Splunk Enterprise Security

Why is Check Point OPSEC LEA is parsing out dst to src and src to dst?

nb1030
New Member

In the logs for "New Anti Virus", the logs contain a "dst=" and "src=" field. For some logs, it is placing the "dst=" value into both the dst and the src fields. In other logs, it is placing the "dst=" value into the src field, and the "src=" value into the dst field. In other logs, it is putting the "dst=" value into both fields, but these logs then have the dest, dest_ip, and src_ip fields that contain the wrong values.

Examples for the "New Anti Virus" logs:
Log type 1
log contains dst=10.20.30.40; dst field contains 10.20.30.40
log contains src=50.60.70.80; src field contains 10.20.30.40

Log type 2
log contains dst=10.20.30.40; dst field contains 50.60.70.80
log contains src=50.60.70.80; src field contains 10.20.30.40

Log type 3
log contains dst=10.20.30.40; dst field contains 10.20.30.40, dest field contains 50.60.70.80, dest_ip=50.60.70.80
log contains src=50.60.70.80; src field contains 10.20.30.40, src_ip field contains 10.20.30.40

Is there anyway to fix this?

0 Karma

mgaudie_splunk
Splunk Employee
Splunk Employee

Looks like an issue with the field alaising. Have you made any changes to the add-on's props.conf file or added a local props.conf file?

0 Karma

nb1030
New Member

We have a ticket open now as it seems there are a few reasons this could be happening.

0 Karma

astatrial
Contributor

Hello,
Did you manage to figure out the reason for this behavior ?
Thanks !!

0 Karma
Get Updates on the Splunk Community!

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...

Observability protocols to know about

Observability protocols define the specifications or formats for collecting, encoding, transporting, and ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...