Connect this data source on your own, using the Hunters platform.
TL;DR
Supported data types | 3rd party detection | Hunters detection | IOC search | Search | Table name | Log format | Collection method |
---|---|---|---|---|---|---|---|
Checkpoint traffic logs | ✅ | ✅ | checkpoint_traffic | Syslog | S3 |
Overview
This article explains how to ingest your Check Point appliances' logs to Hunters.
Check Point Infinity's portfolio of solutions protects enterprises and public organisations from 5th generation cyber-attacks with an industry-leading catch rate of malware, ransomware and other threats.
Supported data types
Checkpoint traffic logs
Table name: checkpoint_traffic
Checkpoint traffic logs record data and analysis related to the flow of network traffic through Checkpoint firewall devices. These logs include detailed information on allowed and blocked traffic, tracking source and destination IP addresses, ports used, protocols, action taken by the firewall, and more. They are essential for security analysis, troubleshooting network issues, and ensuring compliance with security policies.
Send data to Hunters
💡Before you start
To complete the connection of these logs, you'll need to set up a Syslog server, forward logs from Check Point's Log Exporter to that Syslog server, and then ship them from the Syslog server to AWS S3.
1. Forward Logs to the Syslog server
Follow Check Point's Log Export documentation to start forwarding logs from the Check Point log servers to your Syslog server. Be sure to ship the logs in the Syslog RFC 5424 format. If you are using Fluentd as your syslog server, set support_colonless_ident to false.
2. Ship the logs from the Syslog server to S3
📘 Useful resources
Use this detailed guide to learn how best to set up an S3 bucket for Hunters ingestion purposes and how to provide the Hunters platform with access to the bucket.
Configure the Syslog server to ship the logs received to an S3 bucket shared with Hunters. If you're using Fluentd, make sure to send only the actual Syslog payload (the extradata section), by adding this clause to the out_s3 configuration:
<format>
  @type single_value
  message_key extradata
</format>
3. Verify files were written to S3
Browse to the S3 bucket to which the Syslog forwarder is set to send data.
Download the latest file and open it.
Make sure it is formatted as detailed in the Expected format section below.
4. Grant Hunters access to the S3 bucket
Complete the process as described in this guide.
Expected format
Hunters expects Check Point log files to be in the Check Point Syslog format, as output by the Check Point Log Exporter. The following is an example of a typical log line:
[action:"Accept"; flags:"000000"; ifdir:"inbound"; ifname:"eth3"; logid:"0"; origin:"192.168.1.1"; user:"John Smith (j.smith) "]
To achieve this result, send the logs as-is without extra wrappers and customizations. If you are using Fluentd as your Syslog server, additional instructions to achieve this can be found here.
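The check in step 3 (open the latest S3 file and confirm each line is in the bare Log Exporter format shown above) can be scripted. The following is an added example, not part of this article or of any Hunters or Check Point tooling; the sample lines are constructed here, and the third one deliberately still carries a Fluentd JSON wrapper so that the check flags it.

```python
import re

# Constructed sample lines: two in the expected bare Log Exporter format,
# one still wrapped in Fluentd's JSON record (message_key not applied).
SAMPLE_LINES = [
    '[action:"Accept"; flags:"000000"; ifdir:"inbound"; ifname:"eth3"; logid:"0"; '
    'origin:"192.168.1.1"; user:"John Smith (j.smith) "]',
    '[action:"Drop"; flags:"000000"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; '
    'origin:"192.168.1.1"; src:"10.0.0.5"; dst:"10.0.0.9"; service:"443"]',
    '{"extradata": "[action:\\"Accept\\"; ifdir:\\"inbound\\"]"}',
]

# One key:"value" pair; the value may contain backslash-escaped characters.
FIELD_RE = re.compile(r'([\w.-]+):"((?:[^"\\]|\\.)*)"')


def parse_checkpoint_line(line):
    """Return the fields of one Log Exporter syslog line as a dict.

    Returns None when the line is not in the expected bare format, e.g. it
    still has an RFC 5424 header, a JSON wrapper, or an unquoted value.
    """
    line = line.strip()
    if not (line.startswith("[") and line.endswith("]")):
        return None
    body = line[1:-1]
    fields = {}
    pos = 0
    while pos < len(body):
        m = FIELD_RE.match(body, pos)
        if m is None:
            return None  # something other than key:"value" at this position
        fields[m.group(1)] = m.group(2)  # values kept verbatim, trailing space included
        pos = m.end()
        if body.startswith("; ", pos):
            pos += 2  # pairs are separated by "; "
        elif pos != len(body):
            return None  # unexpected separator or trailing junk
    return fields or None


def check_lines(lines):
    """Return (number of well-formed lines, 1-based numbers of malformed lines)."""
    bad = [i for i, line in enumerate(lines, start=1)
           if line.strip() and parse_checkpoint_line(line) is None]
    return len(lines) - len(bad), bad


if __name__ == "__main__":
    good, bad = check_lines(SAMPLE_LINES)
    print(f"{good} well-formed line(s); malformed line numbers: {bad}")
```

To run it against a downloaded S3 object, pass the file's lines to check_lines; any line number it reports should be inspected for a leftover syslog header or Fluentd wrapper before proceeding to step 4.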