IBM Security QRadar

  • 1.  qradar not parsing and mapping checkpoint logs using syslog

    Posted Wed November 04, 2020 07:49 AM

    Good day People,

    I am having this challenge with the logs I am getting from Check Point to my SIEM (QRadar) after integrating it using syslog. OPSEC/LEA has already been used for our secondary site, and we can't pull the certificate twice where you have two SMS servers for Check Point (Production and DR).
    So I decided to use syslog, configuring it following the DSM guide at the link below. But it's not parsing and mapping the logs in the payload, which has all the details.

    Does anyone know how I can deal with this?




    https://www.ibm.com/support/knowledgecenter/SS42VS_DSM/com.ibm.dsm.doc/t_DSM_guide_Checkpoint_LEEF_payloads.html


    ------------------------------
    Chibuzo Arukwe
    ------------------------------


  • 2.  RE: qradar not parsing and mapping checkpoint logs using syslog

    Posted Wed November 04, 2020 08:58 AM

    When we moved to Check Point DSM over syslog, I had to change some of the properties used for mapping:

    Event Category
    Expression Type: LEEF
    Expression: $product$

    Event ID
    Expression Type: LEEF
    Expression: $eventid$

    LEEF Event ID
    Expression Type: LEEF
    Expression: $eventid$



    ------------------------------
    T
    ------------------------------



  • 3.  RE: qradar not parsing and mapping checkpoint logs using syslog

    Posted Thu November 05, 2020 04:01 AM

    Hi,

    Thanks for the help

    Yes, I used this and it's parsing and mapping more than before, but I still see a lot not parsed. Did you notice the same with yours, and what did you do?

    Appreciate the help

    ------------------------------
    Chibuzo Arukwe
    ------------------------------



  • 4.  RE: qradar not parsing and mapping checkpoint logs using syslog

    Posted Thu November 05, 2020 07:00 AM
    Thank you so much. I used Log Exporter instead of just configuring syslog, to send syslog over LEEF format, and with the modification I made to eventid and event category under the DSM property field, I also enabled Property Autodetection for 980 events and everything is cool. Thanks again.

    Regards.


    ------------------------------
    Chibuzo Arukwe
    ------------------------------



  • 5.  RE: qradar not parsing and mapping checkpoint logs using syslog

    Posted Thu November 05, 2020 08:28 AM
    Yes, we saw the same thing and I am glad you remembered about the autodetection, that is a very useful feature!

    ------------------------------
    T
    ------------------------------



  • 6.  RE: qradar not parsing and mapping checkpoint logs using syslog

    Posted Thu November 05, 2020 10:12 AM
    Hi,

    Thanks for the help. I have applied it and I can see it's parsing a lot of the logs compared to before, but I still see logs not being parsed for firewall accept; see the example below.

    It's not parsing and mapping this:

    <158>xxxxxxx admin: 23:58:50 5 13486578715268489418 16 accept 192.168.50.3 > eth1-01 LogId: 352; ContextNum: <max_null>; OriginSicName: CN=MainOne_EXT_VSX_GW02_MainOne_Perimeter_VS,O=xxxxxx.kyyqyx; duration: 3:00:00; last_hit_time: 4Nov2020 20:58:50; update_count: 2; creation_time: 4Nov2020 20:58:50; connection_count: 1; aggregated_log_count: 1; src: xxx.107.xxx.179; dst: xxx.13x.x; proto: tcp; user: ; src_user_name: ; src_machine_name: ; src_user_dn: ; snid: ; dst_user_name: ; dst_machine_name: ; dst_user_dn: ; service_id: TCP_All_SourcePort; inzone: External; outzone: Local; UP_match_table: TABLE_START; ROW_START: 0; match_id: 19; layer_uuid: xxxxxxxxxxxxxxxxxxxxxxxx; layer_name: PERIMETER-VS-POLICY Network; rule_uid: 1xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx ; rule_name: Stealth Rule; ROW_END: 0; ROW_START: 1; match_id: 33554445; layer_uuid:xxxxxxxxxxxxxxxxxxx; layer_name: AppControl&UrlFiltering; rule_uid: xxxxxxxxxxxxxxxxx; rule_name: Cleanup rule; R

    The one above is a whole lot, over 21,000 events in 15 min, compared to the ones parsed, which is over 1500.
    But it is parsing and mapping this:

    <158>xxxxxxx admin: 23:59:00 5 N/A 279 accept 172.21.23.9 > bond1.3013 LogId: 0; ContextNum: <max_null>; OriginSicName: CN=MainOne_VSX_GW02_MainOne_DC_VS,O=xxxxxxxxx; inzone: Internal; outzone: Internal; service_id: echo-request; ICMP: Echo Request; src: xxxxxx; dst: xxxxxxxxxx; proto: icmp; ICMP Type: 8; ICMP Code: 0; UP_match_table: TABLE_START; ROW_START: 0; match_id: 0; layer_uuid: xxxxxxxxxxxxxxxxxxxxxxxxxxxx; layer_name: Network; rule_uid: xxxxxxxxxxxxxxxxxxxxx; rule_name: Implied Rule ; ROW_END: 0; UP_match_table: TABLE_END; src_user_name: Fidelity Model (xxxxxxxxxxl@fidelitybank.ng)(+)Abdul-Fxxxxxx(xxxx@fidelitybank.ng); src_machine_name: dr-newonlinbken@fidelitybank.ng; ProductName: VPN-1 & FireWall-1; ProductFamily: Network;




    ------------------------------
    Chibuzo Arukwe
    ------------------------------



  • 7.  RE: qradar not parsing and mapping checkpoint logs using syslog

    Posted Thu November 05, 2020 11:29 AM
    Can you configure Check Point to send the events with LEEF 2.0 format? Otherwise you will have to compare those event payloads that are not parsing to ones that are and see what the differences are and add overrides to the event ID and category parsing on the DSM.

    ------------------------------
    T
    ------------------------------
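
Reply 7 suggests comparing the payloads that do not parse against the ones that do. The Python below is an added example written for this thread; it is not code from IBM, Check Point or any poster. It splits the free-form Check Point syslog body quoted in reply 6 into its "key: value;" fields, collects the UP_match_table rows, flags a truncated trailing fragment, and diffs the two records so the field differences are listed rather than eyeballed. The two sample lines are constructed from the payloads quoted above, with the masked addresses and names replaced by placeholders; the record keys such as `_header_tokens` and `_table_closed` are this example's own naming, not QRadar property names.

```python
import re
from typing import Dict, List

# Constructed samples modelled on the two payloads quoted in this thread
# (shortened, masked values replaced by documentation addresses/names).
UNPARSED = (
    "<158>fw-hostname admin: 23:58:50 5 13486578715268489418 16 accept 192.168.50.3 > eth1-01 "
    "LogId: 352; ContextNum: <max_null>; OriginSicName: CN=EXAMPLE_GW,O=example; "
    "duration: 3:00:00; src: 203.0.113.179; dst: 198.51.100.7; proto: tcp; user: ; "
    "service_id: TCP_All_SourcePort; inzone: External; outzone: Local; "
    "UP_match_table: TABLE_START; ROW_START: 0; match_id: 19; "
    "layer_name: PERIMETER-VS-POLICY Network; rule_name: Stealth Rule; ROW_END: 0; "
    "ROW_START: 1; match_id: 33554445; layer_name: AppControl&UrlFiltering; "
    "rule_name: Cleanup rule; R"
)
PARSED = (
    "<158>fw-hostname admin: 23:59:00 5 N/A 279 accept 172.21.23.9 > bond1.3013 "
    "LogId: 0; ContextNum: <max_null>; OriginSicName: CN=EXAMPLE_DC_GW,O=example; "
    "inzone: Internal; outzone: Internal; service_id: echo-request; ICMP: Echo Request; "
    "src: 10.0.0.5; dst: 10.0.0.9; proto: icmp; ICMP Type: 8; ICMP Code: 0; "
    "UP_match_table: TABLE_START; ROW_START: 0; match_id: 0; layer_name: Network; "
    "rule_name: Implied Rule ; ROW_END: 0; UP_match_table: TABLE_END; "
    "src_user_name: Example User (user@example.org); src_machine_name: host@example.org; "
    "ProductName: VPN-1 & FireWall-1; ProductFamily: Network;"
)

# Header shape seen in both samples: <pri>host admin: HH:MM:SS <tokens> <action> <origin> > <iface> body
HEADER = re.compile(r"^<(\d+)>(\S+) admin: (\d\d:\d\d:\d\d) (.*?) > (\S+) (.*)$")


def parse_checkpoint_syslog(line: str) -> Dict[str, object]:
    """Split one free-form Check Point syslog line into header parts and body fields."""
    m = HEADER.match(line)
    if not m:
        raise ValueError("line does not match the Check Point free-form syslog header")
    pri, host, clock, left, iface, body = m.groups()
    left_tokens = left.split()
    fields: Dict[str, str] = {}      # top-level "key: value" pairs
    rows: List[Dict[str, str]] = []  # one dict per ROW_START ... ROW_END block
    truncated: List[str] = []        # segments with no colon, e.g. a cut-off tail
    current = None
    for seg in body.split(";"):
        seg = seg.strip()
        if not seg:
            continue
        if ":" not in seg:
            truncated.append(seg)
            continue
        key, _, value = seg.partition(":")
        key, value = key.strip(), value.strip()
        if key == "ROW_START":
            current = {"_row": value}
            rows.append(current)
            continue
        if key == "ROW_END":
            current = None
            continue
        (current if current is not None else fields)[key] = value
    return {
        "_pri": int(pri), "_host": host, "_time": clock,
        "_header_tokens": left_tokens[:-2],   # e.g. ['5', '13486578715268489418', '16']
        "_action": left_tokens[-2], "_origin": left_tokens[-1], "_interface": iface,
        "_fields": fields, "_rules": rows, "_truncated": truncated,
        # the parsed sample closes the rule table; the unparsed one never reaches TABLE_END
        "_table_closed": fields.get("UP_match_table") == "TABLE_END",
    }


def diff_records(first: Dict[str, object], second: Dict[str, object]) -> Dict[str, object]:
    """List which top-level fields each record has that the other lacks."""
    ka, kb = set(first["_fields"]), set(second["_fields"])
    return {
        "only_in_first": sorted(ka - kb),
        "only_in_second": sorted(kb - ka),
        "header_tokens_differ": first["_header_tokens"] != second["_header_tokens"],
        "first_truncated": bool(first["_truncated"]) or not first["_table_closed"],
        "second_truncated": bool(second["_truncated"]) or not second["_table_closed"],
    }


if __name__ == "__main__":
    unparsed, parsed = parse_checkpoint_syslog(UNPARSED), parse_checkpoint_syslog(PARSED)
    for k, v in diff_records(unparsed, parsed).items():
        print(f"{k}: {v}")
```

Run against the two samples, the diff shows that the unparsed record is cut off (a stray "R" segment and no TABLE_END) and lacks the ProductName and ProductFamily fields that the parsed record carries, while its header holds a numeric value where the parsed one has N/A. Those are the concrete differences to test when writing an event ID or category override on the DSM, as the last reply recommends.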