Firewall Detection Rules

I have a use case where I need to collect logs from a firewall (Check Point), so I did that, but now the thing is I want to enable detection rules (as we are running dummy attacks) for the firewall (like we can do for Windows or Linux), but there is no option, and even if I search it gives me rules for Fortinet.

I want generic firewall rules or, if not possible, rules related to Check Point.

  1. I also tried the git, but it has the same rules, no sorting for firewall.
  2. Even if we search "firewall" in the rules it gives me around 14-15 rules, some of which are Windows Firewall, Fortinet, GCP.
  3. Tried to use Elastic Defend; that is also not working.

The last thing I can do is maybe use automigration to migrate rules from Splunk (but for that also I should have the AI in place).

So if anybody has any workarounds, please help!! And also if there is no other way, let me know so I start working on migration only.

@jatin3101 thanks for reaching out! Firewall rules fall under our network rules, which can be found here: detection-rules/rules/network at main · elastic/detection-rules · GitHub. We are in the process of standardizing the tags for the different rules, e.g. is this applicable to network, which could include network sensors vs. a firewall or both; some network is also specific to endpoints, etc., so using tags may lead to some nuanced results currently that are unclear.

For the Check Point firewall, we do not have specific rules for this firewall; however, there are a number of ECS fields (source.ip, source.port, etc.) that are applicable to more generic rules.

For the data ingestion from Check Point are you using our Check Point Integration or shipping the logs in through a different way?

Also, for when you were using Elastic Defend, did you also use the Network Packet Capture Integration? Many of our network rules require using this integration with Elastic Defend in order to parse the network protocols. This integration does not require installing anything additional on the host, it is generally a configuration of Defend.

We may find that the rules simply are not looking at firewall specific indices, and if this is the case, we can make a quick update to the rules that should resolve the issue.

Thanks again!

I just wanted to add that although generic rules are definitely fine in most use cases, it's often also required to have vendor/product-specific rules. In the case of the Check Point firewall, for example, there are interesting alerts with a nice description in the field checkpoint.attack.

Only relying on the built-in generic rules is often not sufficient, imho.
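To make the two points above concrete (generic rules on ECS fields vs. a vendor-specific rule on checkpoint.attack), here is an added example, not part of this thread and not code from Elastic's detection-rules repository: a small Python script that runs both kinds of logic over constructed Check Point events in ECS shape. The destination.port field and every sample value are assumptions for the example; checkpoint.attack, source.ip and source.port are the fields named in the thread.

```python
from collections import defaultdict

# Constructed sample events in the ECS shape the Check Point integration emits
# (flattened dotted field names; every value here is made up for this example).
SAMPLE_EVENTS = [
    {"source.ip": "203.0.113.7", "source.port": 40211, "destination.ip": "10.0.0.20",
     "destination.port": 22, "checkpoint.attack": "Constructed: port scan"},
    {"source.ip": "203.0.113.7", "source.port": 40212, "destination.ip": "10.0.0.20",
     "destination.port": 80, "checkpoint.attack": "Constructed: port scan"},
    {"source.ip": "203.0.113.7", "source.port": 40213, "destination.ip": "10.0.0.20",
     "destination.port": 443, "checkpoint.attack": "Constructed: port scan"},
    {"source.ip": "203.0.113.7", "source.port": 40214, "destination.ip": "10.0.0.20",
     "destination.port": 3389},  # firewall did not flag this one
    {"source.ip": "198.51.100.9", "source.port": 51000, "destination.ip": "10.0.0.20",
     "destination.port": 443, "checkpoint.attack": "Constructed: malformed packet"},
    {"source.ip": "192.0.2.44", "source.port": 52000, "destination.ip": "10.0.0.22",
     "destination.port": 443},  # benign traffic
]


def vendor_specific_hits(events):
    """Vendor-specific rule: fire on every event where the firewall itself
    populated checkpoint.attack. Kibana KQL equivalent: checkpoint.attack : *"""
    return [e for e in events if e.get("checkpoint.attack")]


def generic_port_sweep(events, min_ports=3):
    """Generic rule using only ECS fields: a source.ip that touched at least
    min_ports distinct destination.port values on one destination.ip.
    Returns {(source.ip, destination.ip): sorted ports} for pairs that match."""
    ports = defaultdict(set)
    for e in events:
        ports[(e["source.ip"], e["destination.ip"])].add(e["destination.port"])
    return {k: sorted(v) for k, v in ports.items() if len(v) >= min_ports}


def attacks_by_description(events):
    """Group vendor alerts by the checkpoint.attack description so an analyst
    sees which sources triggered which firewall-side detection."""
    by_desc = defaultdict(set)
    for e in vendor_specific_hits(events):
        by_desc[e["checkpoint.attack"]].add(e["source.ip"])
    return {desc: sorted(ips) for desc, ips in by_desc.items()}


if __name__ == "__main__":
    print(len(vendor_specific_hits(SAMPLE_EVENTS)), "vendor alerts")
    print(generic_port_sweep(SAMPLE_EVENTS))
    print(attacks_by_description(SAMPLE_EVENTS))
```

Note that the generic sweep also counts the fourth event, which the firewall did not flag, while the vendor rule surfaces the malformed-packet alert that no port-count logic would see; the two complement rather than replace each other.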