
Detect Checkpoint FW action changes

Builder

Hello,

I'm trying to detect action changes (src/dst/action switching from drop to accept). Checkpoint FW addon is installed.

I thought about this query, but it's way too long:

index=xxx sourcetype=opsec action=drop earliest=-7d@d latest=@d
| dedup src,dst,service
| rename action AS prior_action
| table src,dst,service,prior_action
| join type=inner src,dst,service
    [ search index=xxx sourcetype=opsec action=accept earliest=@d latest=now
      | dedup src,dst,service
      | eval acctime=strftime(_time,"%y/%m/%d %H:%M")
      | rename action AS current_action
      | table src,dst,service,current_action,acctime ]
| table src,dst,service,prior_action,current_action,acctime

Thanks.

0 Karma
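The question above is really a two-window comparison: for every (src, dst, service) tuple, was the action "drop" in the prior window and "accept" in the current one? The following is an added example, not code from the thread or from the Check Point add-on. It implements that comparison in Python over a handful of constructed key=value log lines (a generic layout for illustration, not a verbatim OPSEC LEA record), and it goes one step further than the post: action_transitions() reports every action change per tuple in either direction, so an accept-to-drop flip is caught as well. The field names src, dst, service, action and the ISO time format are assumptions of the sample data.

```python
"""Detect firewall action flips per (src, dst, service) tuple.

Added example, not from the Splunk Answers thread and not Check Point code.
The log lines are constructed for illustration in a generic key=value layout.
"""
import re
from datetime import datetime, timezone

# Constructed sample events (not real Check Point output). The first tuple is
# dropped twice before 2019-05-07 and accepted on that day; the second tuple
# flips the other way (accept -> drop); the third is only ever accepted.
SAMPLE_LOGS = """\
time=2019-05-01T09:12:01Z src=10.1.1.5 dst=192.0.2.10 service=443 action=drop
time=2019-05-02T11:40:12Z src=10.1.1.5 dst=192.0.2.10 service=443 action=drop
time=2019-05-03T08:00:00Z src=10.1.1.9 dst=192.0.2.20 service=22 action=accept
time=2019-05-07T10:05:30Z src=10.1.1.5 dst=192.0.2.10 service=443 action=accept
time=2019-05-07T10:06:00Z src=10.1.1.5 dst=192.0.2.10 service=443 action=accept
time=2019-05-07T12:00:00Z src=10.1.1.9 dst=192.0.2.20 service=22 action=drop
time=2019-05-07T13:00:00Z src=10.1.1.7 dst=192.0.2.30 service=53 action=accept
"""

KV = re.compile(r"(\w+)=(\S+)")
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"  # assumed format of the constructed lines


def parse_logs(text):
    """Turn key=value lines into dicts; 'time' becomes an aware UTC datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = dict(KV.findall(line))
        ev["_time"] = datetime.strptime(ev.pop("time"), TIME_FMT).replace(tzinfo=timezone.utc)
        events.append(ev)
    return events


def tuple_key(ev):
    return (ev["src"], ev["dst"], ev["service"])


def detect_flips(events, split, from_action="drop", to_action="accept"):
    """Tuples seen with from_action before `split` and to_action at/after it.

    This mirrors the join in the question: the prior window is everything
    before `split` (the poster's earliest=-7d@d latest=@d), the current window
    is everything from `split` onward. Repeated events need no dedup because
    only the last prior time and first current time are kept.
    """
    last_prior = {}     # key -> last time from_action was seen before split
    first_current = {}  # key -> first time to_action was seen at/after split
    for ev in sorted(events, key=lambda e: e["_time"]):
        k = tuple_key(ev)
        if ev["_time"] < split:
            if ev["action"] == from_action:
                last_prior[k] = ev["_time"]
        elif ev["action"] == to_action and k not in first_current:
            first_current[k] = ev["_time"]
    results = []
    for k in sorted(set(last_prior) & set(first_current)):
        src, dst, service = k
        results.append({"src": src, "dst": dst, "service": service,
                        "last_prior": last_prior[k].isoformat(),
                        "first_current": first_current[k].isoformat()})
    return results


def action_transitions(events):
    """Every change of action between consecutive events of the same tuple,
    in either direction and regardless of window. Returns
    (key, old_action, new_action, time_of_change) tuples in time order."""
    last = {}
    changes = []
    for ev in sorted(events, key=lambda e: e["_time"]):
        k = tuple_key(ev)
        prev = last.get(k)
        if prev is not None and prev["action"] != ev["action"]:
            changes.append((k, prev["action"], ev["action"], ev["_time"].isoformat()))
        last[k] = ev
    return changes


def run_demo():
    """Run both detections over the sample data with the split at 2019-05-07 00:00Z."""
    events = parse_logs(SAMPLE_LOGS)
    split = datetime(2019, 5, 7, tzinfo=timezone.utc)
    return detect_flips(events, split), action_transitions(events)


if __name__ == "__main__":
    flips, transitions = run_demo()
    for row in flips:
        print("drop->accept:", row)
    for k, old, new, when in transitions:
        print("transition:", k, old, "->", new, "at", when)
```

In SPL the same grouping avoids the join entirely: a single stats with earliest(action) and latest(action) by src,dst,service over the whole period gives the before/after action per tuple, and a where clause on the two fields selects the flips.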

Re: Detect Checkpoint FW action changes

Engager

How about something from the audit log?

index=xxx product=SmartDashboard sourcetype=opsec_audit Operation="Modify Object"

0 Karma

Re: Detect Checkpoint FW action changes

Builder

Yes, I thought about it, but it won't give me a src/dst/service table. Thanks anyway.

0 Karma