Getting Data In

CheckPoint VPN - Get username with each firewall log

o_calmels
Communicator

Hi splunkers,

I need to enrich the Checkpoint Firewall logs with the username in my corporate VPN logs.
On a first sourcetype, I have the name of the user with his DHCP IP address in the VPN (field name : office_mode_ip).
On a second sourcetype, I have the firewall traffic log with this same DHCP IP (field name : src).
The DHCP has a 10h lease.
I do not find how to get the associated user for each Firewall log. How can i make a join over the same time range to avoid error on DHCP lease change?

The first log with login details ==> user=Alain DUBOIS 123 (Alain.dubois@mydomain.com), office_mode_ip=10.245.131.237

time=1570087243|loc=1589977|fileid=1570053600|action=authcrypt|orig=0.0.0.0|i/f_dir=inbound|has_accounting=0|logId=-1|log_type=log|log_sequence_num=119|is_first_for_luuid=0|log_version=5|origin_sic_name=CN=FW_VPN01,O=vu.jmsp.prod.sq5ad5|uuid=<5d95a14b,00000000,0140a30a,0000116d>|product=xxxxxxxx|cvpn_category=Session|event_type=Login|client_name=Check Point Mobile|client_version=xxxxx|client_build=xxxxxxx|user=Alain DUBOIS 123 (Alain.dubois@mydomain.com)|auth_method=Password|login_option=Authentification IPSEC|failed_login_factor_num=0|user_dn=CN=Dominique ROBERT 841,OU=Administrateurs,OU=W7,OU=841-Utilisateurs,DC=mydomain,DC=com|user_group=GrpLDAP_VPNSSL, ad_group_VPNSSL_238285|host_type=PC|os_name=Windows|os_version=10|os_build=17763|os_bits=64bit|device_identification={xxxxxxxxxxxxxxxxxxxxxxxxxxx}|session_timeout=10:00:00|login_timestamp= 3Oct2019  9:20:43|src=aa.bb.cc.dd|host_ip=192.168.1.212|office_mode_ip=10.245.131.237|s_port=0|proto=tcp|service=443|tunnel_protocol=IPSec|methods:=3DES + SHA1|status=Success|Suppressed_Logs=0|mac_address=50:76:af:3a:eb:57|Hostname=p0006841|domain_name=mydomain.com|auth_encryption_methods=AES-256 + SHA1 + Group 2

then, the second sourcetype with src=10.245.131.237

time=1570087396|loc=1622048|fileid=1570053600|action=decrypt|orig=aa.bb.cc.dd|i/f_dir=inbound|i/f_name=wrp193|has_accounting=0|logId=0|log_type=connection|log_sequence_num=52|is_first_for_luuid=131072|log_version=5|origin_sic_name=CN=FW_VPN01,O=vu.jmsp.jmsp.prod.sq5ad5|uuid=<5d95a1e4,00000009,0140a30a,c0001800>|product=VPN-1 & FireWall-1|__policy_id_tag=product=VPN-1 & FireWall-1[db_tag={xxxxxxxxxxxxxxxxxxxxxxxxx};mgmt=xxxxxxx;date=1570034884;policy_name=Regles_VS_VPN01]|inzone=External|outzone=Internal|service_id=cp_tcp_xxxxxxxxxx|src=10.245.131.237|s_port=49438|dst=10.160.16.247|service=10123|proto=tcp|scheme:=IKE|methods:=ESP: 3DES + SHA1|peer gateway=10.245.131.237|community=RemoteAccess|fw_subproduct=VPN-1|vpn_feature_name=VPN|LastUpdateTime= 3Oct2019 9:23:16|match_id=19|match_table.match_id=19|layer_uuid=129b5909-9ae6-48d5-8ee6-0dfb64ca827f|match_table.layer_uuid=129b5909-9ae6-48d5-8ee6-0dfb64ca827f|layer_name=Regles_VS_VPN01 Network|match_table.layer_name=Regles_VS_VPN01 Network|rule_uid=fbe622a8-fa24-4fe1-b372-bc63f23eb6f9|match_table.rule_uid=fbe622a8-fa24-4fe1-b372-bc63f23eb6f9|rule_name=Flux nomades|match_table.rule_name=Flux |rule_action=2|match_table.rule_action=2|parent_rule=0

I can get a real time list of DHCP adress affected with

 index="checkpoint_vpnssl"  event_type=Login | stats latest(user_dn) by  office_mode_ip

, but how to link each fw log and this result in a way to have updated couple of user / IP?

