All Apps and Add-ons

Enabling other sourcetype inputs from OPSEC LEA

tiny3001
Path Finder

Good day,

We have a client that recently added the new Anti-Bot, Anti-Virus and Threat Emulation blades to their Checkpoint installation.

We are already gathering their Firewall and SmartDefense logs via the older Checkpoint OPSEC LEA app. I've now migrated those inputs to the new app and everything seems to be up and running, however, can't seem to create inputs for the opsec:anti_malware and opsec:anti_virus sourcetypes. The drop-down list on the "Create input" screen does not allow checking for that.

Is there a step that I'm missing? Could it be that we need the client to change something on the Checkpoint Firewall?

I've even tried overriding the data field in opseclea_inputs.conf and tried values like anti_malware and anti_virus. The inputs screen just shows undefined for the data field if I do that.

Please help?

0 Karma
1 Solution

jamesarmitage
Path Finder

The opsec:antimalware and opsec:antivirus events should be pulled if you use the Non-Audit input.

I'm having trouble with that setting, but have managed to retrieve some of those events that way. I find that my data collection is hanging after an initial connection.

View solution in original post

jamesarmitage
Path Finder

The opsec:antimalware and opsec:antivirus events should be pulled if you use the Non-Audit input.

I'm having trouble with that setting, but have managed to retrieve some of those events that way. I find that my data collection is hanging after an initial connection.

tiny3001
Path Finder

Some further testing: There's definitely a difference in how the old Check Point app and the new one pulled data data from the OPSEC application. I got annoyed by the fact that the default interval was '3600' on the new app and I kept changing it to '30' as per the default on the old app.

This quickly led to MANY lea_loggrabber instances running concurrently and I suspect that is what stopped the data flow.

I'm now back on the default interval of 3600 and things seem to be more stable... whether they'll stay that way after an hour is something I'll be reporting back on later...

0 Karma

tiny3001
Path Finder

FYI: They didn't stay stable

0 Karma

jamesarmitage
Path Finder

I've noticed the exact same issue as you. I'm just about to open another question thread, with some additional background info that I've found. I believe it's a bug in the data-handling that only comes up with the Non-Audit setting.

0 Karma

tiny3001
Path Finder

I've also now tested both online mode and offline mode to see if it makes a difference. I get data flowing in for about 5 minutes and then it dies. Did not have this old issue with the older Check Point app.

0 Karma

tiny3001
Path Finder

Thank you. It doesn't seem intuitive at all, but I guess at some stage I could have just tried Non-Audit to see what it does.

I am also experiencing the data collection dying after a while.

Finally, there also seems to be an issue with the opsec:anti_bot sourcetype incorrectly going to opsec:anti_malware because of this bug posted on Check Points' website:
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...