDnsDomain | | | | resource_table
time | devTime | | | |
client_dst | dst | | | |
ipv6_dst | dst | | | |
received_bytes | dstBytes | | | |
server_inbound_bytes | dstBytes | | | |
client_inbound_bytes | dstBytes | | | |
mac_destination_address | dstMAC | | | |
d_port | dstPort | | | |
destination_port | dstPort | | | |
xlatedst | dstPostNAT | | | |
xlatedport | dstPostNATPort | | | |
recipient-recipients | emailRecipient | | | |
from | emailSender | | | |
sender | emailSender | | | |
subject | emailSubject | | | |
supress_logs | eventsCoalesced | | | |
extracted_files | extractedFiles | | | |
extracted_file_types | extractedFileTypes | | | |
extracted_hash | extractedHash | | | |
file_MD5 | fileHash | | | |
file_id | fileID | | | |
file_id | fileId | | | | file_table
file_name | filename | | | |
file_size | fileSize | | | |
filetype | fileType | | | |
file_name | fname | | | | aggregated_file_table
file_name | fname | | | | file_table
file_size | fsize | | | | file_table
OU_group | identGrpName | | | |
source_machine_name | identHostName | | | |
malware_family | malware | | | |
malware_activity | malwareActivity | | | |
packet_capture | pcap | | | |
performance_impact | performanceImpact | | | |
phone_number | phoneNumber | | | |
policy_name | policy | | | |
policy | policyName | | | |
profile | profileName | | | |
protocol | proto | | | |
remediated_files | remediatedFiles | | | |
app_risk | sev | replace_value | default | 0 |
app_risk | sev | replace_value | 0 | 0 |
app_risk | sev | replace_value | 1 | 2 |
app_risk | sev | replace_value | 2 | 4 |
app_risk | sev | replace_value | 3 | 6 |
app_risk | sev | replace_value | 4 | 8 |
app_risk | sev | replace_value | 5 | 10 |
severity | sev | replace_value | default | 0 |
severity | sev | replace_value | 0 | 0 |
severity | sev | replace_value | 1 | 2 |
severity | sev | replace_value | 2 | 5 |
severity | sev | replace_value | 3 | 8 |
severity | sev | replace_value | 4 | 10 |
app_risk | sev | replace_value | default | Unknown | match_table
app_risk | sev | replace_value | 0 | Unknown | match_table
app_risk | sev | replace_value | 1 | Low | match_table
app_risk | sev | replace_value | 2 | Low | match_table
app_risk | sev | replace_value | 3 | Medium | match_table
app_risk | sev | replace_value | 4 | High | match_table
app_risk | sev | replace_value | 5 | Very-High | match_table
app_risk | sev | replace_value | default | Unknown | primary_application
app_risk | sev | replace_value | 0 | Unknown | primary_application
app_risk | sev | replace_value | 1 | Low | primary_application
app_risk | sev | replace_value | 2 | Low | primary_application
app_risk | sev | replace_value | 3 | Medium | primary_application
app_risk | sev | replace_value | 4 | High | primary_application
app_risk | sev | replace_value | 5 | Very-High | primary_application
sha1 | sha1 | | | |
sha256 | sha256 | | | |
protection_name | signature | | | |
client_ip | src | | | |
ipv6_src | src | | | |
sent_bytes | srcBytes | | | |
server_outbound_bytes | srcBytes | | | |
client_outbound_bytes | srcBytes | | | |
imsi | srcMAC | | | |
mac_source_address | srcMAC | | | |
s_port | srcPort | | | |
xlatesrc | srcPostNAT | | | |
xlatesport | srcPostNATPort | | | |
proxy_source_ip | srcProxyIP | | | |
suspicious_events | suspiciousEvents | | | |
destination_dns_hostname | url | | | |
resource | url | | | |
orig_from | usrName | | | |
user | usrName | | | |
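The field mapping and the replace_value callback described above, as an added example that is not Log Exporter's code: it applies a subset of the rows transcribed from the table (plain renames, the tableName scoping, and the severity and app_risk charts) to a constructed Check Point record with one nested file_table row. How Log Exporter resolves two raw fields that land on the same LEEF key, and how it flattens nested tables into the LEEF line, is not stated on this page; the example keeps the first value written, records the collision, and maps nested rows as separate calls (assumptions).

```python
"""Apply rows of LeefFieldsMapping.xml (as tabulated above) to a record.

Added example, not Log Exporter code.  The rows are a subset transcribed
from the table on this page.  How Log Exporter resolves two raw fields
that land on the same LEEF key is not stated on the page; this example
keeps the first value written and records the collision (assumption).
"""

# Plain renames: (origName, dstName, tableName).  tableName is None for
# top-level fields and the nested table's name otherwise.
RENAMES = [
    ("time", "devTime", None),
    ("action", "cat", None),
    ("d_port", "dstPort", None),
    ("s_port", "srcPort", None),
    ("protection_name", "signature", None),
    ("policy_name", "policy", None),
    ("policy", "policyName", None),
    ("user", "usrName", None),
    ("file_name", "filename", None),
    ("file_size", "fileSize", None),
    ("file_id", "fileID", None),
    ("file_name", "fname", "file_table"),
    ("file_size", "fsize", "file_table"),
    ("file_id", "fileId", "file_table"),
]

# replace_value rows: (origName, dstName, tableName) -> key:value chart.
# "default" is the value used when the raw value matches no other key.
REPLACE_VALUE = {
    ("severity", "sev", None): {
        "default": "0", "0": "0", "1": "2", "2": "5", "3": "8", "4": "10"},
    ("app_risk", "sev", None): {
        "default": "0", "0": "0", "1": "2", "2": "4", "3": "6", "4": "8", "5": "10"},
    ("app_risk", "sev", "match_table"): {
        "default": "Unknown", "0": "Unknown", "1": "Low", "2": "Low",
        "3": "Medium", "4": "High", "5": "Very-High"},
}

# Constructed sample record, raw field names, with one nested file_table row.
SAMPLE_LOG = {
    "time": "1560000000",
    "action": "Prevent",
    "severity": "2",      # severity scale: 2 -> sev 5
    "app_risk": "4",      # app_risk scale: 4 -> sev 8, disagrees with severity
    "src": "192.0.2.10",
    "dst": "198.51.100.7",
    "s_port": "49152",
    "d_port": "443",
    "protection_name": "Exploit.Win32.Generic.TC",
    "policy_name": "Standard",
    "file_name": "invoice.pdf",
    "file_table": [{"file_name": "invoice.pdf", "file_size": "10240", "file_id": "f-1"}],
}


def replace_value(chart, raw):
    """The replace_value callback: swap the raw value via the key:value chart."""
    return chart.get(str(raw), chart["default"])


def map_fields(record, table_name=None):
    """Map one record (the top-level log, or one row of a nested table) to
    LEEF attribute names.  Returns (attrs, collisions)."""
    attrs, collisions = {}, []

    def emit(dst, value, orig):
        if dst in attrs and attrs[dst] != value:
            collisions.append((dst, orig, value))   # first writer wins (assumption)
            return
        attrs[dst] = value

    mapped = set()
    for orig, dst, scope in RENAMES:
        if scope == table_name:
            mapped.add(orig)
            if orig in record:
                emit(dst, record[orig], orig)
    for (orig, dst, scope), chart in REPLACE_VALUE.items():
        if scope == table_name:
            mapped.add(orig)
            if orig in record:
                emit(dst, replace_value(chart, record[orig]), orig)
    # Anything without a mapping row keeps its raw name: src/dst are already
    # LEEF names, the rest become custom (non-normalized) keys in QRadar.
    # Nested tables (lists) are mapped separately with their own scope.
    for key, value in record.items():
        if key not in mapped and not isinstance(value, list):
            attrs.setdefault(key, value)
    return attrs, collisions


if __name__ == "__main__":
    top, clashes = map_fields(SAMPLE_LOG)
    print(top, clashes)
    for row in SAMPLE_LOG["file_table"]:
        print(map_fields(row, "file_table"))
    print(map_fields({"app_risk": "5"}, "match_table"))
```

Running it on the sample shows the practical consequences of the table: severity wins sev with 5 and the app_risk value 8 is reported as a collision, policy_name becomes policy while a raw policy field would become policyName, and the same file_name field becomes filename at the top level but fname inside file_table. A raw severity outside 0 to 4 falls to the default row.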