Hi there,
I am configuring the importing of custom threat intelligence feeds into the R80.40 Check Point security gateway.
I am trying to configure exporting of specific events to an external syslog server.
If an IOC from the custom threat intelligence feed is seen, I would like the associated event/log for this indicator sent to an external syslog server/collector.
I understand it is possible to send filtered logs to an external syslog server; however, I am unsure of the IDs/identifiers for the custom threat intelligence feed logs to filter on.
Does anyone know how to do this?
Cheers,
How precisely are you importing the IoCs?
In any case, IoCs are blocked with either Anti-Virus or Anti-Bot.
Hi there PhoneBoy,
Unsure what you mean by "How precisely". I am using multiple custom intelligence "ioc_feeds add" commands to pull different IOC types via an API over HTTPS from one threat intelligence provider. The organisation who provides the feeds requires reporting on what IOCs from their feed are seen by the Check Point.
Is it possible to send logs (from the Anti-Virus/Anti-Bot blades?) to an external syslog server relating to the custom ioc_feed IOCs being seen?
You can also define IoCs via the management APIs, which is different than importing them via ioc_feeds.
Each indicator should have a unique name associated with it.
Offhand, I don't remember exactly what field it shows up in.
@TP_Master do you happen to know?
I would think you could filter based on that (or at the very least the blades used).
I have not seen any information regarding custom intel feeds through management API, only ioc_feed in article sk132193. However that being said, I have the feed already ingesting through ioc_feeds and am now looking to report back to a logging server via cp_export_log (Log Exporter - Check Point Log Export). Really just need any assistance on defining how to filter the cp_export_log to only export on events where an IOC from ioc_feed has been seen. Cheers.
Hi there @PhoneBoy, did you or anyone manage to find out the info to be used in the "cp_export_log" command to send events relating to an ioc_feeds IOC being seen?
Nothing that specifically covers this.
The approach I would take to find out is to see what log field(s) contain information related to the IoCs (most likely the "unique name" of the IoC, as noted in the IoC file).
Then you should be able to filter based on the contents of that field and the blades I mentioned.
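The approach in the last reply (identify the field carrying the indicator's unique name, then filter on that field plus the Anti-Bot/Anti-Virus blades) can also be applied downstream, at the syslog collector, once the gateway is exporting its logs. The script below is an added example and is not code from the thread, from Check Point or from the Log Exporter; it does not configure cp_log_export on the gateway. It assumes the exported lines are flat key=value pairs, that the blade appears in a `product` field and the indicator name in a `protection_name` field (both field names are assumptions to confirm against a real exported log, exactly as suggested above), and that the custom feed's indicators share a known name prefix (`CUSTOMFEED_` here is constructed). The sample log lines are constructed for the demo and are not real Check Point output.

```python
"""
Added example (not from the thread, Check Point or Log Exporter): keep only
exported Check Point log lines that are hits on custom IoC feed indicators,
using the blade field and the indicator-name field as the filter keys.

Assumptions (verify against your own exported logs):
  * lines are flat key=value pairs, values optionally double-quoted;
  * the blade name is in `product` and the indicator name in `protection_name`;
  * indicator names from the custom feed carry a shared prefix.
"""
import re
from typing import Dict, List

# Blades that act on IoCs, as stated in the thread.
IOC_BLADES = {"Anti-Bot", "Anti-Virus"}

# Matches key="quoted value" or key=unquoted_value.
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line: str) -> Dict[str, str]:
    """Parse one flat key=value log line into a dict of string fields."""
    # findall yields (key, quoted, unquoted); the unused alternative is ''.
    return {k: (q or u) for k, q, u in _KV_RE.findall(line)}


def is_custom_ioc_hit(rec: Dict[str, str], feed_prefix: str) -> bool:
    """True when the record came from an IoC blade and names an indicator
    from the custom feed (field names `product`/`protection_name` assumed)."""
    return (
        rec.get("product") in IOC_BLADES
        and rec.get("protection_name", "").startswith(feed_prefix)
    )


def filter_lines(lines: List[str], feed_prefix: str) -> List[Dict[str, str]]:
    """Return the parsed records that are custom-feed IoC hits, in order."""
    return [rec for rec in map(parse_line, lines) if is_custom_ioc_hit(rec, feed_prefix)]


# Constructed sample lines for the demo; values are made up, not real logs.
SAMPLE_LINES = [
    'time="1700000000" product="Anti-Bot" action="Prevent" src="10.0.0.5" '
    'dst="203.0.113.10" protection_name="CUSTOMFEED_c2_203-0-113-10" protection_type="IOC"',
    'time="1700000001" product="Anti-Virus" action="Detect" src="10.0.0.6" '
    'resource="http://example.invalid/x" protection_name="CUSTOMFEED_url_example" protection_type="IOC"',
    # Anti-Bot hit on a built-in signature, not the custom feed: must be excluded.
    'time="1700000002" product="Anti-Bot" action="Prevent" src="10.0.0.7" '
    'dst="198.51.100.3" protection_name="Trojan.Generic.X" protection_type="Bot"',
    # Firewall log with a similar-looking name in an unrelated field: must be excluded.
    'time="1700000003" product="Firewall" action="Accept" src="10.0.0.8" '
    'dst="192.0.2.1" rule_name="CUSTOMFEED_looks_similar"',
]

if __name__ == "__main__":
    for rec in filter_lines(SAMPLE_LINES, "CUSTOMFEED_"):
        print(rec["product"], rec["action"], rec["src"], rec["protection_name"])
```

Running it prints the two custom-feed hits and drops both the built-in Anti-Bot signature and the firewall log whose unrelated field merely looks like an indicator name; checking the blade and the indicator field together is what keeps the report restricted to the feed provider's own IoCs.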