topic Re: Enabling other sourcetype inputs from OPSEC LEA in All Apps and Add-ons

Enabling other sourcetype inputs from OPSEC LEA

tiny3001 — Thu, 23 Jun 2016 10:35:37 GMT

Good day,

We have a client that recently added the new Anti-Bot, Anti-Virus and Threat Emulation blades to their Checkpoint installation.

We are already gathering their Firewall and SmartDefense logs via the older Checkpoint OPSEC LEA app. I've now migrated those inputs to the new app and everything seems to be up and running, however, can't seem to create inputs for the opsec:anti_malware and opsec:anti_virus sourcetypes. The drop-down list on the "Create input" screen does not allow checking for that.

Is there a step that I'm missing? Could it be that we need the client to change something on the Checkpoint Firewall?

I've even tried overriding the data field in opseclea_inputs.conf and tried values like anti_malware and anti_virus. The inputs screen just shows undefined for the data field if I do that.

Please help?

Re: Enabling other sourcetype inputs from OPSEC LEA

jamesarmitage — Thu, 23 Jun 2016 17:45:02 GMT

The opsec:antimalware and opsec:antivirus events should be pulled if you use the Non-Audit input.

I'm having trouble with that setting, but have managed to retrieve some of those events that way. I find that my data collection is hanging after an initial connection.

Re: Enabling other sourcetype inputs from OPSEC LEA

tiny3001 — Fri, 24 Jun 2016 12:09:19 GMT

Thank you. It doesn't seem intuitive at all, but I guess at some stage I could have just tried Non-Audit to see what it does.

I am also experiencing the data collection dying after a while.

Finally, there also seems to be an issue with the opsec:anti_bot sourcetype incorrectly going to opsec:anti_malware because of this bug posted on Check Points' website:
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk111887

Re: Enabling other sourcetype inputs from OPSEC LEA

tiny3001 — Fri, 24 Jun 2016 12:24:42 GMT

I've also now tested both online mode and offline mode to see if it makes a difference. I get data flowing in for about 5 minutes and then it dies. Did not have this old issue with the older Check Point app.

Re: Enabling other sourcetype inputs from OPSEC LEA

tiny3001 — Fri, 24 Jun 2016 12:59:29 GMT

Some further testing: There's definitely a difference in how the old Check Point app and the new one pulled data data from the OPSEC application. I got annoyed by the fact that the default interval was '3600' on the new app and I kept changing it to '30' as per the default on the old app.

This quickly led to MANY lea_loggrabber instances running concurrently and I suspect that is what stopped the data flow.

I'm now back on the default interval of 3600 and things seem to be more stable... whether they'll stay that way after an hour is something I'll be reporting back on later...

Re: Enabling other sourcetype inputs from OPSEC LEA

tiny3001 — Mon, 27 Jun 2016 03:54:38 GMT

FYI: They didn't stay stable

Re: Enabling other sourcetype inputs from OPSEC LEA

jamesarmitage — Mon, 27 Jun 2016 16:59:30 GMT

I've noticed the exact same issue as you. I'm just about to open another question thread, with some additional background info that I've found. I believe it's a bug in the data-handling that only comes up with the Non-Audit setting.