Any idees ?
Thanks

0 Karma
1 Solution

Richfez
SplunkTrust
SplunkTrust

There's a variety of ways to do this.

One I've had success with is to take your second search and create a time based lookup out of it. This will of course involve actually creating a lookup out of it in the first place, but that's also documented. There's a third, possibly more thorough, look at time based lookups here. A key point here is all those links came from the top couple of hits when I searched the web for "splunk create lookup time", so more examples and help should be easy to come across.

The lookup that you create can be scheduled to run fairly often, like once every 5 minutes, or even every minute. There's a tutorial you can probably adapt to help with this. This uses a KV store collection instead of a CSV based lookup, but that's fine and possibly better in this case anyway.

Then you can set that up to happen automatically (see those first links for instructions), or add it in manually like my search here | lookup fieldinlookup AS fieldnameinevents OUTPUT ...

Hopefully this helps!

Happy Splunking,
Rich

Once you have that,

View solution in original post

0 Karma

o_calmels
Communicator

After some research and test about kvstore, all is OK now.
If that helps, here are all the files needed in one app

Create an app with these files :

AppName/local/app.conf

[install]
state = enabled

[package]
check_for_updates = false

[ui]
is_visible = false
is_manageable = false
label = Checkpoint DHCP KvStore - TA


[launcher]
author = Olivier CALMELS
description = Automaticaly link Checkpoint DHCP logs with firewall log to merge them in the specified time rage
version = 1.5

AppName/local/collections.conf

# KVSTORE definition to save a timeline of IP / User / time entries.
# This KVSTORE is filled with a scheduled search every minute that append results to the KV Store
# "fileds.*****" are the same than the scheduled search results

[VPN-SSL_DHCP_collection]
field.office_mode_ip = string
field.domain_name = string
field._time = string
field.user_dn = string

# Acceleration in this KvStore
accelerated_fields.my_accel = {"user_dn": 1}

# My architecture has 3 indexers, so ==> Replication
replicate = true

AppName/local/transforms.conf

# Lookup definition that links the lookup with the KvStore and allow to querry the KvStore defined in collections.conf

[VPN-SSL_DHCP_lookup]
external_type = kvstore
collection = VPN-SSL_DHCP_collection
case_sensitive_match = False
fields_list = _key,_time,office_mode_ip,domain_name,user_dn

# The fileds time_* are necessary to set time based lookup
time_field = _time
time_format = %s

AppName/local/props.conf

# Automate the link between the firewall logs and the KvStore.
# If the IP match (office_mode_ip AS src ) domain_name et user_dn are appended to the results
# This props is limited to one host for automatic lookup.

[host::CheckPointManagerName]
LOOKUP-VPNSS_Automatic_Lookup = VPN-SSL_DHCP_lookup office_mode_ip AS src OUTPUTNEW domain_name AS domain_name user_dn AS user_dn

AppName/local/savedsearches.conf

[Do-Not-Click_VPN-SSL_Office-Mode_DHCP_KvStore_Filling]
action.email.useNSSubject = 1
alert.track = 0
cron_schedule = */1 * * * *
dispatch.earliest_time = -1min@min
dispatch.latest_time = -0min@min
enableSched = 1
search = index="checkpoint_vpnssl" event_type=Login |  stats values(user_dn) by office_mode_ip domain_name _time | rename values(user_dn) as user_dn | outputlookup append=true VPN-SSL_DHCP_lookup
0 Karma

Richfez
SplunkTrust
SplunkTrust

There's a variety of ways to do this.

One I've had success with is to take your second search and create a time based lookup out of it. This will of course involve actually creating a lookup out of it in the first place, but that's also documented. There's a third, possibly more thorough, look at time based lookups here. A key point here is all those links came from the top couple of hits when I searched the web for "splunk create lookup time", so more examples and help should be easy to come across.

The lookup that you create can be scheduled to run fairly often, like once every 5 minutes, or even every minute. There's a tutorial you can probably adapt to help with this. This uses a KV store collection instead of a CSV based lookup, but that's fine and possibly better in this case anyway.

Then you can set that up to happen automatically (see those first links for instructions), or add it in manually like my search here | lookup fieldinlookup AS fieldnameinevents OUTPUT ...

Hopefully this helps!

Happy Splunking,
Rich

Once you have that,

0 Karma
Get Updates on the Splunk Community!

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

At .conf24, we shared that we were in the process of integrating Cisco Talos threat intelligence into Splunk ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector

Agent Saturation What and Whys In application performance monitoring, saturation is defined as the total load ...