Johan_van_Somme
Explorer

Events from SmartEvent to SIEM

Hi All,

Yes, I know Check Point is working on, or doing a survey about, how to forward events to 3rd-party SIEM tools.

However, we can't wait that long. Currently we filter the logs using the log forwarder to our SIEM (via syslog); however, the data ingest is reasonable.

Furthermore, our deployment consists of a reasonable number of Quantum Gateways, which forward those logs to our SmartEvent server within an MDS system. So integration with Smart-1 Cloud is a feasible option right now.

We could, however, forward the logs only to the Smart-1 Cloud, but we're unsure if we can create a link to our SIEM solution. Has anyone created a solution to forward events and alerts only from a mostly on-prem environment to a 3rd-party SIEM?

Other than forwarding the raw syslogs into the 3rd-party SIEM data lake and doing the filtering right there.

By the way, we do some filtering on the SmartEvent log forwarder also; however, this is pretty cumbersome.


Hope anyone can help, thanks for the assistance in advance.

Greetz, Johan

5 Replies
AkosBakos
Advisor

Hi @Johan_van_Somme 

The cp_log_export solution is not suitable for this?

https://support.checkpoint.com/results/sk/sk122323

Akos

----------------
\m/_(>_<)_\m/
Johan_van_Somme
Explorer

Thanks AkosBakos,

Thanks for the quick reply. We're already using the log_forwarder and doing a lot of filtering in the log_forwarder configuration already. However, this doesn't bring us to the bare necessity just yet. What we're trying to achieve is not raw logs into the SIEM, but only actionable alerts and events to our 3rd-party SIEM: keep the intelligence in Check Point and only forward actionable events to the SIEM with metadata on the alert, so we have some correlation on events.
Otherwise the data ingest from our gateways will increase the cost of hot storage on our SIEM considerably.
Hope anyone else has some more insight on how to accomplish this.
PhoneBoy
Admin

As far as I know, only raw logs can be forwarded to an external SIEM.
The correlations made in SmartEvent are not forwarded.
This is most likely an RFE that should be discussed with your local Check Point office.

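Since, as stated above, only raw logs leave the platform, the reduction has to happen on the raw stream before it reaches the SIEM. The following is an added example, not Check Point code and not something from this thread: a small relay that reads Log Exporter (cp_log_export) JSON output, keeps only high-severity Threat Prevention events, collapses repeats of the same protection between the same hosts into one alert with a hit count, and emits the result as an RFC 5424 syslog line. The field names (`product`, `severity`, `action`, `protection_name`, `origin`, `src`, `dst`, `time`), the sample lines and the `cp-prefilter` app name are assumptions constructed for the example; check them against what your own Log Exporter target actually emits.

```python
"""Pre-filter for Check Point Log Exporter JSON output before SIEM ingest.

Added example, not Check Point's own code. Assumes Log Exporter writes one
flat JSON object per line with the field names used below (an assumption;
the sample lines are constructed, not real gateway output).
"""
import json
from collections import OrderedDict

# Constructed sample: three firewall accepts, two identical IPS preventions,
# one Threat Emulation verdict, and one malformed line.
SAMPLE_LINES = [
    '{"time":"2024-05-01T10:00:01Z","origin":"gw-ams-01","product":"VPN-1 & FireWall-1","action":"Accept","severity":"Informational","src":"10.1.1.5","dst":"8.8.8.8"}',
    '{"time":"2024-05-01T10:00:02Z","origin":"gw-ams-01","product":"VPN-1 & FireWall-1","action":"Accept","severity":"Informational","src":"10.1.1.6","dst":"1.1.1.1"}',
    '{"time":"2024-05-01T10:00:03Z","origin":"gw-ams-01","product":"IPS","action":"Prevent","severity":"High","src":"203.0.113.9","dst":"10.1.2.10","protection_name":"Apache Struts2 Remote Code Execution"}',
    '{"time":"2024-05-01T10:00:04Z","origin":"gw-ams-01","product":"IPS","action":"Prevent","severity":"High","src":"203.0.113.9","dst":"10.1.2.10","protection_name":"Apache Struts2 Remote Code Execution"}',
    '{"time":"2024-05-01T10:00:05Z","origin":"gw-rtm-02","product":"Threat Emulation","action":"Prevent","severity":"Critical","src":"10.1.3.7","dst":"198.51.100.20","protection_name":"Exploited docx document"}',
    'this line is not JSON and must not crash the relay',
]

# Only Threat Prevention blades at High/Critical are worth hot storage.
ACTIONABLE_PRODUCTS = {"IPS", "Anti-Bot", "Anti-Virus", "Threat Emulation"}
ACTIONABLE_SEVERITIES = {"High", "Critical"}


def parse_lines(lines):
    """Parse JSON lines; malformed input is counted, never fatal."""
    events, malformed = [], 0
    for line in lines:
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            malformed += 1
            continue
        if isinstance(obj, dict):
            events.append(obj)
        else:
            malformed += 1
    return events, malformed


def is_actionable(event):
    """True for Threat Prevention events at High or Critical severity."""
    return (event.get("product") in ACTIONABLE_PRODUCTS
            and event.get("severity") in ACTIONABLE_SEVERITIES)


def aggregate(events):
    """Collapse repeats of the same protection between the same hosts on the
    same gateway into one alert with hit_count and first/last timestamps."""
    groups = OrderedDict()
    for ev in events:
        key = (ev.get("origin"), ev.get("product"), ev.get("protection_name"),
               ev.get("src"), ev.get("dst"))
        alert = groups.get(key)
        if alert is None:
            alert = dict(ev)
            alert["hit_count"] = 1
            alert["first_seen"] = ev.get("time")
            alert["last_seen"] = ev.get("time")
            groups[key] = alert
        else:
            alert["hit_count"] += 1
            alert["last_seen"] = ev.get("time")
    return list(groups.values())


def filter_for_siem(lines):
    """Return (alerts to forward, ingest statistics) for a batch of lines."""
    events, malformed = parse_lines(lines)
    actionable = [e for e in events if is_actionable(e)]
    alerts = aggregate(actionable)
    for alert in alerts:
        # Metadata explaining why this record reached the SIEM.
        alert["forward_reason"] = f"{alert['product']} severity {alert['severity']}"
    stats = {
        "received": len(events),
        "malformed": malformed,
        "suppressed": len(events) - len(actionable),
        "forwarded": len(alerts),
    }
    return alerts, stats


def to_syslog(alert, pri=134):
    """Serialize one alert as an RFC 5424 line (app-name is an assumption)."""
    body = json.dumps(alert, separators=(",", ":"))
    return f"<{pri}>1 {alert['last_seen']} {alert['origin']} cp-prefilter - - - {body}"


if __name__ == "__main__":
    forwarded, ingest_stats = filter_for_siem(SAMPLE_LINES)
    for alert in forwarded:
        print(to_syslog(alert))
    print(ingest_stats)
```

On the constructed sample this forwards two alerts instead of five log lines (the IPS pair becomes one alert with `hit_count` 2) and reports what it suppressed, which is the number you would watch to make sure the filter is not hiding something the SIEM should see. It is coarse compared with SmartEvent correlation, but it is the filtering that is actually possible on the raw export.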
Johan_van_Somme
Explorer

Hi Dameon,

Thanks for your input. We're already talking to our local SE and CP AM about this use case, and have already issued an RFE to R&D on this topic.
I could imagine that this use case is an issue with other customers as well, so hopefully this can be addressed somehow.

For now, keep me posted.

PhoneBoy
Admin

At a high level, I'm curious how these would be communicated to the SIEM...beyond just sending the logs relevant to what was correlated.
This is where understanding the necessary use case(s) is key.
