Network_Traffic Traffic_By_Action isn't showing allowed or deferred.
In the data model, here are the constraints:
(`cim_Network_Traffic_indexes`) tag=network tag=communicate
action=*
The CIM setup for Network Traffic includes the indexes: check_point network lb
There is an eventtype for check_point that has the search
index=check_point action=*
and it has the tags: communicate & network
When I search index=check_point action=* | dedup action | table action, I get the following:
action
allowed
blocked
deferred
dropped
But when I search |tstats count from datamodel=Network_Traffic by All_Traffic.action
I only get:
All_Traffic.action count
blocked 88
deferred 126
dropped 118
Does anyone have any idea as to why the actions allowed or deferred aren't showing up?
I've checked the macro cim_traffic_actions
& it has action
allowed
blocked
teardown
You may want to ensure that the tags.conf for checkpoint is also pointing to the eventtype you mention (check_point) for tag=network tag=communicate. As an example tags.conf:
[eventtype=check_point]
network = enabled
communicate = enabled
A quick litmus test would be to just run a search with something like:
tag=network OR tag=communicate | stats values(action) by sourcetype
In local/tags.conf both are enabled:
[eventtype=check_point_action]
communicate = enabled
network = enabled
Checked splunk cmd to confirm the tags are being used & they are:
Splunk_TA_checkpoint-opseclea]$ splunk cmd btool tags list --debug | grep 'Splunk_TA_checkpoint-opseclea' | egrep 'communicate|network' | sort | uniq
/opt/splunk/etc/apps/Splunk_TA_checkpoint-opseclea/local/tags.conf communicate = enabled
/opt/splunk/etc/apps/Splunk_TA_checkpoint-opseclea/local/tags.conf [eventtype=opsec_communicate]
/opt/splunk/etc/apps/Splunk_TA_checkpoint-opseclea/local/tags.conf network = enabled
Here is the output for tag=network OR tag=communicate action=* | stats values(action) by sourcetype:
sourcetype values(action)
linux_secure success
opendns:dnslogs
Allowed
Blocked
Proxied
opsec:anti_malware
blocked
deferred
opsec:anti_virus deferred
opsec:smartdefense
blocked
deferred
opsec:threat_emulation deferred
opsec:vpn
blocked
dropped
It's a bit hard to make out based on the formatting, but it looks to me like whatever sources or sourcetypes are in the eventtype search "opsec_communicate" is what's missing here. That said, it looks like your local overrides for the check_point_action eventtype should work, but in any case, if you can get tag=network OR tag=communicate to actually return results for action=allowed, that will fix the DM problem.
Ya, formatting is terrible, I can't upload a picture...
Here is another crack at it with the action values below the sourcetype:
sourcetype              values(action)
linux_secure            success
opendns:dnslogs         Allowed, Blocked, Proxied
opsec:anti_malware      blocked, deferred
opsec:anti_virus        deferred
opsec:smartdefense      blocked, deferred
opsec:threat_emulation  deferred
opsec:vpn               blocked, dropped
What values do you see for 'action' when you run |from datamodel:"Network_Traffic" | stats count by action ? Also, on your TA, check if there are any props/transforms for action. Also, generally, if it's possible to avoid using index= in eventtypes.conf, it's better, as you are already restricting the indexes for a data model via the CIM config.
For |from datamodel:"Network_Traffic" | stats count by action
here are the results:
action count
blocked 82
deferred 270
dropped 108
The TA is Splunk_TA_checkpoint-opseclea; there are no local transforms, and for props there is only this that deals with action:
FIELDALIAS-protocol_for_opsec = proto AS protocol
FIELDALIAS-opsec_action = te_action AS action vendor_action AS action
For default/props.conf here is everything with action:
Splunk_TA_checkpoint-opseclea]$ grep 'action' default/props.conf
REPORT-checkpoint_action_for_checkpoint = action_as_checkpoint_action
REPORT-action_as_threat_emulation_action = action_as_threat_emulation_action
FIELDALIAS-vendor_action = action as vendor_action
LOOKUP-action_for_opsec = checkpoint_opsec_action_lookup vendor_action OUTPUT action
REPORT-action_as_ips_action = action_as_threat_emulation_action
LOOKUP-action_for_av = te_action_lookup te_action OUTPUT action
REPORT-action_as_threat_emulation_action = action_as_threat_emulation_action
REPORT-opsec_vendor_action_field = opsec_vendor_action_field
FIELDALIAS-vendor_action = action as vendor_action
LOOKUP-action_for_opsec = checkpoint_opsec_action_lookup vendor_action OUTPUT action
REPORT-checkpoint_action_for_checkpoint = vendor_action_for_opsec
EVAL-look_up_key = case((Subject="File Operation"),"filesystem",(Operation="Create Object" OR Operation="Modify Object" OR Operation="Delete Object"),Operation,(Operation="Log In" OR Operation="Log Out" OR Operation="Force Log Out"),if(isnull(status),"Success",status),1==1,action)
LOOKUP-checkpoint_audit_action_lookup = checkpoint_audit_action_lookup look_up_key OUTPUT action,app
REPORT-action_as_threat_emulation_action = action_as_threat_emulation_action
FIELDALIAS-category_for_threat_emulation = malware_action as category
LOOKUP-action_for_te = te_action_lookup te_action OUTPUT action
REPORT-action_as_anti_bot_action = action_as_threat_emulation_action
LOOKUP-action_for_te = te_action_lookup te_action OUTPUT action
REPORT-action_as_anti_virus_action = action_as_threat_emulation_action
LOOKUP-action_for_av = te_action_lookup te_action OUTPUT action
I believe the TA is overriding the action and missing 'allowed'. You can comment out FIELDALIAS-opsec_action = te_action AS action vendor_action AS action and any other related ones and see which one is causing the issue.
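The last reply suggests commenting out the directives that write action one at a time. The script below is an added example for this thread, not code from the thread or from Splunk_TA_checkpoint-opseclea: it parses a props.conf, lists every directive that can set `action` in each stanza, and orders them by Splunk's documented search-time sequence (inline and transform extractions, then field aliases, then calculated fields, then lookups), so the last writer, the one to comment out first, is obvious before anything is touched on the search head. The props.conf it parses is constructed for the example: the directive lines mirror the grep output above, but the stanza names `[opsec]` and `[opsec:audit]` and the shortened EVAL expression are assumptions. Feed `parse_props` the text of the TA's default/props.conf and local/props.conf to run it against the real app.

```python
"""Rank the props.conf directives that can set a CIM field (here ``action``)
by Splunk's search-time precedence, per stanza. Added example for this thread,
not code from the thread or from Splunk_TA_checkpoint-opseclea."""
import re
from collections import OrderedDict

# Search-time operation order per the Splunk docs; a later class can overwrite a
# field set by an earlier one. Order of directives within one class is not modelled.
PRECEDENCE = ["EXTRACT", "REPORT", "FIELDALIAS", "EVAL", "LOOKUP"]

# Constructed props.conf: directives modelled on the thread's grep output, the
# stanza headers they sit under (and the shortened EVAL) are assumptions.
SAMPLE_PROPS = """
[opsec]
REPORT-opsec_vendor_action_field = opsec_vendor_action_field
FIELDALIAS-opsec_action = te_action AS action vendor_action AS action
LOOKUP-action_for_opsec = checkpoint_opsec_action_lookup vendor_action OUTPUT action
[opsec:audit]
EVAL-look_up_key = if(isnull(status), "Success", action)
LOOKUP-checkpoint_audit_action_lookup = checkpoint_audit_action_lookup look_up_key OUTPUT action,app
FIELDALIAS-vendor_action = action as vendor_action
"""


def parse_props(text):
    """{stanza: [(key, value), ...]} in file order; blank and comment lines skipped."""
    stanzas, current = OrderedDict(), None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, [])
        elif current is not None and "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            stanzas[current].append((key.strip(), value.strip()))
    return stanzas


def fieldalias_pairs(value):
    """'src AS dst src2 AS dst2' -> [(src, dst), (src2, dst2)]; AS is case-insensitive."""
    return re.findall(r"(\S+)\s+as\s+(\S+)", value, flags=re.I)


def lookup_outputs(value):
    """(mode, [fields]) of a LOOKUP- value; mode None means no OUTPUT clause at all."""
    m = re.search(r"\b(OUTPUTNEW|OUTPUT)\b\s*(.*)$", value, flags=re.I)
    if not m:
        return None, []
    toks = [t for t in re.split(r"[,\s]+", m.group(2)) if t]
    fields, i = [], 0
    while i < len(toks):                        # 'field AS alias' -> alias
        alias = i + 2 < len(toks) and toks[i + 1].lower() == "as"
        fields.append(toks[i + 2] if alias else toks[i])
        i += 3 if alias else 1
    return m.group(1).upper(), fields


def writers_of(stanzas, field):
    """Per stanza: (class, key, note) for each directive that writes or may write
    `field`, in precedence order, so the last entry is the value that survives."""
    result = OrderedDict()
    for stanza, kvs in stanzas.items():
        hits = []
        for key, value in kvs:
            kind, _, name = key.partition("-")
            kind = kind.upper()
            if kind in ("EXTRACT", "REPORT"):       # fields live in the regex / transforms.conf
                note = "may write: check its regex or transforms.conf stanza"
            elif kind == "FIELDALIAS":
                srcs = [s for s, d in fieldalias_pairs(value) if d == field]
                if not srcs:
                    continue
                note = "writes from " + ", ".join(srcs)
                if len(srcs) > 1:
                    note += " (several sources aliased onto one target)"
            elif kind == "EVAL":                    # EVAL-<field> names its target
                if name != field:
                    continue
                note = "writes (calculated field)"
            elif kind == "LOOKUP":
                mode, outs = lookup_outputs(value)
                if mode is None:
                    note = "may write: no OUTPUT clause, every lookup field is returned"
                elif field in outs:
                    note = "writes (OUTPUT overwrites)" if mode == "OUTPUT" else "fills only if unset (OUTPUTNEW)"
                else:
                    continue
            else:
                continue
            hits.append((PRECEDENCE.index(kind), kind, key, note))
        hits.sort(key=lambda h: h[0])               # stable: file order kept within a class
        if hits:
            result[stanza] = [h[1:] for h in hits]
    return result


def winner(stanzas, field):
    """Last directive to touch `field` in each stanza: the first one to comment out."""
    return OrderedDict((s, h[-1][1]) for s, h in writers_of(stanzas, field).items())


if __name__ == "__main__":
    props = parse_props(SAMPLE_PROPS)
    for stanza, hits in writers_of(props, "action").items():
        print("[%s] last writer: %s" % (stanza, winner(props, "action")[stanza]))
        for kind, key, note in hits:
            print("  %-10s %s: %s" % (kind, key, note))
```

Because field aliases run before lookups in the search-time sequence, the constructed [opsec] stanza reports LOOKUP-action_for_opsec (OUTPUT action) as the last writer, not the FIELDALIAS: whenever vendor_action matches a row in checkpoint_opsec_action_lookup, the CSV's value replaces whatever the alias produced. So alongside commenting out the alias, checking that the lookup CSV actually contains a row that maps the vendor's permit/accept value to allowed is a quick second test. The script only reads configuration and never contacts Splunk, so it is safe to run against a copy of the TA pulled from a production search head.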