Enabling other sourcetype inputs from OPSEC LEA

tiny3001
Path Finder

Good day,

We have a client that recently added the new Anti-Bot, Anti-Virus and Threat Emulation blades to their Checkpoint installation.

We are already gathering their Firewall and SmartDefense logs via the older Checkpoint OPSEC LEA app. I've now migrated those inputs to the new app and everything seems to be up and running, however, can't seem to create inputs for the opsec:anti_malware and opsec:anti_virus sourcetypes. The drop-down list on the "Create input" screen does not allow checking for that.

Is there a step that I'm missing? Could it be that we need the client to change something on the Checkpoint Firewall?

I've even tried overriding the data field in opseclea_inputs.conf and tried values like anti_malware and anti_virus. The inputs screen just shows undefined for the data field if I do that.

Please help?

0 Karma
1 Solution

jamesarmitage
Path Finder

The opsec:antimalware and opsec:antivirus events should be pulled if you use the Non-Audit input.

I'm having trouble with that setting, but have managed to retrieve some of those events that way. I find that my data collection is hanging after an initial connection.

tiny3001
Path Finder

Some further testing: There's definitely a difference in how the old Check Point app and the new one pulled data from the OPSEC application. I got annoyed by the fact that the default interval was '3600' on the new app and I kept changing it to '30' as per the default on the old app.

This quickly led to MANY lea_loggrabber instances running concurrently and I suspect that is what stopped the data flow.

I'm now back on the default interval of 3600 and things seem to be more stable... whether they'll stay that way after an hour is something I'll be reporting back on later...

0 Karma
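The post above describes the symptom worth checking for on any host running the add-on: an input interval shorter than the time a single lea_loggrabber run takes, so launches pile up until collection stalls. The following script is an added example written for this thread, not code from the Splunk add-on or Check Point; it reads an INI-style inputs file and a `ps` listing and reports stanzas whose running instances overlap. The stanza names, the `interval` and `data` keys, the `--configentity` argument and the file paths in the constructed samples are assumptions for illustration, not the add-on's documented schema.

```python
import configparser
import re

# Constructed sample in opseclea_inputs.conf style. The stanza names and the
# "data"/"interval" keys are assumed for illustration, not the add-on's schema.
SAMPLE_CONF = """\
[fw_non_audit]
data = non_audit
interval = 30

[fw_audit]
data = audit
interval = 3600
"""

# Constructed sample of `ps -eo pid,etimes,args` output (etimes = seconds the
# process has been running). The "--configentity <stanza>" argument is an
# assumed way to tie a process back to its input stanza.
SAMPLE_PS = """\
  PID ELAPSED COMMAND
 1201    7210 splunkd -p 8089 start
 4410     902 /opt/splunk/etc/apps/EXAMPLE_APP/bin/lea_loggrabber --configentity fw_non_audit
 4452     871 /opt/splunk/etc/apps/EXAMPLE_APP/bin/lea_loggrabber --configentity fw_non_audit
 4499     840 /opt/splunk/etc/apps/EXAMPLE_APP/bin/lea_loggrabber --configentity fw_non_audit
 4520      35 /opt/splunk/etc/apps/EXAMPLE_APP/bin/lea_loggrabber --configentity fw_audit
"""

PS_LINE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(.*)$")
ENTITY = re.compile(r"--configentity\s+(\S+)")


def parse_intervals(conf_text):
    """Return {stanza: interval_seconds} for every stanza carrying an interval."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    return {
        stanza: int(parser[stanza]["interval"])
        for stanza in parser.sections()
        if "interval" in parser[stanza]
    }


def running_grabbers(ps_text):
    """Return {stanza: [elapsed_seconds, ...]} for each running lea_loggrabber."""
    running = {}
    for line in ps_text.splitlines()[1:]:  # skip the ps header row
        match = PS_LINE.match(line)
        if not match or "lea_loggrabber" not in match.group(3):
            continue
        entity = ENTITY.search(match.group(3))
        if entity:
            running.setdefault(entity.group(1), []).append(int(match.group(2)))
    return running


def check_overlap(conf_text, ps_text):
    """Flag stanzas with more than one grabber, or one that has already outlived
    its interval (the next scheduled launch will overlap it).

    Returns a sorted list of (stanza, interval, instance_count, longest_run).
    """
    intervals = parse_intervals(conf_text)
    running = running_grabbers(ps_text)
    findings = []
    for stanza, interval in sorted(intervals.items()):
        elapsed = running.get(stanza, [])
        if len(elapsed) > 1 or any(e >= interval for e in elapsed):
            findings.append((stanza, interval, len(elapsed), max(elapsed)))
    return findings


if __name__ == "__main__":
    for stanza, interval, count, longest in check_overlap(SAMPLE_CONF, SAMPLE_PS):
        print(f"{stanza}: {count} instance(s) running, longest {longest}s, "
              f"interval {interval}s -> launches are overlapping")
```

On a live host, replace the two constructed samples with the contents of the add-on's inputs file and the output of `ps -eo pid,etimes,args`; the rule deliberately flags a single run that has already exceeded its interval, since that is the state just before a second instance appears.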

tiny3001
Path Finder

FYI: They didn't stay stable

0 Karma

jamesarmitage
Path Finder

I've noticed the exact same issue as you. I'm just about to open another question thread, with some additional background info that I've found. I believe it's a bug in the data-handling that only comes up with the Non-Audit setting.

0 Karma

tiny3001
Path Finder

I've also now tested both online mode and offline mode to see if it makes a difference. I get data flowing in for about 5 minutes and then it dies. Did not have this old issue with the older Check Point app.

0 Karma

tiny3001
Path Finder

Thank you. It doesn't seem intuitive at all, but I guess at some stage I could have just tried Non-Audit to see what it does.

I am also experiencing the data collection dying after a while.

Finally, there also seems to be an issue with the opsec:anti_bot sourcetype incorrectly going to opsec:anti_malware because of this bug posted on Check Point's website:
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

0 Karma