Collect Check Point firewall logs
This document explains how to ingest Check Point firewall logs into Google Security Operations using the Bindplane agent.
Check Point firewalls generate logs for network connections, security events, VPN activity, threat prevention, and administrative operations. The parser extracts key-value and CEF fields and maps them to the Unified Data Model (UDM).
Before you begin
Make sure you meet the following prerequisites:
- A Google SecOps instance
- Windows Server 2016 or later, or a Linux host with systemd
- Network connectivity between the Bindplane agent and the Check Point firewall
- If the agent runs behind a proxy, make sure the firewall ports are open according to the Bindplane agent requirements
- Privileged access to the Check Point firewall UI
Get the Google SecOps ingestion authentication file
- Sign in to the Google SecOps console.
- Go to SIEM Settings > Collection Agents.
- Download the ingestion authentication file.
- Save the file securely on the system where the Bindplane agent will be installed.
Get the Google SecOps customer ID
- Sign in to the Google SecOps console.
- Go to SIEM Settings > Profile.
- Copy and save the customer ID from the Organization Details section.
Install the Bindplane agent
Install the Bindplane agent on your Windows or Linux operating system by following the instructions below.
Windows installation
- Open Command Prompt or PowerShell as administrator.
- Run the following command:

```
msiexec /i "https://github.com/observIQ/bindplane-agent/releases/latest/download/observiq-otel-collector.msi" /quiet
```

- Wait for the installation to complete.
- Verify the installation by running:

```
sc query observiq-otel-collector
```

The service should be displayed as RUNNING.
Linux installation
- Open a terminal with root or sudo privileges.
- Run the following command:

```bash
sudo sh -c "$(curl -fsSlL https://github.com/observiq/bindplane-agent/releases/latest/download/install_unix.sh)" install_unix.sh
```

- Wait for the installation to complete.
- Verify the installation by running:

```bash
sudo systemctl status observiq-otel-collector
```

The service should be displayed as active (running).
Additional installation resources
For additional installation options and troubleshooting, see the Bindplane agent installation guide.
Configure the Bindplane agent to ingest syslog and send it to Google SecOps
Locate the configuration file
Linux:

```bash
sudo nano /etc/bindplane-agent/config.yaml
```

Windows:

```
notepad "C:\Program Files\observIQ OpenTelemetry Collector\config.yaml"
```

Edit the configuration file
Replace the entire contents of `config.yaml` with the following configuration:

```yaml
receivers:
  udplog:
    listen_address: "0.0.0.0:514"
exporters:
  chronicle/checkpoint_firewall:
    compression: gzip
    creds_file_path: '/etc/bindplane-agent/ingestion-auth.json'
    customer_id: '<customer_id>'
    endpoint: malachiteingestion-pa.googleapis.com
    log_type: CHECKPOINT_FIREWALL
    raw_log_field: body
service:
  pipelines:
    logs/checkpoint_firewall_to_chronicle:
      receivers:
        - udplog
      exporters:
        - chronicle/checkpoint_firewall
```
Configuration parameters
Replace the following placeholders:
Receiver configuration:
- `listen_address`: IP address and port to listen on:
  - `0.0.0.0` listens on all interfaces (recommended)
  - Port `514` is the standard syslog port (it requires root access on Linux; use `1514` for non-root access)
Exporter configuration:
- `creds_file_path`: full path to the ingestion authentication file:
  - Linux: `/etc/bindplane-agent/ingestion-auth.json`
  - Windows: `C:\Program Files\observIQ OpenTelemetry Collector\ingestion-auth.json`
- `customer_id`: customer ID copied from the Google SecOps console
- `endpoint`: regional endpoint URL:
  - United States: `malachiteingestion-pa.googleapis.com`
  - Europe: `europe-malachiteingestion-pa.googleapis.com`
  - Asia: `asia-southeast1-malachiteingestion-pa.googleapis.com`
  - For a complete list, see Regional endpoints.
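The mistakes that most often stop ingestion at this point are the ones this section warns about: an unreplaced `<customer_id>` placeholder, an endpoint outside the regional list, a missing authentication file, and port 514 on a host where the agent does not run as root. The following preflight script is an added example, not part of the Google SecOps documentation or the Bindplane agent; it reads the page's `config.yaml` keys with regular expressions and assumes the flat single-receiver, single-exporter layout shown above.

```python
"""Preflight checks for the Bindplane config.yaml shown on this page.

Added example; it is not part of the Google SecOps documentation or of the Bindplane agent.
The checks read the flat receiver/exporter keys with regular expressions, which is enough
for this page's single udplog receiver and single chronicle exporter but is not a YAML
parser. SAMPLE_CONFIG is a copy of the page's configuration, placeholder included.
"""
import os
import re
from typing import Callable, List, Optional

# Regional endpoints listed on this page; the full list is in the Regional endpoints doc.
KNOWN_ENDPOINTS = {
    "malachiteingestion-pa.googleapis.com",                   # United States
    "europe-malachiteingestion-pa.googleapis.com",            # Europe
    "asia-southeast1-malachiteingestion-pa.googleapis.com",   # Asia
}

SAMPLE_CONFIG = """\
receivers:
  udplog:
    listen_address: "0.0.0.0:514"
exporters:
  chronicle/checkpoint_firewall:
    compression: gzip
    creds_file_path: '/etc/bindplane-agent/ingestion-auth.json'
    customer_id: '<customer_id>'
    endpoint: malachiteingestion-pa.googleapis.com
    log_type: CHECKPOINT_FIREWALL
    raw_log_field: body
service:
  pipelines:
    logs/checkpoint_firewall_to_chronicle:
      receivers:
        - udplog
      exporters:
        - chronicle/checkpoint_firewall
"""


def scalar(config_text: str, key: str) -> Optional[str]:
    """Return the value of the first `key: value` line, with surrounding quotes removed."""
    m = re.search(rf"^\s*{re.escape(key)}:\s*(.+?)\s*$", config_text, re.MULTILINE)
    return m.group(1).strip("'\"") if m else None


def preflight(config_text: str, euid: Optional[int] = None,
              path_exists: Callable[[str], bool] = os.path.exists) -> List[str]:
    """Return a list of findings; an empty list means the config passed every check."""
    if euid is None:
        # os.geteuid is POSIX-only; on Windows the privileged-port rule does not apply.
        euid = os.geteuid() if hasattr(os, "geteuid") else 0
    findings: List[str] = []

    customer_id = scalar(config_text, "customer_id")
    if not customer_id or customer_id.startswith("<"):
        findings.append("customer_id: replace the <customer_id> placeholder with the ID from "
                        "SIEM Settings > Profile")

    endpoint = scalar(config_text, "endpoint")
    if endpoint not in KNOWN_ENDPOINTS:
        findings.append(f"endpoint: {endpoint!r} is not one of the regional endpoints listed "
                        "on this page; check the Regional endpoints list")

    if scalar(config_text, "log_type") != "CHECKPOINT_FIREWALL":
        findings.append("log_type: must be CHECKPOINT_FIREWALL so the Check Point parser runs")

    creds = scalar(config_text, "creds_file_path")
    if not creds or not path_exists(creds):
        findings.append(f"creds_file_path: ingestion authentication file not found at {creds!r}")

    listen = scalar(config_text, "listen_address") or ""
    host, _, port = listen.rpartition(":")
    if not port.isdigit():
        findings.append(f"listen_address: expected host:port, got {listen!r}")
    elif int(port) < 1024 and euid != 0:
        findings.append(f"listen_address: port {port} is privileged on Linux; run the agent "
                        "as root or use 1514 and point the firewall's syslog server at it")
    return findings


if __name__ == "__main__":
    # Default Linux path from this page; pass another path as the first argument if needed.
    import sys
    cfg_path = sys.argv[1] if len(sys.argv) > 1 else "/etc/bindplane-agent/config.yaml"
    with open(cfg_path, encoding="utf-8") as fh:
        problems = preflight(fh.read())
    print("\n".join(problems) if problems else f"{cfg_path}: no problems found")
```

Run it as the same user the agent service runs as, so the port check reflects the real privileges.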
Save the configuration file
- After editing, save the file:
  - Linux: press Ctrl+O, then Enter, and finally Ctrl+X.
  - Windows: click File > Save.
Restart the Bindplane agent to apply the changes
To restart the Bindplane agent on Linux, run the following command:

```bash
sudo systemctl restart observiq-otel-collector
```

Verify that the service is running:

```bash
sudo systemctl status observiq-otel-collector
```

Check the logs for errors:

```bash
sudo journalctl -u observiq-otel-collector -f
```

To restart the Bindplane agent on Windows, choose one of the following options:
Command Prompt or PowerShell as administrator:

```
net stop observiq-otel-collector && net start observiq-otel-collector
```

Services console:
- Press Win+R, type `services.msc`, and press Enter.
- Locate observIQ OpenTelemetry Collector.
- Right-click it and select Restart.
Verify that the service is running:

```
sc query observiq-otel-collector
```

Check the logs for errors:

```
type "C:\Program Files\observIQ OpenTelemetry Collector\log\collector.log"
```
Configure syslog export on a Check Point firewall
- Sign in to the Check Point firewall UI using a privileged account.
- Go to Logs & Monitoring > Log Servers.
- Go to Syslog Servers.
- Click Configure and set the following values:
  - Protocol: select UDP to send security and/or system logs.
  - Name: provide a unique name (for example, `Bindplane_Server`).
  - IP address: provide the syslog server IP address (the Bindplane IP).
  - Port: provide the syslog server port (the Bindplane port).
- Select Enable log server.
- Select the logs to forward: System and security logs.
- Click Apply.
UDM mapping table
| Log field | UDM mapping |
|---|---|
| @timestamp | metadata.event_timestamp |
| __id | additional.fields |
| __nsons | additional.fields |
| __p_dport | additional.fields |
| __pos | additional.fields |
| _action | security_result.action_id |
| access_method | metadata.product_event_type |
| acks_total | additional.fields |
| act | security_result.action_details |
| Action | additional.fields |
| action_details | additional.fields |
| action_reason | security_result.detection_fields |
| Activity | security_result.summary |
| additional_info | security_result.description, security_result.detection_fields |
| administrator | target.user.userid |
| aggregated_log_count | security_result.detection_fields |
| alert | security_result.detection_fields |
| answer_rdata | additional.fields |
| app | principal.application |
| app_activity | security_result.description |
| app_category | security_result.category_details |
| app_desc | additional.fields |
| app_id | additional.fields |
| app_properties | additional.fields, security_result.detection_fields |
| app_risk | security_result.detection_fields |
| app_session_id | network.session_id |
| app_sig_id | additional.fields |
| appcategory | additional.fields |
| appi_name | security_result.detection_fields |
| application | principal.application |
| application_version | additional.fields |
| arrival_time | additional.fields |
| attachment_link | additional.fields |
| attachments_num | additional.fields |
| attack | security_result.threat_name |
| attack_info | security_result.description |
| attack_status | additional.fields |
| attack_traffic_bps | additional.fields |
| attackStatus | security_result.detection_fields |
| audit_status | additional.fields |
| auth_method | additional.fields |
| auth_status | security_result.summary |
| authentication_trial | additional.fields |
| authority_rdata | principal.resource.attribute.labels |
| authorization | security_result.detection_fields |
| bandwidth | security_result.detection_fields |
| best_practice_id | security_result.detection_fields |
| blade_name | security_result.detection_fields |
| browse_time | additional.fields |
| browser | network.http.user_agent |
| bytes | additional.fields |
| c_bytes | additional.fields |
| calc_desc | security_result.description |
| calc_service | additional.fields |
| cat | security_result.detection_fields |
| category | security_result.category_details |
| cb_bp_blade | additional.fields |
| cb_rate | additional.fields |
| cb_recommendation | additional.fields |
| cb_relevantobjectname | additional.fields |
| cb_relevantobjectstatus | additional.fields |
| cb_scan_id | security_result.detection_fields |
| cb_status | additional.fields |
| certificate_validity | additional.fields |
| client_inbound_bytes | principal.network.received_bytes |
| client_inbound_interface | additional.fields |
| client_inbound_packets | principal.network.received_packets |
| client_ip | principal.ip, principal.asset.ip |
| client_name | security_result.detection_fields |
| client_outbound_bytes | principal.network.sent_bytes |
| client_outbound_interface | additional.fields |
| client_outbound_packets | principal.network.sent_packets |
| client_to_gateway_ciphers | additional.fields |
| client_type_os | principal.platform |
| client_version.0 | intermediary.platform_version |
| cloud_hourly_quota | additional.fields |
| cloud_hourly_quota_exceeded | additional.fields |
| cloud_hourly_quota_usage_for_quota_id | additional.fields |
| cloud_hourly_quota_usage_for_this_gw | additional.fields |
| cloud_hourly_remaining_quota | additional.fields |
| cloud_last_quota_update_gmt_time | additional.fields |
| cloud_monthly_quota | additional.fields |
| cloud_monthly_quota_exceeded | additional.fields |
| cloud_monthly_quota_period_end | additional.fields |
| cloud_monthly_quota_period_start | additional.fields |
| cloud_monthly_quota_usage_for_quota_id | additional.fields |
| cloud_monthly_quota_usage_for_this_gw | additional.fields |
| cloud_quota_description | additional.fields |
| cloud_quota_identifier | additional.fields |
| cloud_quota_status | additional.fields |
| cloud_remaining_quota | additional.fields |
| cluster_info | additional.fields |
| cn2 | additional.fields |
| cn3 | additional.fields |
| comment | security_result.description |
| community | additional.fields |
| condition | additional.fields |
| confidence_level | security_result.confidence |
| conn_direction | network.direction, additional.fields |
| connection_count | security_result.detection_fields |
| connection_luuid | additional.fields |
| connection_uid | additional.fields |
| consent_flag_status | additional.fields |
| consent_flag_value | additional.fields |
| content_disposition | target.file.names |
| content_length | target.file.size |
| content_risk | additional.fields |
| content_type | target.file.mime_type |
| context_num | additional.fields |
| contextnum | additional.fields |
| contract_name | security_result.detection_fields |
| control_log_type | additional.fields |
| controller | additional.fields |
| cookiei | additional.fields |
| cookier | additional.fields |
| cp_component_name | additional.fields |
| cp_component_version | additional.fields |
| creation_time | principal.asset.attribute.creation_time |
| cs2_second | intermediary.ip, intermediary.asset.ip |
| cu_detected_by | additional.fields |
| cu_detection_time | additional.fields |
| cu_log_count | additional.fields |
| cu_rule_category | security_result.rule_name |
| cu_rule_id | security_result.rule_id |
| current_value | additional.fields |
| d_name | security_result.detection_fields |
| data_type_name | security_result.detection_fields |
| date_value | additional.fields |
| datetime | metadata.event_timestamp |
| db_tag | security_result.detection_fields |
| db_ver | additional.fields |
| DCE_RPC_Interface_UID | additional.fields |
| dce-rpc_interface_uuid | additional.fields |
| dce-rpc_interface_uuid-1 | additional.fields |
| dce-rpc_interface_uuid-2 | additional.fields |
| dce-rpc_interface_uuid-3 | additional.fields |
| dedup_time | additional.fields |
| default_device_message | additional.fields |
| delivery_time | additional.fields |
| desc | security_result.summary |
| description | security_result.detection_fields |
| description_url | additional.fields |
| Destination | additional.fields |
| destination_dns_hostname | target.hostname, target.asset.hostname |
| destinationAddress | target.ip, target.asset.ip |
| destinationDnsDomain | target.url |
| destinationPort | target.port |
| destinationTranslatedAddress | target.ip, target.asset.ip, target.nat_ip |
| destinationTranslatedPort | target.port, target.nat_port |
| detected_by | security_result.detection_fields |
| device | intermediary.ip, intermediary.asset.ip |
| device_identification | additional.fields |
| device_message | security_result.description |
| device_name | target.hostname, target.asset.hostname |
| device_type | target.resource.resource_subtype |
| deviceCustomNumber2 | additional.fields |
| deviceCustomString2 | security_result.rule_name |
| deviceDirection | network.direction |
| devTime | metadata.event_timestamp |
| direction | additional.fields |
| discard_traffic_bps | additional.fields |
| discard_traffic_pps | additional.fields |
| dlp_data_type_name | additional.fields |
| dlp_relevant_data_types | additional.fields |
| dlp_rule_name | additional.fields |
| dlp_transport | additional.fields |
| dn | additional.fields |
| dns_domain_name | target.hostname, target.asset.hostname |
| dns_message_type | security_result.detection_fields |
| dns_query_type | additional.fields |
| dns_query.queries | network.dns.questions.name |
| dns_type | additional.fields |
| domain | principal.administrative_domain |
| domain_name | principal.administrative_domain |
| dpt | target.port |
| drop_reason | security_result.summary |
| dst | target.ip, target.asset.ip |
| dst_country | target.location.country_or_region |
| dst_domain_name | target.hostname, target.asset.hostname |
| dst_ip | target.ip, target.asset.ip |
| dst_machine_name | target.user.email_addresses |
| dst_phone_number | target.user.phone_numbers |
| dst_port | target.port |
| dst_uo_icon | additional.fields |
| dst_uo_name | target.location.country_or_region |
| dst_user_dn | target.resource.attribute.labels |
| dst_user_name | target.user.user_display_name |
| dstBytes | additional.fields |
| dstkeyid | additional.fields |
| dstPostNAT | target.nat_ip |
| dstPostNATPort | target.nat_port |
| duration | network.session_duration.seconds |
| during_sec | additional.fields |
| dvc | target.ip, intermediary.ip |
| elapsed | additional.fields |
| email_content | security_result.description |
| email_control | additional.fields |
| email_queue_id | security_result.detection_fields |
| email_queue_name | security_result.detection_fields |
| email_session_id | additional.fields |
| email_status | security_result.detection_fields |
| email_subject | network.email.subject |
| emailSubject | network.email.subject |
| emulated_on | additional.fields |
| encryption_fail_reason | additional.fields |
| encryption_failure | security_result.description |
| environment_id | target.resource.product_object_id |
| Errors | security_result.description |
| euid | additional.fields |
| event_kind | additional.fields |
| event_name | metadata.description |
| event_start_time | additional.fields |
| extraction_download_time | additional.fields |
| extraction_time | additional.fields |
| extraction_total_time | additional.fields |
| failure_impact | additional.fields |
| failure_reason | additional.fields |
| feature_name | additional.fields |
| fg-1_client_in_rule_name | additional.fields |
| fg-1_client_out_rule_name | additional.fields |
| fieldschanges | security_result.detection_fields |
| file_count | additional.fields |
| file_direction | additional.fields |
| file_md5 | target.file.md5 |
| file_name | target.file.names |
| file_sha1 | target.file.sha1 |
| file_sha256 | target.file.sha256 |
| file_size | target.file.size |
| file_status | target.resource.attribute.labels |
| file_type | additional.fields |
| Firewall management node | security_result.detection_fields |
| firstname | principal.user.first_name |
| flags | additional.fields |
| flexString2 | security_result.detection_fields |
| FollowUp | security_result.detection_fields |
| fragments_dropped | additional.fields |
| from | network.email.from, additional.fields |
| from_user | principal.user.userid |
| fservice | security_result.detection_fields |
| fw_message | additional.fields |
| fw_subproduct | metadata.product_name |
| gateway_to_server_ciphers | additional.fields |
| geoip_dst.country_name | target.location.country_or_region |
| h_version | security_result.detection_fields |
| has_accounting | additional.fields |
| header_ip_ | intermediary.ip, intermediary.asset.ip |
| hll_key | additional.fields |
| host | target.hostname, target.asset.hostname |
| hostname | target.hostname, target.asset.hostname |
| http_host | target.ip, target.asset.ip (if it is an IP address), target.hostname (if it is a hostname) |
| http_server | target.application |
| http_status | network.http.response_code |
| https_inspection_action | additional.fields |
| https_inspection_rule_id | security_result.detection_fields |
| https_inspection_rule_name | security_result.detection_fields |
| https_validation | security_result.detection_fields |
| i_ip | intermediary.ip, intermediary.asset.ip |
| icmp | additional.fields |
| ICMP | additional.fields |
| icmp_code | additional.fields |
| ICMP_Code | additional.fields |
| icmp_type | additional.fields |
| ICMP_Type | additional.fields |
| id | metadata.product_log_id |
| identity_src | target.application |
| identity_type | additional.fields, extensions.auth.type |
| if_direction | network.direction |
| if_name | additional.fields |
| ifdir | network.direction |
| ifname | security_result.detection_fields |
| ike | security_result.description |
| ike_ids | additional.fields |
| Impact | additional.fields |
| indicator_name | security_result.detection_fields |
| indicator_uuid | security_result.detection_fields |
| industry_reference | additional.fields |
| Info | security_result.description |
| information | metadata.description |
| inspection_category | additional.fields |
| inspection_information | additional.fields |
| inspection_item | additional.fields |
| inspection_profile | additional.fields |
| install_policy_acceleration | additional.fields |
| instance_id | principal.hostname, principal.asset.hostname |
| instruction | additional.fields |
| inter_host | intermediary.ip |
| inter_host1 | intermediary.hostname |
| inter_hostname_ | intermediary.hostname |
| intermediary_application | intermediary.application |
| intermediary_hostname_ | intermediary.ip, _intermediary.hostname |
| intermediary_ip | intermediary.ip |
| inzone | security_result.detection_fields |
| ip_address | target.resource.attribute.labels |
| ip_address (derived from packets) | principal.ip |
| ip_address2 (derived from packets) | principal.ip, principal.asset.ip |
| ip_host | intermediary.ip, intermediary.asset.ip (if it is an IP address), intermediary.hostname (if it is a hostname) |
| ip_id | additional.fields |
| ip_len | additional.fields |
| ip_offset | additional.fields |
| ipv6_dst | target.ip, target.asset.ip |
| ipv6_src | principal.ip, principal.asset.ip |
| is_correlated | additional.fields |
| is_last | additional.fields |
| last_hit_time | security_result.last_discovered_time |
| last_rematch_time | additional.fields |
| lastchg | additional.fields |
| lastname | principal.user.last_name |
| lastupdatetime | security_result.last_updated_time |
| layer_name | security_result.rule_set_display_name, security_result.detection_fields |
| layer_name_match_table | additional.fields (list) |
| layer_name_TP_match_table | additional.fields (list) |
| layer_names | additional.fields.list |
| layer_uuid | security_result.rule_set, security_result.detection_fields |
| layer_uuid_match_table | additional.fields (list) |
| layer_uuid_rule_uuid.0 | security_result.rule_id |
| layer_uuids | additional.fields.list |
| level | security_result.detection_fields |
| Level | security_result.confidence_details |
| local_value | additional.fields |
| localhost | target.hostname, target.asset.hostname |
| log_attachment_uid | additional.fields |
| log_delay | additional.fields |
| log_id | metadata.product_log_id |
| log_link | additional.fields |
| log_sys_message | metadata.description |
| log_uid | additional.fields |
| log_version | metadata.product_version |
| logic_changes | security_result.detection_fields |
| logicchanges.FollowUp | security_result.detection_fields |
| logicchanges.Protection | security_result.detection_fields |
| logicchanges.Srcs_srcs | target.resource.product_object_id |
| logid | security_result.detection_fields |
| loguid | metadata.product_log_id |
| mac_address | principal.mac |
| machine | target.ip |
| maestro_gw | additional.fields |
| malware | security_result.detection_fields |
| malware_action | security_result.detection_fields |
| malware_family | security_result.detection_fields, security_result.about.resource.attribute.labels |
| malware_rule_id | security_result.detection_fields |
| malware_rule_id_TP_match_table | additional.fields (list) |
| malware_rule_name | security_result.detection_fields |
| match_id | additional.fields (list) |
| match_id_match_table | additional.fields (list) |
| match_ids | security_result.detection_fields |
| matched_category | security_result.detection_fields |
| max_num_count_detected | additional.fields |
| max_vms_num | additional.fields |
| media_type | additional.fields |
| member_id | additional.fields |
| message_info | metadata.description |
| metadata.product_log_id_insertion_epoch_timestamp | metadata.collected_timestamp |
| method | network.http.method |
| methods | additional.fields |
| mgmt_value | additional.fields |
| mitre_collection | additional.fields |
| mitre_command_and_control | additional.fields |
| mitre_credential_access | additional.fields |
| mitre_defense_evasion | additional.fields |
| mitre_discovery | additional.fields |
| mitre_execution | additional.fields |
| mitre_exfiltration | additional.fields |
| mitre_impact | additional.fields |
| mitre_initial_access | security_result.detection_fields |
| mitre_lateral_movement | additional.fields |
| mitre_persistence | additional.fields |
| mitre_privilege_escalation | additional.fields |
| more_sources | principal.ip |
| msg | security_result.description |
| msgid | additional.fields |
| Name | security_result.detection_fields, security_result.about.resource.attribute.labels |
| nat_addtnl_rulenum | additional.fields |
| NAT_addtnl_rulenum | security_result.detection_fields |
| nat_rule_uid | additional.fields |
| nat_rulenum | security_result.detection_fields |
| NAT_rulenum | security_result.detection_fields |
| needs_browse_time | additional.fields |
| next_update_desc | additional.fields |
| num_of_updates | additional.fields |
| object | target.ip |
| objectname | additional.fields |
| objecttype | security_result.detection_fields |
| observable_comment | security_result.detection_fields |
| observable_id | security_result.detection_fields |
| observable_name | security_result.detection_fields |
| oid_prefix | additional.fields |
| operation | additional.fields |
| operation_number | security_result.detection_fields |
| operation_results | additional.fields |
| orig | principal.hostname, principal.asset.hostname |
| orig_log_server | principal.resource.product_object_id |
| orig_log_server_ip | principal.ip, principal.asset.ip |
| origin | intermediary.ip, target.ip, target.asset.ip (when the principal and target machine details are null) |
| origin_repetitions | additional.fields |
| origin_sic_name | intermediary.asset_id |
| originsicname | security_result.detection_fields |
| os | principal.platform |
| os_name | principal.asset.platform_software.platform |
| os_version | principal.asset.platform_software.platform_patch_level |
| outzone | security_result.detection_fields |
| p_hostname | principal.hostname |
| p_ip | principal.ip, principal.asset.ip |
| p_userid | principal.user.userid |
| p_username | principal.user.user_display_name |
| package_action | additional.fields |
| packet_amount | additional.fields |
| packet_capture_name | additional.fields |
| packet_capture_time | additional.fields |
| packet_capture_unique_id | additional.fields |
| packets | additional.fields |
| parameter | additional.fields |
| parent_rule | additional.fields (list) |
| parent_rule_match_table | additional.fields (list) |
| parent_rules | additional.fields.list |
| password_field | additional.fields |
| path | target.file.full_path |
| peer_gateway | target.ip, target.asset.ip |
| performance_impact | additional.fields |
| performanceImpAction | security_result.detection_fields |
| pid | principal.process.pid |
| platform_patch_level | principal.asset.platform_software.platform_patch_level |
| policy | additional.fields |
| policy_name | security_result.detection_fields |
| policy_time | security_result.detection_fields |
| policyNames | security_result.rule_set_display_name |
| port | additional.fields |
| port (derived from packets) | principal.port |
| port2 (derived from packets) | target.port |
| portal_message | security_result.description |
| ppid | principal.process.parent_pid |
| precise_error | security_result.detection_fields |
| principal_hostname | principal.ip and principal.asset.ip (when principal_hostname is a valid IP); principal.hostname, principal.asset.hostname and intermediary.hostname (all other cases) |
| principal_ip | principal.ip, principal.asset.ip |
| product | metadata.product_name |
| product_event_type | metadata.product_event_type |
| product_family | additional.fields |
| product_log_id | metadata.product_log_id |
| ProductFamily | additional.fields |
| profile | security_result.detection_fields |
| Protection | security_result.detection_fields |
| protection_id | security_result.detection_fields |
| protection_name | security_result.detection_fields, security_result.about.resource.attribute.labels |
| protection_type | security_result.detection_fields, security_result.about.resource.attribute.labels |
| proto | additional.fields |
| protocol | network.application_protocol |
| proxy | security_resultc_ipprincipal.nat_ip |
| query | additional.fields |
| question_rdata | security_result.detection_fields |
| reason | security_result.summary |
| received_bytes | network.received_bytes |
| Reference | security_result.detection_fields, security_result.about.resource.attribute.labels |
| registered_ip_phones | additional.fields |
| reject_category | security_result.summary |
| reject_id_kid | security_result.detection_fields |
| resource | additional.fields.list_value |
| resource_name | target.resource.name |
| resource1 | target.url |
| result | security_result.summary |
| roles | additional.fields |
| ROW_END | additional.fields |
| ROW_START | additional.fields |
| rt | metadata.event_timestamp |
| rule | security_result.rule_name, security_result.detection_fields |
| rule_action | security_result.action, security_result.detection_fields |
| rule_action_match_table | additional.fields (list) |
| rule_actions | security_result.detection_fields |
| rule_id | security_result.rule_id |
| rule_name | security_result.rule_name |
| rule_name_match_table | additional.fields (list) |
| rule_names | additional.fields |
| rule_uid | security_result.rule_id |
| rule_uid_match_table | additional.fields (list) |
| rule_uids | security_result.detection_fields, additional.fields |
| s_port | additional.fields |
| scheme | additional.fields |
| scope | principal.ip (if it is an IP address), additional.fields (if it is not an IP address) |
| scrub_activity | additional.fields |
| securexl_message | additional.fields |
| security_inzone | security_result.detection_fields |
| security_outzone | security_result.detection_fields |
| segment_time | additional.fields |
| sendtotrackerasadvancedauditlog | security_result.detection_fields |
| sensor_alert_blade | additional.fields |
| sensor_alert_category | additional.fields |
| sensor_alert_duration | additional.fields |
| sensor_alert_id | additional.fields |
| sensor_alert_message | additional.fields |
| sensor_alert_module | additional.fields |
| sensor_alert_solution | additional.fields |
| sensor_alert_solution_sk | additional.fields |
| sensor_alert_title | additional.fields |
| sensor_alert_type | additional.fields |
| sensor_test_name | additional.fields |
| sent_bytes | network.sent_bytes |
| sequencenum | additional.fields |
| ser_agent_kid | security_result.detection_fields |
| server_inbound_bytes | network.sent_bytes |
| server_inbound_interface | additional.fields |
| server_inbound_packets | network.sent_bytes |
| server_kid | additional.fields |
| server_outbound_bytes | network.received_bytes |
| server_outbound_interface | target.resource.attribute.labels |
| server_outbound_packets | network.received_bytes |
| service | target.port |
| service_id | additional.fields |
| session_description | security_result.detection_fields |
| session_id | network.session_id |
| session_name | security_result.detection_fields |
| session_uid | network.session_id |
| sev | security_result.severity |
| severity | security_result.detection_fields |
| Severity | security_result.severity |
| sig_id | additional.fields |
| signature | security_result.threat_name |
| site | network.http.user_agent |
| smartdefense_profile | security_result.detection_fields |
| smartdefense_profile_TP_match_table | additional.fields (list) |
| sni | additional.fields |
| snid | network.session_id |
| Source | target.resource.attribute.labels |
| source_os | additional.fields |
| sourceAddress | principal.ip, principal.asset.ip |
| sourcePort | principal.port |
| sourceTranslatedAddress | principal.ip, principal.asset.ip, principal.nat_ip |
| sourceTranslatedPort | principal.port, principal.nat_port |
| sourceUserName | match => { "sourceUserName" => [ "%{DATA:firstname}( %{DATA:lastname})? \\\(%{DATA:userid}\\\)"]} |
| special_attack | additional.fields |
| spt | principal.port |
| sr_url | security_result.about.url |
| src | principal.ip, principal.hostname, principal.asset.ip, principal.asset.hostname |
| src_domain_name | principal.hostname, principal.asset.hostname |
| src_ip | principal.ip, principal.asset.ip |
| src_localhost | principal.hostname, principal.asset.hostname |
| src_machine_group | principal.resource.attribute.labels |
| src_machine_name | principal.user.email_addresses |
| src_port | principal.port |
| src_uo_icon | additional.fields |
| src_uo_name | principal.location.country_or_region |
| src_user | principal.user.userid |
| src_user_dn | principal.resource.attribute.labels |
| src_user_group | principal.resource.attribute.labels |
| src_user_name | principal.user.userid |
| srcBytes | additional.fields |
| srcip | additional.fields |
| srcPort | principal.port |
| srcPostNAT | principal.nat_ip |
| srcPostNATPort | principal.nat_port |
| Srcs | security_resultcstarget.resource.attribute.labels |
| srv_ip | target.ip |
| ssh_connection_stage | additional.fields |
| sshd_function | additional.fields |
| start_time | metadata.collected_timestamp |
| status | security_result.action_details, security_result.detection_fields, security_result.action |
| stormagentaction | additional.fields |
| stormagentname | additional.fields |
| sub_policy_name | security_result.detection_fields |
| sub_policy_uid | security_result.detection_fields |
| subject | metadata.description |
| subscription_description | additional.fields |
| subscription_stat | security_result.detection_fields |
| subscription_stat_desc | security_result.summary |
| subscription_status | security_result.detection_fields |
| suppressed_logs | security_result.detection_fields |
| svc | target.port |
| sys_message | additional.fields |
| syslog_date | additional.fields |
| syslog_facility_code | additional.fields |
| syslog_pri | additional.fields |
| system_alert_message | additional.fields |
| system_application | additional.fields |
| tags | security_result.detection_fields |
| tar_user | target.user.userid |
| tar_userid | target.user.userid |
| tar_username | target.user.user_display_name |
| target_port | target.port |
| tcp_flags | additional.fields |
| tcp_packet_out_of_state | security_result.detection_fields |
| te_verdict_determined_by | additional.fields |
| temp_duser | target.user.email_addresses |
| tid | security_result.detection_fields |
| time | metadata.event_timestamp |
| time_interval | additional.fields |
| tls_server_host_name | additional.fields |
| to | network.email.to, additional.fields |
| TP_match_table | additional.fields |
| Track | additional.fields |
| two-factor_authentication | security_result.detection_fields |
| type | security_result.rule_type |
| uid | additional.fields |
| UP_match_table | additional.fields |
| update_count | additional.fields |
| update_service | additional.fields |
| update_status | security_result.action, security_result.action_details |
| url | principal.url |
| url_count | additional.fields |
| user | principal.user.user_display_name |
| user_agent | network.http.user_agent, network.http.parsed_user_agent |
| usercheck_interaction_name | security_result.rule_name |
| userid | principal.user.userid |
| userip | principal.ip, principal.asset.ip |
| UUid | metadata.product_log_id |
| validation_log | additional.fields |
| vendor_list | security_result.detection_fields |
| vendor_name | metadata.vendor_name |
| verdict | security_result.verdict_info.verdict_response |
| version | metadata.product_version |
| version_ | additional.fields |
| via | additional.fields |
| voip_call_dir | additional.fields |
| voip_call_id | network.session_id |
| voip_call_state | additional.fields |
| voip_duration | additional.fields |
| voip_log_type | additional.fields |
| voip_media_ipp | additional.fields |
| voip_media_port | additional.fields |
| voip_method | additional.fields |
| voip_reason_info | additional.fields |
| voip_reg_ip | additional.fields |
| voip_reg_ipp | additional.fields |
| voip_reg_period | additional.fields |
| voip_reg_port | additional.fields |
| voip_reg_server | additional.fields |
| voip_reject_reason | additional.fields |
| VPN | additional.fields |
| vpn_feature_name | additional.fields |
| watermark | additional.fields |
| web_client_type | network.useragent |
| web_client_type.0 | network.http.user_agent, network.http.parsed_user_agent |
| xlatedport | target.nat_port |
| xlatedst | target.nat_ip |
| xlatesport | principal.nat_port |
| xlatesrc | principal.nat_ip |
Release delta
On March 1, 2026, Google SecOps released a new version of the Check Point firewall parser, which includes significant changes to the mapping of Parser_Name log fields to UDM fields and changes to the event type mapping.
Log field mapping delta
The following table lists the mapping delta for Check Point firewall log fields to UDM as exposed before and after March 1, 2026 (listed in the Previous mapping and Current mapping columns, respectively):
| Log field | Previous mapping | Current mapping |
|---|---|---|
| client_inbound_bytes | principal.resource.attribute_labels | principal.network.received_bytes |
| client_outbound_bytes | principal.resource.attribute_labels | principal.network.sent_bytes |
| lastupdatetime | additional.fields | security_result.last_updated_time |
| layer_names | security_result.detection_fields | additional.fields.list |
| layer_uuids | security_result.detection_fields, additional.fields | additional.fields.list |
| operation | security_result.detection_fields | additional.fields |
| originsicname | intermediary.labels | security_result.detection_fields |
| parent_rules | additional.fields | additional.fields.list |
| pid | additional.fields | principal.process.pid |
| scope | additional.fields | principal.ip (if it is an IP address), additional.fields (if it is not an IP address) |
| server_inbound_bytes | target.resource.attribute.labels, network.sent_bytes | network.sent_bytes |
| server_inbound_packets | target.resource.attribute.labels, network.sent_packets | network.sent_packets |
| server_outbound_bytes | target.resource.attribute.labels, network.received_bytes | network.received_bytes |
| server_outbound_packets | target.resource.attribute.labels, network.received_packets | network.received_packets |
| src_machine_name | additional.fields | principal.user.email_addresses |
| src_user_dn | security_result.detection_fields | principal.resource.attribute.labels |
| suppressed_logs | additional.fields | security_result.detection_fields |
| web_client_type | additional.fields | network.useragent |
Event type mapping delta
Several events that were previously classified generically are now classified correctly with meaningful event types.
The following table lists the delta in how Check Point firewall event types are handled before and after March 1, 2026 (listed in the Old event_type and Current event_type columns, respectively):
| Format | Event identifier from the log | Old event_type | Current event_type |
|---|---|---|---|
| SYSLOG+KV | The log contains sourceAddress and host | GENERIC_EVENT | NETWORK_CONNECTION |
| SYSLOG+JSON | The log contains sourceAddress and host | NETWORK_HTTP | NETWORK_CONNECTION |
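As an added illustration (not the Google SecOps parser and not code from this page), the mapper below applies a subset of the current mappings from the two delta tables above to a constructed key=value record: the IP-or-not rule for `scope`, the move of `layer_names`, `layer_uuids` and `parent_rules` to `additional.fields.list`, and the sourceAddress-plus-host rule that now yields NETWORK_CONNECTION. The GENERIC_EVENT fallback for other records and the sample field values are assumptions made for this example.

```python
import ipaddress

# Current (post-1 March 2026) destination of some remapped fields, copied from
# the delta table above. Illustrative mapper, not the Google SecOps parser.
CURRENT_MAPPING = {
    "client_inbound_bytes": "principal.network.received_bytes",
    "client_outbound_bytes": "principal.network.sent_bytes",
    "server_inbound_bytes": "network.sent_bytes",
    "server_outbound_bytes": "network.received_bytes",
    "pid": "principal.process.pid",
    "lastupdatetime": "security_result.last_updated_time",
    "suppressed_logs": "security_result.detection_fields",
    "web_client_type": "network.useragent",
}
# Fields that now land in additional.fields.list instead of a flat field.
LIST_FIELDS = {"layer_names", "layer_uuids", "parent_rules"}


def parse_kv(line: str) -> dict:
    """Parse a space- or semicolon-separated key=value line into a dict."""
    fields = {}
    for token in line.replace(";", " ").split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value.strip('"')
    return fields


def is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def to_udm(fields: dict) -> dict:
    """Map parsed fields to their current UDM paths and derive the event type."""
    udm = {"additional.fields": {}, "additional.fields.list": {}}
    for key, value in fields.items():
        if key == "scope" and is_ip(value):  # scope -> principal.ip only for an IP
            udm["principal.ip"] = value
        elif key in LIST_FIELDS:             # comma list -> additional.fields.list
            udm["additional.fields.list"][key] = value.split(",")
        elif key in CURRENT_MAPPING:
            udm[CURRENT_MAPPING[key]] = value
        else:                                # unmapped keys (and non-IP scope)
            udm["additional.fields"][key] = value
    # Delta-table rule: sourceAddress and host -> NETWORK_CONNECTION (fallback assumed).
    has_conn = "sourceAddress" in fields and "host" in fields
    udm["metadata.event_type"] = "NETWORK_CONNECTION" if has_conn else "GENERIC_EVENT"
    return udm
```

Detection rules that still read `pid` or `layer_names` from `additional.fields` will stop matching after the parser update; running a few representative records through a mapper like this shows which field paths need to be updated.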