FM
Contributor

missing key field “action” in IPS raw log sent to Arcsight SIEM

While reviewing the IPS raw log sent to ArcSight SIEM, I found that the key field "action", which is available on the console and is required in the use case to trigger a matching IPS incident, is missing from the raw log.

As we do not want to trigger an incident/alert for threats that are already blocked (under action: Prevent, Block, Redirect), the key field ("action") highlighted in the attached screenshot is required. Can you tell me how we can address this blocking point?

0 Kudos
1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin

You can see what fields we can send here: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
Log Exporter can be configured to filter specific logs as well: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut... 
The configuration may need to be adjusted appropriately. 

5 Replies
PhoneBoy
Admin
Admin

How precisely are you sending logs to Arcsight?

FM
Contributor

Can you elaborate on "How precisely are you sending logs to Arcsight?"

We receive the logs through syslog from the managers. The logs are formatted as CEF natively when sent to us. Here is a sanitized example:

Sep 24 13:25:25 x.x.x.x  CEF:0|Check Point|SmartDefense|Check Point|IPS|Resource Records Enforcement|Very-High|cp_severity=Very-High cs2Label=Protection ID cs2=asm_dynamic_prop_dns_rr cs3Label=Protection Type cs3=IPS cs4Label=Protection Name cs4=Resource Records Enforcement deviceDirection=0 flexNumber1Label=Confidence flexNumber1=1 flexNumber2Label=Performance Impact flexNumber2=2 flexString2Label=Attack Information flexString2=Resource Records Enforcement - Excessive number of Resource Records detected in reply msg=DNS Enforcement Violation rt=1600953924000 loguid={0x8exxxxxx,0xefcxxxxx,0x7dfxxxxx,0xf3xxxxxx} origin=x.x.x.x originsicname=CN\=EXTERNAL,O\=hostname.domain.com.xxxxxxx sequencenum=370 version=5 description_url=dns_rr_help.html product=SmartDefense smartdefense_profile=xxxxxxxx_Recommended_Protection src=x.x.x.x

0 Kudos
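To make concrete what the CEF line above does and does not carry, here is an added Python example (not code from this thread, from ArcSight, or from Check Point). It parses a constructed sample line modelled on the sanitized one posted, then applies the suppression rule the original question describes: no alert when the action is Prevent, Block or Redirect. The standard CEF extension key for device action is "act"; that Check Point's Log Exporter would emit the field under that name is an assumption. On the sample line the field is absent, so the triage function reports it as missing instead of silently raising an alert for a threat that may already have been blocked.

```python
import re

# Constructed sample, shortened from the sanitized CEF line posted above.
# Note the escaped "\=" inside originsicname, which a naive split on "=" breaks on.
SAMPLE_CEF = (
    "Sep 24 13:25:25 x.x.x.x  CEF:0|Check Point|SmartDefense|Check Point|IPS|"
    "Resource Records Enforcement|Very-High|cp_severity=Very-High "
    "cs2Label=Protection ID cs2=asm_dynamic_prop_dns_rr cs3Label=Protection Type cs3=IPS "
    "cs4Label=Protection Name cs4=Resource Records Enforcement msg=DNS Enforcement Violation "
    "rt=1600953924000 origin=x.x.x.x originsicname=CN\\=EXTERNAL,O\\=hostname.domain.com.xxxxxxx "
    "product=SmartDefense src=x.x.x.x"
)

# The seven pipe-delimited CEF header fields, in order.
HEADER_FIELDS = ("version", "device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity")

# Actions the original post wants to suppress (assumed spelling of the values).
BLOCKING_ACTIONS = {"prevent", "block", "redirect"}

# An extension key is a run of word characters followed by "=" at the start or after a space.
_KEY_RE = re.compile(r"(?:^| )([A-Za-z0-9_]+)=")


def _split_unescaped(text, sep, maxsplit):
    """Split text on sep at most maxsplit times, honouring backslash escapes.
    The split pieces are unescaped; the remainder is returned raw so the
    extension parser can handle its own escapes."""
    parts, buf, i = [], [], 0
    while i < len(text) and len(parts) < maxsplit:
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            buf.append(text[i + 1])
            i += 2
            continue
        if ch == sep:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append(text[i:] if i < len(text) else "".join(buf))
    return parts


def _unescape(value):
    """Turn "\=", "\|" and "\\" back into the literal character."""
    return re.sub(r"\\(.)", r"\1", value)


def parse_extension(ext):
    """Parse the space-separated key=value extension; values may contain spaces."""
    fields = {}
    matches = list(_KEY_RE.finditer(ext))
    for n, m in enumerate(matches):
        end = matches[n + 1].start() if n + 1 < len(matches) else len(ext)
        fields[m.group(1)] = _unescape(ext[m.end():end]).strip()
    return fields


def parse_cef(line):
    """Return {"header": {...}, "extension": {...}} for one syslog-wrapped CEF line."""
    idx = line.find("CEF:")
    if idx < 0:
        raise ValueError("not a CEF message")
    parts = _split_unescaped(line[idx + len("CEF:"):], "|", maxsplit=7)
    if len(parts) != 8:
        raise ValueError("malformed CEF header")
    return {"header": dict(zip(HEADER_FIELDS, parts[:7])),
            "extension": parse_extension(parts[7])}


def triage(event):
    """Decide what a SIEM rule should do with a parsed IPS event.
    "act" is the standard CEF key for device action (assumed name here)."""
    action = event["extension"].get("act")
    if action is None:
        # The field the thread is about is absent: we cannot tell whether the
        # threat was already blocked, so flag that explicitly.
        return "alert-missing-action"
    if action.lower() in BLOCKING_ACTIONS:
        return "suppress"
    return "alert"


if __name__ == "__main__":
    ev = parse_cef(SAMPLE_CEF)
    print(ev["header"]["name"], "->", triage(ev))
    print(triage(parse_cef(SAMPLE_CEF + " act=Prevent")))
```

The parser keeps the escaped "=" inside originsicname intact, which is exactly the kind of value that makes a simple split-on-spaces-and-equals approach misattribute fields. If the exporter is later configured to include the action field, only the assumed key name in triage needs to match what actually arrives.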
LostBoY
Advisor

Hello,

Did you get around this issue? I too am looking for the "Action" field, precisely for the same reason as yours.

0 Kudos
FM
Contributor

@LostBoY 

The last response from the Check Point SME I worked with was to make a feature request to have the "Action" field added.

0 Kudos
