Collect Check Point Firewall logs
This document describes how to ingest Check Point Firewall logs into Google Security Operations using the Bindplane agent.
Check Point firewalls generate logs for network connections, security events, VPN activity, threat prevention and administrative operations. The parser extracts key/value and CEF fields and maps them to the Unified Data Model (UDM).
Before you begin
Make sure that you have the following prerequisites:
- A Google SecOps instance
- Windows Server 2016 or later, or a Linux host with systemd
- Network connectivity between the Bindplane agent and the Check Point Firewall
- If you run the agent behind a proxy, the firewall ports must be open as required by the Bindplane agent
- Privileged access to the Check Point Firewall UI
Get the Google SecOps ingestion authentication file
- Sign in to the Google SecOps console.
- Go to SIEM Settings > Collection Agents.
- Download the ingestion authentication file.
Store the file securely on the system where the Bindplane agent will be installed. It is a credential for your tenant's ingestion API: restrict read access to the account the collector service runs as and keep it out of version control.
Get the Google SecOps customer ID
- Sign in to the Google SecOps console.
- Go to SIEM Settings > Profile.
- Copy and save the customer ID from the Organization Details section.
Install the Bindplane agent
Install the Bindplane agent on your Windows or Linux operating system according to the following instructions.
Windows installation
- Open Command Prompt or PowerShell as an administrator.
- Run the following command:

```powershell
msiexec /i "https://github.com/observIQ/bindplane-agent/releases/latest/download/observiq-otel-collector.msi" /quiet
```

- Wait for the installation to complete.
- Verify the installation with the following command (use `sc.exe` rather than `sc`, because in PowerShell `sc` is an alias for Set-Content):

```powershell
sc.exe query observiq-otel-collector
```

The service should be shown as RUNNING.
Linux installation
- Open a terminal with root or sudo privileges.
- Run the following command:

```bash
sudo sh -c "$(curl -fsSL https://github.com/observiq/bindplane-agent/releases/latest/download/install_unix.sh)" install_unix.sh
```

- Wait for the installation to complete.
- Verify the installation with the following command:

```bash
sudo systemctl status observiq-otel-collector
```

The service should be shown as active (running).
Additional installation resources
For more installation options and troubleshooting information, see the Bindplane agent installation guide.
Configure the Bindplane agent to collect syslog data and send it to Google SecOps
Locate the configuration file
Linux:

```bash
sudo nano /etc/bindplane-agent/config.yaml
```

Windows:

```powershell
notepad "C:\Program Files\observIQ OpenTelemetry Collector\config.yaml"
```

Edit the configuration file
Replace the entire contents of config.yaml with the following configuration:

```yaml
receivers:
  udplog:
    listen_address: "0.0.0.0:514"

exporters:
  chronicle/checkpoint_firewall:
    compression: gzip
    creds_file_path: '/etc/bindplane-agent/ingestion-auth.json'
    customer_id: '<customer_id>'
    endpoint: malachiteingestion-pa.googleapis.com
    log_type: CHECKPOINT_FIREWALL
    raw_log_field: body

service:
  pipelines:
    logs/checkpoint_firewall_to_chronicle:
      receivers:
        - udplog
      exporters:
        - chronicle/checkpoint_firewall
```

Configuration parameters
Replace the following placeholders:
Receiver configuration:
- listen_address: IP address and port to listen on. 0.0.0.0 listens on all interfaces (recommended). Port 514 is the standard syslog port; binding to it requires root on Linux, so use 1514 if the agent runs as a non-root user, and configure the same port on the firewall.
Exporter configuration:
- creds_file_path: full path to the ingestion authentication file (the sample above uses the Linux path; on Windows replace it with the Windows path):
  - Linux: /etc/bindplane-agent/ingestion-auth.json
  - Windows: C:\Program Files\observIQ OpenTelemetry Collector\ingestion-auth.json
- customer_id: the customer ID copied from the Google SecOps console.
- endpoint: regional endpoint URL:
  - US: malachiteingestion-pa.googleapis.com
  - Europe: europe-malachiteingestion-pa.googleapis.com
  - Asia: asia-southeast1-malachiteingestion-pa.googleapis.com
  - For the complete list, see Regional endpoints.
The udplog receiver accepts unauthenticated, unencrypted UDP datagrams from any sender that can reach the port. Restrict inbound access to the listen port on the collector host (host firewall or security group) to the addresses of your Check Point gateways or log servers; otherwise any host on the network can inject records of log type CHECKPOINT_FIREWALL into your tenant.
Save the configuration file
Save the file after editing:
- Linux: press Ctrl+O, then Enter, then Ctrl+X.
- Windows: click File > Save.
Restart the Bindplane agent to apply the changes
To restart the Bindplane agent on Linux, run the following command:

```bash
sudo systemctl restart observiq-otel-collector
```

Check that the service is running:

```bash
sudo systemctl status observiq-otel-collector
```

Check the logs for errors:

```bash
sudo journalctl -u observiq-otel-collector -f
```

A failure to bind the listen port (for example, port 514 as a non-root user) or a wrong creds_file_path shows up here at startup, before any log reaches Google SecOps.
To restart the Bindplane agent on Windows, choose one of the following options:
Command Prompt or PowerShell as an administrator:

```powershell
net stop observiq-otel-collector
net start observiq-otel-collector
```

Services console:
- Press Win+R, type services.msc and press Enter.
- Find observIQ OpenTelemetry Collector.
- Right-click it and select Restart.
Check that the service is running:

```powershell
sc.exe query observiq-otel-collector
```

Check the logs for errors:

```powershell
type "C:\Program Files\observIQ OpenTelemetry Collector\log\collector.log"
```
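Before you point the firewall at the agent, it is worth confirming that the udplog receiver is reachable and that a syslog-framed datagram arrives intact. The following Python script is an added example written for this page; it is not part of Bindplane, Check Point or Google SecOps. It wraps a constructed Check Point-style key/value message (not a real gateway log) in a BSD syslog header (PRI <134> = local0/informational, the conventional value for a local syslog sender), sends it to the collector host and port given on the command line (the arguments and their defaults, 127.0.0.1 and 514, are assumptions of this example), and includes an offline loopback self-check that stands in for the receiver.

```python
import socket
import sys

# Constructed Check Point-style key/value message (not captured from a real gateway).
SAMPLE = (
    'time="1705054501" action="Accept" origin="192.0.2.1" src="198.51.100.23" '
    'dst="192.0.2.80" service="443" proto="6" rule_name="Allow Web"'
)


def frame_syslog(msg, facility=16, severity=6, hostname="cp-gw01",
                 timestamp="Jan 12 10:15:01"):
    """Wrap msg in a BSD (RFC 3164) syslog header: <PRI>TIMESTAMP HOSTNAME MSG.
    PRI = facility * 8 + severity; local0 (16) + informational (6) gives <134>."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0-23 and severity 0-7")
    return f"<{facility * 8 + severity}>{timestamp} {hostname} {msg}"


def parse_pri(line):
    """Return (facility, severity) decoded from a framed line."""
    if not line.startswith("<") or ">" not in line:
        raise ValueError("missing PRI")
    pri = int(line[1:line.index(">")])
    return pri // 8, pri % 8


def send_udp(line, host, port, count=1):
    """Send `count` copies of the line as separate UDP datagrams.
    Returns the total number of payload bytes sent."""
    payload = line.encode("utf-8")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as tx:
        for _ in range(count):
            tx.sendto(payload, (host, port))
    return len(payload) * count


def loopback_roundtrip(line, timeout=5.0):
    """Offline self-check: bind an ephemeral loopback UDP port as a stand-in for
    the udplog receiver, send the line to it and return the datagram as received."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx:
        rx.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
        rx.settimeout(timeout)
        _, port = rx.getsockname()
        send_udp(line, "127.0.0.1", port)
        data, _ = rx.recvfrom(65535)
    return data.decode("utf-8")


if __name__ == "__main__":
    # Usage: python send_test_log.py <collector-ip> [port]   (port defaults to 514)
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 514
    framed = frame_syslog(SAMPLE)
    if len(sys.argv) == 1:
        print("loopback self-check passed:", loopback_roundtrip(framed) == framed)
    else:
        sent = send_udp(framed, host, port, count=3)
        print(f"sent {sent} bytes in 3 datagrams to {host}:{port}")
```

Run it with no arguments for the loopback self-check, then with the collector's IP and listen port. If the message does not appear in Google SecOps under log type CHECKPOINT_FIREWALL within a few minutes, check journalctl or collector.log for bind or exporter errors before touching the firewall configuration; UDP gives the sender no error when the port is closed or filtered.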
Configure syslog export on a Check Point Firewall
- Sign in to the Check Point Firewall user interface with an account that has the required privileges.
- Go to Logs & Monitoring > Log Servers.
- Go to Syslog Servers.
- Click Configure and set the following values:
  - Protocol: select UDP to send security and/or system logs.
  - Name: enter a unique name (for example, Bindplane_Server).
  - IP address: enter the IP address of your syslog server (the Bindplane agent host).
  - Port: enter the port of your syslog server (the Bindplane agent's listen port, 514 in the configuration above).
- Select Enable log server.
- Select the logs to forward: both system and security logs.
- Click Apply.
UDM-Zuordnungstabelle
| Logfeld | UDM-Zuordnung |
|---|---|
@timestamp |
metadata.event_timestamp |
__id |
additional.fields |
__nsons |
additional.fields |
__p_dport |
additional.fields |
__pos |
additional.fields |
_action |
security_result.action_id |
access_method |
metadata.product_event_type |
acks_total |
additional.fields |
act |
security_result.action_details |
Action |
additional.fields |
action_details |
additional.fields |
action_reason |
security_result.detection_fields |
Activity |
security_result.summary |
additional_info |
security_result.description,security_result.detection_fields |
administrator |
target.user.userid |
aggregated_log_count |
security_result.detection_fields |
alert |
security_result.detection_fields |
answer_rdata |
additional.fields |
app |
principal.application |
app_activity |
security_result.description |
app_category |
security_result.category_details |
app_desc |
additional.fields |
app_id |
additional.fields |
app_properties |
additional.fields,security_result.detection_fields |
app_risk |
security_result.detection_fields |
app_session_id |
network.session_id |
app_sig_id |
additional.fields |
appcategory |
additional.fields |
appi_name |
security_result.detection_fields |
application |
principal.application |
application_version |
additional.fields |
arrival_time |
additional.fields |
attachment_link |
additional.fields |
attachments_num |
additional.fields |
attack |
security_result.threat_name |
attack_info |
security_result.description |
attack_status |
additional.fields |
attack_traffic_bps |
additional.fields |
attackStatus |
security_result.detection_fields |
audit_status |
additional.fields |
auth_method |
additional.fields |
auth_status |
security_result.summary |
authentication_trial |
additional.fields |
authority_rdata |
principal.resource.attribute.labels |
authorization |
security_result.detection_fields |
bandwidth |
security_result.detection_fields |
best_practice_id |
security_result.detection_fields |
blade_name |
security_result.detection_fields |
browse_time |
additional.fields |
browser |
network.http.user_agent |
bytes |
additional.fields |
c_bytes |
additional.fields |
calc_desc |
security_result.description |
calc_service |
additional.fields |
cat |
security_result.detection_fields |
category |
security_result.category_details |
cb_bp_blade |
additional.fields |
cb_rate |
additional.fields |
cb_recommendation |
additional.fields |
cb_relevantobjectname |
additional.fields |
cb_relevantobjectstatus |
additional.fields |
cb_scan_id |
security_result.detection_fields |
cb_status |
additional.fields |
certificate_validity |
additional.fields |
client_inbound_bytes |
principal.network.received_bytes |
client_inbound_interface |
additional.fields |
client_inbound_packets |
principal.network.received_packets |
client_ip |
principal.ip,principal.asset.ip |
client_name |
security_result.detection_fields |
client_outbound_bytes |
principal.network.sent_bytes |
client_outbound_interface |
additional.fields |
client_outbound_packets |
principal.network.sent_packets |
client_to_gateway_ciphers |
additional.fields |
client_type_os |
principal.platform |
client_version.0 |
intermediary.platform_version |
cloud_hourly_quota |
additional.fields |
cloud_hourly_quota_exceeded |
additional.fields |
cloud_hourly_quota_usage_for_quota_id |
additional.fields |
cloud_hourly_quota_usage_for_this_gw |
additional.fields |
cloud_hourly_remaining_quota |
additional.fields |
cloud_last_quota_update_gmt_time |
additional.fields |
cloud_monthly_quota |
additional.fields |
cloud_monthly_quota_exceeded |
additional.fields |
cloud_monthly_quota_period_end |
additional.fields |
cloud_monthly_quota_period_start |
additional.fields |
cloud_monthly_quota_usage_for_quota_id |
additional.fields |
cloud_monthly_quota_usage_for_this_gw |
additional.fields |
cloud_quota_description |
additional.fields |
cloud_quota_identifier |
additional.fields |
cloud_quota_status |
additional.fields |
cloud_remaining_quota |
additional.fields |
cluster_info |
additional.fields |
cn2 |
additional.fields |
cn3 |
additional.fields |
comment |
security_result.description |
community |
additional.fields |
condition |
additional.fields |
confidence_level |
security_result.confidence |
conn_direction |
network.direction,additional.fields |
connection_count |
security_result.detection_fields |
connection_luuid |
additional.fields |
connection_uid |
additional.fields |
consent_flag_status |
additional.fields |
consent_flag_value |
additional.fields |
content_disposition |
target.file.names |
content_length |
target.file.size |
content_risk |
additional.fields |
content_type |
target.file.mime_type |
context_num |
additional.fields |
contextnum |
additional.fields |
contract_name |
security_result.detection_fields |
control_log_type |
additional.fields |
controller |
additional.fields |
cookiei |
additional.fields |
cookier |
additional.fields |
cp_component_name |
additional.fields |
cp_component_version |
additional.fields |
creation_time |
principal.asset.attribute.creation_time |
cs2_second |
intermediary.ip,intermediary.asset.ip |
cu_detected_by |
additional.fields |
cu_detection_time |
additional.fields |
cu_log_count |
additional.fields |
cu_rule_category |
security_result.rule_name |
cu_rule_id |
security_result.rule_id |
current_value |
additional.fields |
d_name |
security_result.detection_fields |
data_type_name |
security_result.detection_fields |
date_value |
additional.fields |
datetime |
metadata.event_timestamp |
db_tag |
security_result.detection_fields |
db_ver |
additional.fields |
DCE_RPC_Interface_UID |
additional.fields |
dce-rpc_interface_uuid |
additional.fields |
dce-rpc_interface_uuid-1 |
additional.fields |
dce-rpc_interface_uuid-2 |
additional.fields |
dce-rpc_interface_uuid-3 |
additional.fields |
dedup_time |
additional.fields |
default_device_message |
additional.fields |
delivery_time |
additional.fields |
desc |
security_result.summary |
description |
security_result.detection_fields |
description_url |
additional.fields |
Destination |
additional.fields |
destination_dns_hostname |
target.hostname,target.asset.hostname |
destinationAddress |
target.ip,target.asset.ip |
destinationDnsDomain |
target.url |
destinationPort |
target.port |
destinationTranslatedAddress |
target.ip,target.asset.ip,target.nat_ip |
destinationTranslatedPort |
target.port,target.nat_port |
detected_by |
security_result.detection_fields |
device |
intermediary.ip,intermediary.asset.ip |
device_identification |
additional.fields |
device_message |
security_result.description |
device_name |
target.hostname,target.asset.hostname |
device_type |
target.resource.resource_subtype |
deviceCustomNumber2 |
additional.fields |
deviceCustomString2 |
security_result.rule_name |
deviceDirection |
network.direction |
devTime |
metadata.event_timestamp |
direction |
additional.fields |
discard_traffic_bps |
additional.fields |
discard_traffic_pps |
additional.fields |
dlp_data_type_name |
additional.fields |
dlp_relevant_data_types |
additional.fields |
dlp_rule_name |
additional.fields |
dlp_transport |
additional.fields |
dn |
additional.fields |
dns_domain_name |
target.hostname,target.asset.hostname |
dns_message_type |
security_result.detection_fields |
dns_query_type |
additional.fields |
dns_query.queries |
network.dns.questions.name |
dns_type |
additional.fields |
domain |
principal.administrative_domain |
domain_name |
principal.administrative_domain |
dpt |
target.port |
drop_reason |
security_result.summary |
dst |
target.ip,target.asset.ip |
dst_country |
target.location.country_or_region |
dst_domain_name |
target.hostname,target.asset.hostname |
dst_ip |
target.ip,target.asset.ip |
dst_machine_name |
target.user.email_addresses |
dst_phone_number |
target.user.phone_numbers |
dst_port |
target.port |
dst_uo_icon |
additional.fields |
dst_uo_name |
target.location.country_or_region |
dst_user_dn |
target.resource.attribute.labels |
dst_user_name |
target.user.user_display_name |
dstBytes |
additional.fields |
dstkeyid |
additional.fields |
dstPostNAT |
target.nat_ip |
dstPostNATPort |
target.nat_port |
duration |
network.session_duration.seconds |
during_sec |
additional.fields |
dvc |
target.ip,intermediary.ip |
elapsed |
additional.fields |
email_content |
security_result.description |
email_control |
additional.fields |
email_queue_id |
security_result.detection_fields |
email_queue_name |
security_result.detection_fields |
email_session_id |
additional.fields |
email_status |
security_result.detection_fields |
email_subject |
network.email.subject |
emailSubject |
network.email.subject |
emulated_on |
additional.fields |
encryption_fail_reason |
additional.fields |
encryption_failure |
security_result.description |
environment_id |
target.resource.product_object_id |
Errors |
security_result.description |
euid |
additional.fields |
event_kind |
additional.fields |
event_name |
metadata.description |
event_start_time |
additional.fields |
extraction_download_time |
additional.fields |
extraction_time |
additional.fields |
extraction_total_time |
additional.fields |
failure_impact |
additional.fields |
failure_reason |
additional.fields |
feature_name |
additional.fields |
fg-1_client_in_rule_name |
additional.fields |
fg-1_client_out_rule_name |
additional.fields |
fieldschanges |
security_result.detection_fields |
file_count |
additional.fields |
file_direction |
additional.fields |
file_md5 |
target.file.md5 |
file_name |
target.file.names |
file_sha1 |
target.file.sha1 |
file_sha256 |
target.file.sha256 |
file_size |
target.file.size |
file_status |
target.resource.attribute.labels |
file_type |
additional.fields |
Firewall management node |
security_result.detection_fields |
firstname |
principal.user.first_name |
flags |
additional.fields |
flexString2 |
security_result.detection_fields |
FollowUp |
security_result.detection_fields |
fragments_dropped |
additional.fields |
from |
network.email.from,additional.fields |
from_user |
principal.user.userid |
fservice |
security_result.detection_fields |
fw_message |
additional.fields |
fw_subproduct |
metadata.product_name |
gateway_to_server_ciphers |
additional.fields |
geoip_dst.country_name |
target.location.country_or_region |
h_version |
security_result.detection_fields |
has_accounting |
additional.fields |
header_ip_ |
intermediary.ip,intermediary.asset.ip |
hll_key |
additional.fields |
host |
target.hostname,target.asset.hostname |
hostname |
target.hostname,target.asset.hostname |
http_host |
target.ip,target.asset.ip (falls es sich um eine IP-Adresse handelt),target.hostname (falls es sich um einen Hostnamen handelt) |
http_server |
target.application |
http_status |
network.http.response_code |
https_inspection_action |
additional.fields |
https_inspection_rule_id |
security_result.detection_fields |
https_inspection_rule_name |
security_result.detection_fields |
https_validation |
security_result.detection_fields |
i_ip |
intermediary.ip,intermediary.asset.ip |
icmp |
additional.fields |
ICMP |
additional.fields |
icmp_code |
additional.fields |
ICMP_Code |
additional.fields |
icmp_type |
additional.fields |
ICMP_Type |
additional.fields |
id |
metadata.product_log_id |
identity_src |
target.application |
identity_type |
additional.fields,extensions.auth.type |
if_direction |
network.direction |
if_name |
additional.fields |
ifdir |
network.direction |
ifname |
security_result.detection_fields |
ike |
security_result.description |
ike_ids |
additional.fields |
Impact |
additional.fields |
indicator_name |
security_result.detection_fields |
indicator_uuid |
security_result.detection_fields |
industry_reference |
additional.fields |
Info |
security_result.description |
information |
metadata.description |
inspection_category |
additional.fields |
inspection_information |
additional.fields |
inspection_item |
additional.fields |
inspection_profile |
additional.fields |
install_policy_acceleration |
additional.fields |
instance_id |
principal.hostname,principal.asset.hostname |
instruction |
additional.fields |
inter_host |
intermediary.ip |
inter_host1 |
intermediary.hostname |
inter_hostname_ |
intermediary.hostname |
intermediary_application |
intermediary.application |
intermediary_hostname_ |
intermediary.ip,_intermediary.hostname |
intermediary_ip |
intermediary.ip |
inzone |
security_result.detection_fields |
ip_address |
target.resource.attribute.labels |
ip_address (abgeleitet von Paketen) |
principal.ip |
ip_address2 (abgeleitet von Paketen) |
principal.ip,principal.asset.ip |
ip_host |
intermediary.ip,intermediary.asset.ip (falls es sich um eine IP-Adresse handelt),intermediary.hostname (falls es sich um einen Hostnamen handelt) |
ip_id |
additional.fields |
ip_len |
additional.fields |
ip_offset |
additional.fields |
ipv6_dst |
target.ip,target.asset.ip |
ipv6_src |
principal.ip,principal.asset.ip |
is_correlated |
additional.fields |
is_last |
additional.fields |
last_hit_time |
security_result.last_discovered_time |
last_rematch_time |
additional.fields |
lastchg |
additional.fields |
lastname |
principal.user.last_name |
lastupdatetime |
security_result.last_updated_time |
layer_name |
security_result.rule_set_display_name,security_result.detection_fields |
layer_name_match_table |
additional.fields (Liste) |
layer_name_TP_match_table |
additional.fields (Liste) |
layer_names |
additional.fields.list |
layer_uuid |
security_result.rule_set,security_result.detection_fields |
layer_uuid_match_table |
additional.fields (Liste) |
layer_uuid_rule_uuid.0 |
security_result.rule_id |
layer_uuids |
additional.fields.list |
level |
security_result.detection_fields |
Level |
security_result.confidence_details |
local_value |
additional.fields |
localhost |
target.hostname,target.asset.hostname |
log_attachment_uid |
additional.fields |
log_delay |
additional.fields |
log_id |
metadata.product_log_id |
log_link |
additional.fields |
log_sys_message |
metadata.description |
log_uid |
additional.fields |
log_version |
metadata.product_version |
logic_changes |
security_result.detection_fields |
logicchanges.FollowUp |
security_result.detection_fields |
logicchanges.Protection |
security_result.detection_fields |
logicchanges.Srcs_srcs |
target.resource.product_object_id |
logid |
security_result.detection_fields |
loguid |
metadata.product_log_id |
mac_address |
principal.mac |
machine |
target.ip |
maestro_gw |
additional.fields |
malware |
security_result.detection_fields |
malware_action |
security_result.detection_fields |
malware_family |
security_result.detection_fields,security_result.about.resource.attribute.labels |
malware_rule_id |
security_result.detection_fields |
malware_rule_id_TP_match_table |
additional.fields (Liste) |
malware_rule_name |
security_result.detection_fields |
match_id |
additional.fields (Liste) |
match_id_match_table |
additional.fields (Liste) |
match_ids |
security_result.detection_fields |
matched_category |
security_result.detection_fields |
max_num_count_detected |
additional.fields |
max_vms_num |
additional.fields |
media_type |
additional.fields |
member_id |
additional.fields |
message_info |
metadata.description |
metadata.product_log_id_insertion_epoch_timestamp |
metadata.collected_timestamp |
method |
network.http.method |
methods |
additional.fields |
mgmt_value |
additional.fields |
mitre_collection |
additional.fields |
mitre_command_and_control |
additional.fields |
mitre_credential_access |
additional.fields |
mitre_defense_evasion |
additional.fields |
mitre_discovery |
additional.fields |
mitre_execution |
additional.fields |
mitre_exfiltration |
additional.fields |
mitre_impact |
additional.fields |
mitre_initial_access |
security_result.detection_fields |
mitre_lateral_movement |
additional.fields |
mitre_persistence |
additional.fields |
mitre_privilege_escalation |
additional.fields |
more_sources |
principal.ip |
msg |
security_result.description |
msgid |
additional.fields |
Name |
security_result.detection_fields,security_result.about.resource.attribute.labels |
nat_addtnl_rulenum |
additional.fields |
NAT_addtnl_rulenum |
security_result.detection_fields |
nat_rule_uid |
additional.fields |
nat_rulenum |
security_result.detection_fields |
NAT_rulenum |
security_result.detection_fields |
needs_browse_time |
additional.fields |
next_update_desc |
additional.fields |
num_of_updates |
additional.fields |
object |
target.ip |
objectname |
additional.fields |
objecttype |
security_result.detection_fields |
observable_comment |
security_result.detection_fields |
observable_id |
security_result.detection_fields |
observable_name |
security_result.detection_fields |
oid_prefix |
additional.fields |
operation |
additional.fields |
operation_number |
security_result.detection_fields |
operation_results |
additional.fields |
orig |
principal.hostname,principal.asset.hostname |
orig_log_server |
principal.resource.product_object_id |
orig_log_server_ip |
principal.ip,principal.asset.ip |
origin |
intermediary.ip,target.ip,target.asset.ip (wenn sowohl die Details der Haupt- als auch der Zielmaschine null sind). |
origin_repetitions |
additional.fields |
origin_sic_name |
intermediary.asset_id |
originsicname |
security_result.detection_fields |
os |
principal.platform |
os_name |
principal.asset.platform_software.platform |
os_version |
principal.asset.platform_software.platform_patch_level |
outzone |
security_result.detection_fields |
p_hostname |
principal.hostname |
p_ip |
principal.ip,principal.asset.ip |
p_userid |
principal.user.userid |
p_username |
principal.user.user_display_name |
package_action |
additional.fields |
packet_amount |
additional.fields |
packet_capture_name |
additional.fields |
packet_capture_time |
additional.fields |
packet_capture_unique_id |
additional.fields |
packets |
additional.fields |
parameter |
additional.fields |
parent_rule |
additional.fields (Liste) |
parent_rule_match_table |
additional.fields (Liste) |
parent_rules |
additional.fields.list |
password_field |
additional.fields |
path |
target.file.full_path |
peer_gateway |
target.ip,target.asset.ip |
performance_impact |
additional.fields |
performanceImpAction |
security_result.detection_fields |
pid |
principal.process.pid |
platform_patch_level |
principal.asset.platform_software.platform_patch_level |
policy |
additional.fields |
policy_name |
security_result.detection_fields |
policy_time |
security_result.detection_fields |
policyNames |
security_result.rule_set_display_name |
port |
additional.fields |
port (abgeleitet von Paketen) |
principal.port |
port2 (abgeleitet von Paketen) |
target.port |
portal_message |
security_result.description |
ppid |
principal.process.parent_pid |
precise_error |
security_result.detection_fields |
principal_hostname |
principal.ip und principal.asset.ip (wenn principal_hostname eine gültige IP-Adresse ist),principal.hostname,principal.asset.hostname und intermediary.hostname (alle anderen Fälle) |
principal_ip |
principal.ip,principal.asset.ip |
product |
metadata.product_name |
product_event_type |
metadata.product_event_type |
product_family |
additional.fields |
product_log_id |
metadata.product_log_id |
ProductFamily |
additional.fields |
profile |
security_result.detection_fields |
Protection |
security_result.detection_fields |
protection_id |
security_result.detection_fields |
protection_name |
security_result.detection_fields,security_result.about.resource.attribute.labels |
protection_type |
security_result.detection_fields,security_result.about.resource.attribute.labels |
proto |
additional.fields |
protocol |
network.application_protocol |
proxy |
security_resultc_ipprincipal.nat_ip |
query |
additional.fields |
question_rdata |
security_result.detection_fields |
reason |
security_result.summary |
received_bytes |
network.received_bytes |
Reference |
security_result.detection_fields,security_result.about.resource.attribute.labels |
registered_ip_phones |
additional.fields |
reject_category |
security_result.summary |
reject_id_kid |
security_result.detection_fields |
resource |
additional.fields.list_value |
resource_name |
target.resource.name |
resource1 |
target.url |
result |
security_result.summary |
roles |
additional.fields |
ROW_END |
additional.fields |
ROW_START |
additional.fields |
rt |
metadata.event_timestamp |
rule |
security_result.rule_name,security_result.detection_fields |
rule_action |
security_result.action,security_result.detection_fields |
rule_action_match_table |
additional.fields (Liste) |
rule_actions |
security_result.detection_fields |
rule_id |
security_result.rule_id |
rule_name |
security_result.rule_name |
rule_name_match_table |
additional.fields (Liste) |
rule_names |
additional.fields |
| `rule_uid" | security_result.rule_id |
rule_uid_match_table |
additional.fields (Liste) |
rule_uids |
security_result.detection_fields,additional.fields |
s_port |
additional.fields |
scheme |
additional.fields |
scope |
principal.ip (falls es sich um eine IP-Adresse handelt),additional.fields (falls es sich nicht um eine IP-Adresse handelt) |
scrub_activity |
additional.fields |
securexl_message |
additional.fields |
security_inzone |
security_result.detection_fields |
security_outzone |
security_result.detection_fields |
segment_time |
additional.fields |
sendtotrackerasadvancedauditlog |
security_result.detection_fields |
sensor_alert_blade |
additional.fields |
sensor_alert_category |
additional.fields |
sensor_alert_duration |
additional.fields |
sensor_alert_id |
additional.fields |
sensor_alert_message |
additional.fields |
sensor_alert_module |
additional.fields |
sensor_alert_solution |
additional.fields |
sensor_alert_solution_sk |
additional.fields |
sensor_alert_title |
additional.fields |
sensor_alert_type |
additional.fields |
sensor_test_name |
additional.fields |
sent_bytes |
network.sent_bytes |
sequencenum |
additional.fields |
ser_agent_kid |
security_result.detection_fields |
server_inbound_bytes |
network.sent_bytes |
server_inbound_interface |
additional.fields |
server_inbound_packets |
network.sent_bytes |
server_kid |
additional.fields |
server_outbound_bytes |
network.received_bytes |
server_outbound_interface |
target.resource.attribute.labels |
server_outbound_packets |
network.received_bytes |
service |
target.port |
service_id |
additional.fields |
session_description |
security_result.detection_fields |
session_id |
network.session_id |
session_name |
security_result.detection_fields |
session_uid |
network.session_id |
sev |
security_result.severity |
severity |
security_result.detection_fields |
Severity |
security_result.severity |
sig_id |
additional.fields |
signature |
security_result.threat_name |
site |
network.http.user_agent |
smartdefense_profile |
security_result.detection_fields |
smartdefense_profile_TP_match_table |
additional.fields (Liste) |
sni |
additional.fields |
snid |
network.session_id |
Source |
target.resource.attribute.labels |
source_os |
additional.fields |
sourceAddress |
principal.ip,principal.asset.ip |
sourcePort |
principal.port |
sourceTranslatedAddress |
principal.ip,principal.asset.ip,principal.nat_ip |
sourceTranslatedPort |
principal.port,principal.nat_port |
sourceUserName |
match => { "sourceUserName" => [ "%{DATA:firstname}( %{DATA:lastname})? \\\(%{DATA:userid}\\\)"]} |
special_attack |
additional.fields |
spt |
principal.port |
sr_url |
security_result.about.url |
src |
principal.ip,principal.hostname,principal.asset.ip,principal.asset.hostname |
src_domain_name |
principal.hostname,principal.asset.hostname |
src_ip |
principal.ip,principal.asset.ip |
src_localhost |
principal.hostname,principal.asset.hostname |
| src_machine_group | principal.resource.attribute.labels |
| src_machine_name | principal.user.email_addresses |
| src_port | principal.port |
| src_uo_icon | additional.fields |
| src_uo_name | principal.location.country_or_region |
| src_user | principal.user.userid |
| src_user_dn | principal.resource.attribute.labels |
| src_user_group | principal.resource.attribute.labels |
| src_user_name | principal.user.userid |
| srcBytes | additional.fields |
| srcip | additional.fields |
| srcPort | principal.port |
| srcPostNAT | principal.nat_ip |
| srcPostNATPort | principal.nat_port |
| Srcs | security_resultcstarget.resource.attribute.labels |
| srv_ip | target.ip |
| ssh_connection_stage | additional.fields |
| sshd_function | additional.fields |
| start_time | metadata.collected_timestamp |
| status | security_result.action_details,security_result.detection_fields,security_result.action |
| stormagentaction | additional.fields |
| stormagentname | additional.fields |
| sub_policy_name | security_result.detection_fields |
| sub_policy_uid | security_result.detection_fields |
| subject | metadata.description |
| subscription_description | additional.fields |
| subscription_stat | security_result.detection_fields |
| subscription_stat_desc | security_result.summary |
| subscription_status | security_result.detection_fields |
| suppressed_logs | security_result.detection_fields |
| svc | target.port |
| sys_message | additional.fields |
| syslog_date | additional.fields |
| syslog_facility_code | additional.fields |
| syslog_pri | additional.fields |
| system_alert_message | additional.fields |
| system_application | additional.fields |
| tags | security_result.detection_fields |
| tar_user | target.user.userid |
| tar_userid | target.user.userid |
| tar_username | target.user.user_display_name |
| target_port | target.port |
| tcp_flags | additional.fields |
| tcp_packet_out_of_state | security_result.detection_fields |
| te_verdict_determined_by | additional.fields |
| temp_duser | target.user.email_addresses |
| tid | security_result.detection_fields |
| time | metadata.event_timestamp |
| time_interval | additional.fields |
| tls_server_host_name | additional.fields |
| to | network.email.to,additional.fields |
| TP_match_table | additional.fields |
| Track | additional.fields |
| two-factor_authentication | security_result.detection_fields |
| type | security_result.rule_type |
| uid | additional.fields |
| UP_match_table | additional.fields |
| update_count | additional.fields |
| update_service | additional.fields |
| update_status | security_result.action,security_result.action_details |
| url | principal.url |
| url_count | additional.fields |
| user | principal.user.user_display_name |
| user_agent | network.http.user_agent,network.http.parsed_user_agent |
| usercheck_interaction_name | security_result.rule_name |
| userid | principal.user.userid |
| userip | principal.ip,principal.asset.ip |
| UUid | metadata.product_log_id |
| validation_log | additional.fields |
| vendor_list | security_result.detection_fields |
| vendor_name | metadata.vendor_name |
| verdict | security_result.verdict_info.verdict_response |
| version | metadata.product_version |
| version_ | additional.fields |
| via | additional.fields |
| voip_call_dir | additional.fields |
| voip_call_id | network.session_id |
| voip_call_state | additional.fields |
| voip_duration | additional.fields |
| voip_log_type | additional.fields |
| voip_media_ipp | additional.fields |
| voip_media_port | additional.fields |
| voip_method | additional.fields |
| voip_reason_info | additional.fields |
| voip_reg_ip | additional.fields |
| voip_reg_ipp | additional.fields |
| voip_reg_period | additional.fields |
| voip_reg_port | additional.fields |
| voip_reg_server | additional.fields |
| voip_reject_reason | additional.fields |
| VPN | additional.fields |
| vpn_feature_name | additional.fields |
| watermark | additional.fields |
| web_client_type | network.useragent |
| web_client_type.0 | network.http.user_agent,network.http.parsed_user_agent |
| xlatedport | target.nat_port |
| xlatedst | target.nat_ip |
| xlatesport | principal.nat_port |
| xlatesrc | principal.nat_ip |
Release deltas
On 1 March 2026, Google SecOps released a new version of the Check Point firewall parser that contains significant changes to the mapping of Check Point firewall log fields to UDM fields, as well as changes to the event type mapping.
Log field mapping delta
The following table lists the mapping delta for Check Point firewall log fields to UDM fields as it was before 1 March 2026 and as it is afterwards (in the Old mapping and Current mapping columns respectively):
| Log field | Old mapping | Current mapping |
|---|---|---|
| client_inbound_bytes | principal.resource.attribute_labels | principal.network.received_bytes |
| client_outbound_bytes | principal.resource.attribute_labels | principal.network.sent_bytes |
| lastupdatetime | additional.fields | security_result.last_updated_time |
| layer_names | security_result.detection_fields | additional.fields.list |
| layer_uuids | security_result.detection_fields, additional.fields | additional.fields.list |
| operation | security_result.detection_fields | additional.fields |
| originsicname | intermediary.labels | security_result.detection_fields |
| parent_rules | additional.fields | additional.fields.list |
| pid | additional.fields | principal.process.pid |
| scope | additional.fields | principal.ip (if the value is an IP address), additional.fields (if it is not an IP address) |
| server_inbound_bytes | target.resource.attribute.labels, network.sent_bytes | network.sent_bytes |
| server_inbound_packets | target.resource.attribute.labels, network.sent_packets | network.sent_packets |
| server_outbound_bytes | target.resource.attribute.labels, network.received_bytes | network.received_bytes |
| server_outbound_packets | target.resource.attribute.labels, network.received_packets | network.received_packets |
| src_machine_name | additional.fields | principal.user.email_addresses |
| src_user_dn | sr.detection_fields | principal.resource.attribute.labels |
| suppressed_logs | additional.fields | security_result.detection_fields |
| web_client_type | additional.fields | network.useragent |
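The following Python example is added here for illustration; it is not Google SecOps or Check Point parser code. It applies the current (post-1 March 2026) mapping for a subset of the delta fields above to a constructed Check Point key/value syslog line, including the conditional rule for scope, so that detection content can be checked against the new UDM paths instead of the old ones. The sample line, the field subset, the integer typing and the dict-based UDM representation (additional.fields is really a list of key/value labels) are assumptions made for the example.

```python
"""Added example (not Google SecOps or Check Point code): apply the
post-1 March 2026 mapping for a subset of the delta fields to a Check Point
key/value syslog line. The log line, the field subset and the dict-based
UDM representation are constructed simplifications."""
import ipaddress
import re
from typing import Any

# Subset of the delta table's "current mapping" column (assumption: values
# are copied verbatim; only "scope" is conditional on being an IP address).
CURRENT_MAPPING = {
    "client_inbound_bytes": "principal.network.received_bytes",
    "client_outbound_bytes": "principal.network.sent_bytes",
    "server_inbound_bytes": "network.sent_bytes",
    "server_outbound_bytes": "network.received_bytes",
    "pid": "principal.process.pid",
    "web_client_type": "network.useragent",
}
# Counters and ids that UDM stores as integers (assumption for this example).
INTEGER_FIELDS = {"client_inbound_bytes", "client_outbound_bytes",
                  "server_inbound_bytes", "server_outbound_bytes", "pid"}

# Constructed sample in the key:"value"; style of Check Point Log Exporter.
SAMPLE_LINE = (
    '<134>1 2026-03-02T10:15:00Z cp-gw CheckPoint 4242 - '
    '[action:"Accept"; scope:"10.1.2.3"; client_inbound_bytes:"512"; '
    'client_outbound_bytes:"128"; server_inbound_bytes:"128"; '
    'server_outbound_bytes:"512"; pid:"7788"; web_client_type:"Chrome"]'
)

KV_RE = re.compile(r'(\w+):"([^"]*)"')


def parse_kv(line: str) -> dict[str, str]:
    """Extract key:"value" pairs from the syslog payload."""
    return dict(KV_RE.findall(line))


def set_path(event: dict, path: str, value: Any) -> None:
    """Write value at a dotted UDM path, creating nested dicts as needed."""
    node = event
    parts = path.split(".")
    for part in parts[:-1]:
        node = node.setdefault(part, {})
    node[parts[-1]] = value


def get_path(event: dict, path: str) -> Any:
    """Read a dotted UDM path; None when the path is absent."""
    node: Any = event
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def is_ip_address(value: str) -> bool:
    """True for a syntactically valid IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(value)
    except ValueError:
        return False
    return True


def to_udm(fields: dict[str, str]) -> dict:
    """Map parsed fields with the current (post-delta) placement rules."""
    event: dict = {}
    for key, value in fields.items():
        if key == "scope":
            # Delta table: principal.ip when scope is an IP, else additional.fields.
            if is_ip_address(value):
                set_path(event, "principal.ip", [value])
            else:
                event.setdefault("additional", {}).setdefault("fields", {})[key] = value
        elif key in CURRENT_MAPPING:
            typed = int(value) if key in INTEGER_FIELDS else value
            set_path(event, CURRENT_MAPPING[key], typed)
        else:
            # Fields outside this subset keep the generic location.
            event.setdefault("additional", {}).setdefault("fields", {})[key] = value
    return event


if __name__ == "__main__":
    import json
    print(json.dumps(to_udm(parse_kv(SAMPLE_LINE)), indent=2))
```

Running the block prints the resulting UDM-style event; the point to check after the parser update is that byte counters and the pid no longer sit under resource.attribute.labels or additional.fields, and that a non-IP scope value stays in additional.fields.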
Event type mapping delta
Several events that were previously classified generically are now classified correctly with meaningful event types.
The following table lists the change in how Check Point firewall event types are handled before 1 March 2026 and afterwards (in the Old event_type and Current event_type columns):
| Format | Event ID from the log | Old event_type | Current event_type |
|---|---|---|---|
| SYSLOG+KV | The log contains sourceAddress and host. | GENERIC_EVENT | NETWORK_CONNECTION |
| SYSLOG+JSON | The log contains sourceAddress and host. | NETWORK_HTTP | NETWORK_CONNECTION |
Changelog
View the changelog for this parser