This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
FM
Contributor
‎2020-09-21 01:05 PM
Jump to solution

missing key field “action” in IPS raw log sent to Arcsight SIEM

While reviewing the IPS raw log sent to Arcsight SIEM to identify a key field “action” that is available on the console, and required in the usecase to trigger a matching IPS incident is missing the key field “action”.

As we do not want to trigger an Incident/alert for threats that are already blocked (under action: Prevent, block, Redirect), the key field (“action”) highlighted in the attached screenshot is required. Can you tell me how we can address this blocking point?

 

 

Preview file
7 KB
0 Kudos
1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin
‎2020-09-27 08:59 PM
In response to FM
Jump to solution

You can see what fields we can send here: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
Log Exporter can be configured to filter specific logs as well: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut... 
The configuration may need to be adjusted appropriately. 

View solution in original post

5 Replies
PhoneBoy
Admin
Admin
‎2020-09-23 03:17 PM
Jump to solution

How precisely are you sending logs to Arcsight?

FM
Contributor
‎2020-09-24 07:24 AM
In response to PhoneBoy
Jump to solution

Can you elaborate on "How precisely are you sending logs to Arcsight?"

We receive the logs thru syslog from the managers. The logs are formatted as CEF natively when sent to us. Here is a sanitized example

Sep 24 13:25:25 x.x.x.x  CEF:0|Check Point|SmartDefense|Check Point|IPS|Resource Records Enforcement|Very-High|cp_severity=Very-High cs2Label=Protection ID cs2=asm_dynamic_prop_dns_rr cs3Label=Protection Type cs3=IPS cs4Label=Protection Name cs4=Resource Records Enforcement deviceDirection=0 flexNumber1Label=Confidence flexNumber1=1 flexNumber2Label=Performance Impact flexNumber2=2 flexString2Label=Attack Information flexString2=Resource Records Enforcement - Excessive number of Resource Records detected in reply msg=DNS Enforcement Violation rt=1600953924000 loguid={0x8exxxxxx,0xefcxxxxx,0x7dfxxxxx,0xf3xxxxxx} origin=x.x.x.x originsicname=CN\=EXTERNAL,O\=hostname.domain.com.xxxxxxx sequencenum=370 version=5 description_url=dns_rr_help.html product=SmartDefense smartdefense_profile=xxxxxxxx_Recommended_Protection src=x.x.x.x

0 Kudos
PhoneBoy
Admin
Admin
‎2020-09-27 08:59 PM
In response to FM
Jump to solution

You can see what fields we can send here: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
Log Exporter can be configured to filter specific logs as well: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut... 
The configuration may need to be adjusted appropriately. 

LostBoY
Advisor
‎2022-01-11 04:43 AM
In response to FM
Jump to solution

Hello,

Did you get around this issue ?.. i too am looking for "Action" field precisely for the same reason as yours.

0 Kudos
FM
Contributor
‎2022-01-11 05:51 AM
In response to LostBoY
Jump to solution

@LostBoY 

The last response from the Checkpoit SME I worked with was to make a feature request to have the  "Action" field added .

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events