Configuring QRadar® to receive LEEF events from Check Point

By default, Check Point LEEF events are mapped to the legacy OPSEC LEA event-mapping schema. If you want to change the way that IBM QRadar maps events, you can use the DSM Editor to disable legacy event mapping.

Procedure

  1. Click the Admin tab.
  2. In the Data Sources section, click DSM Editor.
  3. From the Select Log Source Type window, select Check Point from the list, and click Select.
  4. On the Configuration tab, set Display DSM Parameters Configuration to on.
  5. From the Event Collector list, select the event collector for the log source.
  6. Set Disable legacy event mapping to on.
  7. Set Enable SmartDefense Signature Event IDs to on.
    The value in the signature field is then used as the event ID for SmartDefense events. By default, Check Point SmartDefense events are parsed by using the value in the attack field.
  8. Click Save, and then close the DSM Editor.
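To show what the field choice in step 7 means for an incoming event, the following Python example (added here; it is not IBM's or Check Point's code) parses a LEEF header and its key=value payload and selects either the attack or the signature attribute as the SmartDefense event ID. The sample event, its values, and the `EXAMPLE-SIG-0001` identifier are constructed; only the attack and signature field names come from the procedure above.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed sample (not a real Check Point capture): only the 'attack' and
# 'signature' attribute names come from the documented DSM setting.
SAMPLE_EVENT = (
    "LEEF:2.0|Check Point|SmartDefense|1.0|Log|0x09|"
    "src=10.0.0.5\tdst=10.0.0.9\tproto=6\t"
    "attack=Example IPS protection name\tsignature=EXAMPLE-SIG-0001\tseverity=3"
)


@dataclass
class LeefEvent:
    version: str
    vendor: str
    product: str
    product_version: str
    event_id: str
    attributes: dict[str, str] = field(default_factory=dict)


def _decode_delimiter(spec: str) -> str:
    """LEEF 2.0 names its payload delimiter as hex ('0x09') or a literal
    character; an empty field, and all of LEEF 1.0, means tab."""
    if not spec:
        return "\t"
    return chr(int(spec, 16)) if spec.lower().startswith("0x") else spec


def parse_leef(line: str) -> LeefEvent:
    """Split the pipe-delimited header, then the key=value payload."""
    version, vendor, product, prod_ver, event_id, tail = line.split("|", 5)
    delim_spec, payload = "", tail
    if version == "LEEF:2.0":  # sixth header field names the delimiter
        delim_spec, _, payload = tail.partition("|")
    attrs: dict[str, str] = {}
    for pair in payload.split(_decode_delimiter(delim_spec)):
        key, sep, value = pair.partition("=")
        if sep:  # ignore fragments without '=' (e.g. trailing whitespace)
            attrs[key.strip()] = value
    return LeefEvent(version, vendor, product, prod_ver, event_id, attrs)


def smartdefense_event_id(event: LeefEvent, signature_ids: bool) -> str | None:
    """Field QRadar parses as the SmartDefense event ID: 'attack' by default,
    'signature' once 'Enable SmartDefense Signature Event IDs' is on."""
    return event.attributes.get("signature" if signature_ids else "attack")
```

With the setting off, the parsed event ID is the protection name in the attack field; with it on, the same event yields the signature value instead, so existing custom rules keyed on the old ID need to be revisited after the switch.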