sandman
Explorer

Exporting logs from custom threat intelligence

Hi there,

I am configuring the importing of custom threat intelligence feeds into the R80.40 checkpoint security gateway. 

I am trying to configure exporting of specific events to an external syslog server.

If an IOC from the custom threat intelligence feed is seen, I would like the associated event/log for this indicator sent to an external syslog server/collector.

I understand it is possible to send filtered logs to an external syslog server, however I am unsure of the ids/identifiers for the custom threat intelligence feed logs to filter on. 

Does anyone know how to do this?

Cheers,

0 Kudos
6 Replies
PhoneBoy
Admin

How precisely are you importing the IoCs?
In any case, IoCs are blocked with either Anti-Virus or Anti-Bot.

0 Kudos
sandman
Explorer

Hi there PhoneBoy,

Unsure what you mean by "How precisely". I am using multiple custom intelligence "ioc_feeds add" commands to pull different IOC types via an API through https from one threat intelligence provider. The organisation who provides the feeds requires reporting on what IOCs from their feed are seen by the checkpoint.

Is it possible to send logs (from the Anti-Virus/Anti-Bot blades?) to an external syslog server relating to the custom ioc_feeds IOCs being seen?

0 Kudos
PhoneBoy
Admin

You can also define IoCs via the management APIs, which is different than importing them via ioc_feeds.

Each indicator should have a unique name associated with it.
Offhand, I don't remember exactly what field it shows up in.
@TP_Master do you happen to know?

I would think you could filter based on that (or at the very least the blades used).

0 Kudos
sandman
Explorer

I have not seen any information regarding custom intel feeds through management API, only ioc_feed in article sk132193. However that being said, I have the feed already ingesting through ioc_feeds and am now looking to report back to a logging server via cp_export_log (Log Exporter - Check Point Log Export). Really just need any assistance on defining how to filter the cp_export_log to only export on events where an IOC from ioc_feed has been seen. Cheers.


0 Kudos
sandman
Explorer

Hi there @PhoneBoy, did you or anyone manage to find out info to be used in the "cp_export_log" command to send events relating to ioc_feeds IOCs being seen?

0 Kudos
PhoneBoy
Admin

Nothing that specifically covers this.
The approach I would take to find out is to see what log field(s) contain information related to the IoCs (most likely the "unique name" of the IoC, as noted in the IoC file).
Then you should be able to filter based on the contents of that field and the blades I mentioned.

0 Kudos
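The two-step approach described in the reply above (first find which exported log field carries the feed's unique indicator names, then filter on that field plus the Anti-Bot/Anti-Virus blades), as an added example that is not part of the thread or of any Check Point tool. The key=value log format, the field names `indicator_name`, `feed_name` and `protection_name`, and all values are constructed placeholders, not real Log Exporter output.

```python
import re
from collections import Counter

# Constructed sample lines in a key=value syslog style. The format, field names
# (indicator_name, feed_name) and values are placeholders, not real Check Point output.
SAMPLE_LOGS = [
    'product="Anti-Bot" action="Prevent" src=10.0.0.5 dst=198.51.100.7 '
    'indicator_name="partner-ioc-0001" feed_name="partner-feed"',
    'product="Anti-Virus" action="Detect" src=10.0.0.9 file_name="setup.exe" '
    'indicator_name="partner-ioc-0042" feed_name="partner-feed"',
    'product="Firewall" action="Drop" src=10.0.0.7 dst=203.0.113.2',
    # Anti-Bot hit from a built-in signature, not from the custom feed: must be excluded,
    # which is why filtering on the blade alone is too broad.
    'product="Anti-Bot" action="Prevent" src=10.0.0.8 protection_name="Generic.Bot"',
]

# Unique indicator names as they would appear in the feed file (constructed).
IOC_NAMES = {"partner-ioc-0001", "partner-ioc-0042"}
IOC_BLADES = {"Anti-Bot", "Anti-Virus"}

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_kv(line):
    """Parse one key=value line into a dict; quoted values may contain spaces."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV.finditer(line)}

def find_ioc_fields(logs, ioc_names):
    """Step 1: which log fields carry the feed's unique indicator names, and how often."""
    hits = Counter()
    for rec in map(parse_kv, logs):
        for field, value in rec.items():
            if value in ioc_names:
                hits[field] += 1
    return dict(hits)

def select_ioc_events(logs, field, ioc_names, blades):
    """Step 2: keep only events from the IoC blades whose `field` names a feed indicator."""
    return [rec for rec in map(parse_kv, logs)
            if rec.get("product") in blades and rec.get(field) in ioc_names]

if __name__ == "__main__":
    fields = find_ioc_fields(SAMPLE_LOGS, IOC_NAMES)
    print("candidate fields:", fields)
    best = max(fields, key=fields.get)
    for rec in select_ioc_events(SAMPLE_LOGS, best, IOC_NAMES, IOC_BLADES):
        print(rec["product"], rec["src"], rec[best])
```

Run it against a short capture of real exported logs (with the real indicator names from the feed file) to learn which field to put in the exporter's filter; the Anti-Bot line without an indicator name shows why the blade filter alone would also export built-in signature hits.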