MDS/SMS User login string from SID
Hello everyone,
I was wondering if there is a way to get the user login from an API SID (x-chkp-sid)?
The format of the SID in the api.elg file does not fit the "ID" field of the Audit Log:
Does any of you know where I could find the link between an SID and a user login?
Any help would be appreciated.
Accepted Solutions
I'm guessing this is because SIDs are ephemeral and used only while the session is active.
And looking at the API more closely, the API only supports looking up by session UID (different from the SID).
You can look up the session by the session UID, which is listed in the log card for the Log Out entry.
Curious: given the ephemeral nature of SIDs, why is lookup by SID interesting?
The session ID is generated as a result of a login action, meaning it's unique for that session for that user.
If you want to see who is associated with a given session, use the show-session API call.
Thank you for the quick reply.
I just checked the API documentation for show-session (https://sc1.checkpoint.com/documents/latest/APIs/index.html#web/show-session~v1.1%20).
It does not state if this would show me the details of a previous (logged out) session?
Do you know if this is the case?
[Edit:] A quick test shows me the reply:
"Invalid parameter for [uid]. The invalid value: [00000000000000000000000000000]"
Thank you for the pointers.
I've been looking up by SID because that's what is showing in the API logs.
We've got a lot of admin accounts, some tools like Algosec, and a few scripts doing regular queries on the API.
It would have been neat for me to have a way to identify user activity directly from the api.elg file in order for me to contact a software admin, a user, or a team in charge of a script/software in order to show them ways to improve their workflow (e.g. too many calls in a short period of time, unnecessary non-filtered requests, wrong timing because it's telescoping with another script, etc.).
@Omer_Kleinstern maybe we can add more information to api.elg for troubleshooting?
Hi @FGBrollo,
You can add a user agent header in the API calls to identify user activity in API logs (--user-agent in mgmt_cli).
Algosec will add a user agent header to their API calls in their next version.
Thanks,
Omer
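
For scripts that call the web API directly instead of going through mgmt_cli, the same idea looks like this. It is an added example, not code from this thread or from Check Point: every call carries an identifying User-Agent, and the client keeps the session UID (the value show-session accepts) next to the ephemeral SID. Assumptions: the login reply carries `sid` and `uid` fields, and the names `MgmtSession`, `http_send`, `mgmt.example.test`, `netops-report/1.0` and the sample replies are hypothetical or constructed.

```python
import json
import urllib.request

def http_send(url, headers, body):
    """Default transport: POST the JSON body and decode the JSON reply."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

class MgmtSession:
    """Minimal Management API client that labels every call with a User-Agent."""

    def __init__(self, server, user_agent, send=http_send):
        self.base = f"https://{server}/web_api/"
        self.user_agent = user_agent   # pick one string per script or tool
        self.send = send
        self.sid = None                # ephemeral token, sent as X-chkp-sid
        self.session_uid = None        # assumed "uid" field of the login reply

    def call(self, command, payload=None):
        headers = {"Content-Type": "application/json",
                   "User-Agent": self.user_agent}
        if self.sid:
            headers["X-chkp-sid"] = self.sid
        body = json.dumps(payload or {}).encode()
        return self.send(self.base + command, headers, body)

    def login(self, user, password):
        reply = self.call("login", {"user": user, "password": password})
        self.sid, self.session_uid = reply["sid"], reply["uid"]
        return reply

    def show_session(self):
        # Lookup is by session UID, not by SID, as noted in the thread.
        return self.call("show-session", {"uid": self.session_uid})

def demo():
    """Run against a constructed in-memory transport (no network)."""
    seen = []
    def fake_send(url, headers, body):
        seen.append((url, headers, json.loads(body)))
        if url.endswith("/login"):
            return {"sid": "SID-constructed", "uid": "UID-constructed"}
        return {"uid": "UID-constructed", "user-name": "svc-report"}
    s = MgmtSession("mgmt.example.test", "netops-report/1.0", send=fake_send)
    s.login("svc-report", "not-a-real-password")
    s.show_session()
    return seen
```

Having each script also write its own session UID and user agent to its local log at login gives a second place to correlate activity.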
