CheckMates > Products > Quantum > Security Gateways
Events from SmartEvent to SIEM
Hi All,
Yes I know, Check Point is working on or doing a survey on how to forward events to 3rd party SIEM tools.
However we can't wait this long. Currently we filter the logs using the log forwarder to our SIEM (using Syslog); however, data ingest is reasonable.
Furthermore, our deployment consists of a reasonable amount of Quantum Gateways which forward those logs to our SmartEvent server within an MDS system. So integration with Smart-1 Cloud is a feasible option right now.
We could however forward the logs only to the Smart-1 Cloud, but we're unsure if we can create a link to our SIEM solution. Has anyone created a solution to forward events and alerts only from a mostly on-prem environment to a 3rd party SIEM?
Other than forwarding the raw syslogs into the 3rd party SIEM data lake and doing the filtering right there.
btw we do some filtering on the SmartEvent logforwarder also, however this is pretty cumbersome.
Hope anyone can help, thanks for the assistance in advance.
Greetz, Johan
The cp_log_export solution is not suitable for this?
https://support.checkpoint.com/results/sk/sk122323
Akos
\m/_(>_<)_\m/
Thanks AkosBakos,
Thanks for the quick reply. We're already using the log_forwarder currently and doing a lot of filtering in the log_forwarder configuration already. However, this doesn't bring us to the bare necessity just yet. What we're trying to achieve is not raw logs into the SIEM, but only actionable alerts and events to our 3rd party SIEM, and to keep intelligence in Check Point and only forward actionable events to the SIEM with metadata on the alert. So we have some correlation on events.
Otherwise the data ingest from our gateways will increase the cost of hot storage on our SIEM considerably.
Hope anyone else has some more insight on how to accomplish this.
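One way to get closer to "alerts only" on the SIEM side while the RFE is pending, as an added example that is not from this thread and not Check Point's code: a small relay that sits between the Log Exporter syslog stream and the SIEM, keeps only threat-prevention records at or above a severity threshold, and collapses repeats of the same alert into one record carrying a count. The key=value line shape, the field names (product, action, severity, protection_name, malware_family) and the sample values are constructed assumptions, not the product's documented export schema, so they would have to be mapped onto whatever format the exporter is actually configured to emit.

```python
"""Relay that pre-filters gateway syslog before it reaches the SIEM.

Added example, not from the thread or from Check Point. The record format
and field names below are assumptions chosen for illustration.
"""
import re
from collections import OrderedDict

# key="quoted value" or key=bare_token pairs; quoted alternative is tried first.
_KV = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

SEVERITY_RANK = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}
# Blades whose Prevent/Detect records an analyst actually acts on (assumption).
ACTIONABLE_PRODUCTS = {"IPS", "Anti-Bot", "Anti-Virus", "Threat Emulation"}
ACTIONABLE_ACTIONS = {"Prevent", "Detect"}
# Fields that identify "the same alert" when collapsing repeats.
AGG_KEY_FIELDS = ("product", "action", "src", "dst", "protection_name", "malware_family")

# Constructed sample lines; not real gateway output.
SAMPLE_LINES = [
    'time=1700000000 product="Firewall" action="Accept" severity="Informational" src=10.0.0.5 dst=10.0.1.10 service=443',
    'time=1700000001 product="IPS" action="Prevent" severity="High" src=203.0.113.7 dst=10.0.1.10 protection_name="Example Protection"',
    'time=1700000002 product="IPS" action="Prevent" severity="High" src=203.0.113.7 dst=10.0.1.10 protection_name="Example Protection"',
    'time=1700000003 product="Anti-Bot" action="Detect" severity="Critical" src=10.0.0.9 dst=198.51.100.4 malware_family="ExampleFam"',
    'time=1700000004 product="Firewall" action="Drop" severity="Low" src=192.0.2.3 dst=10.0.1.10 service=23',
    'time=1700000005 product="IPS" action="Detect" severity="Low" src=192.0.2.8 dst=10.0.1.10 protection_name="Noisy Signature"',
    'garbage line without fields',
]


def parse_record(line):
    """Return a dict of fields, or None if the line carries no key=value pairs."""
    fields = {}
    for m in _KV.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields or None


def is_actionable(rec, min_severity="Medium"):
    """Keep only threat-prevention records at or above the severity threshold."""
    if rec.get("product") not in ACTIONABLE_PRODUCTS:
        return False
    if rec.get("action") not in ACTIONABLE_ACTIONS:
        return False
    sev = SEVERITY_RANK.get(rec.get("severity", ""), -1)  # unknown severity never passes
    return sev >= SEVERITY_RANK[min_severity]


def filter_and_aggregate(lines, min_severity="Medium"):
    """Parse, filter, and collapse repeats of one alert into a single record with a count."""
    buckets = OrderedDict()  # preserves first-seen order for deterministic output
    for line in lines:
        rec = parse_record(line)
        if rec is None or not is_actionable(rec, min_severity):
            continue
        key = tuple(rec.get(f, "") for f in AGG_KEY_FIELDS)
        if key in buckets:
            buckets[key]["count"] += 1
            buckets[key]["last_time"] = rec.get("time", "")
        else:
            out = dict(rec)
            out["count"] = 1
            out["first_time"] = out["last_time"] = rec.get("time", "")
            buckets[key] = out
    return list(buckets.values())


def to_syslog(rec):
    """Serialise back to key=value so the SIEM's existing syslog input can ingest it."""
    return " ".join(f'{k}="{v}"' for k, v in rec.items())


if __name__ == "__main__":
    for r in filter_and_aggregate(SAMPLE_LINES):
        print(to_syslog(r))
```

Run against the constructed sample, the seven lines shrink to two forwarded records: the two identical IPS hits become one record with count=2, the Anti-Bot detection passes as-is, and the Accept/Drop firewall records, the Low-severity IPS record and the unparsable line are dropped. This is ingest reduction only; it does not reproduce SmartEvent's cross-log correlation, so the raw stream should still land somewhere cheap (cold storage or a local archive) so that nothing the relay discards is lost for later investigation.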
As far as I know, only raw logs can be forwarded to an external SIEM.
The correlations made in SmartEvent are not forwarded.
This is most likely an RFE that should be discussed with your local Check Point office.
Hi Dameon,
Thanks for your input, we're talking to our local SE and CP AM already about this use case, and have already issued an RFE to R&D on this topic.
I could imagine that this use case is an issue with other customers as well, so hopefully this can be addressed somehow.
For now keep me posted
At a high level, I'm curious how these would be communicated to the SIEM...beyond just sending the logs relevant to what was correlated.
This is where understanding the necessary use case(s) is key.
