Check Point

The IBM Security QRadar Check Point Custom Properties content extension adds new custom event properties for Check Point.

Important: To avoid content errors in this content extension, keep the associated DSMs up to date. DSMs are updated as part of the QRadar automatic updates. If automatic updates are not enabled, download the most recent version of the associated DSMs from IBM® Fix Central (https://www.ibm.com/support/fixcentral).

IBM Security QRadar Check Point Content Extensions

IBM Security QRadar Check Point Content Extension V1.1.0

The following table shows the custom properties that are new or updated in IBM Security QRadar Check Point Content Extension V1.1.0. Optimized properties are extracted when the event is received, so they can be used in rules and indexed searches; properties that are not optimized are extracted at search time. For regex-based properties, Capture Group is the regex group whose match becomes the property value; the LEEF expression column names the LEEF attribute key that the property reads.

Table 1. New or updated Custom Properties in IBM Security QRadar Check Point Content Extension V1.1.0

Name                  | Optimized | Capture Group | LEEF expression
----------------------|-----------|---------------|-----------------
Bytes                 | No        | 1             | bytes
BytesReceived         | Yes       | 1             | dstBytes
BytesSent             | Yes       | 1             | srcBytes
CVE ID                | Yes       | 1             | cve
Destination Host Name | Yes       | 1             | dst_machine_name
Message               | No        | 1             | attack_info
Policy Name           | Yes       | 1             | policyName
Product               | Yes       | 1             | product
Rule ID               | No        | 1             | rule_uid
                      |           |               | app_rule_id
Rule Name             | Yes       | 1             | rule_name
                      |           |               | app_rule_name
Source Host Name      | Yes       | 1             | src_machine_name
Source OS             | No        | 1             | source_os
URL                   | Yes       | 1             | url
Violation Signatures  | No        | 1             | signature

IBM Security QRadar Check Point Content Extension V1.0.2

The Product custom property was assigned a new ID. Delete any existing Product custom properties before you upgrade to V1.0.2.

The following table shows the custom properties that were updated in IBM Security QRadar Check Point Content Extension V1.0.2.

Table 2. Changed Custom Properties in IBM Security QRadar Check Point Content Extension V1.0.2

Name             | Optimized | Capture Group | Regex
-----------------|-----------|---------------|------------------------------
CVE ID           | Yes       | 1             | Industry Reference:\s(\S+);
Policy Name      | Yes       | 1             | policy_name=(\S+)];
Product          | Yes       | 1             | product\s*:\s*(.*?);
Rule ID          | No        | 1             | rule_uid:\s*\{([\w-]+)\}
Rule Name        | Yes       | 1             | rule_name:\s*(\S+);
Source Host Name | Yes       | 1             | src_machine_name:\s(\S+);
Threat Family    | No        | 1             | malware_family:\s*(.*?);

IBM Security QRadar Check Point Content Extension V1.0.1

The following table shows the custom properties that were updated in IBM Security QRadar Check Point Content Extension V1.0.1.

Table 3. Changed Custom Properties in IBM Security QRadar Check Point Content Extension V1.0.1

Name | Optimized | Capture Group | Regex
-----|-----------|---------------|-----------------------------------------
URL  | Yes       | 1             | Destination DNS Hostname\s*:\s*(\S+);:
     |           |               | resource:\s*(\S+);

IBM Security QRadar Check Point Content Extension V1.0.0

The following table shows the custom properties that were updated in IBM Security QRadar Check Point Content Extension V1.0.0.

Table 4. Changed Custom Properties in IBM Security QRadar Check Point Content Extension V1.0.0

Name      | Optimized | Capture Group | Regex
----------|-----------|---------------|-----------------------------------------
Product   | No        | 1             | product\s*:\s*(.*);\s+src
Source OS | No        | 1             | Source OS\s*:\s*(\S+);
URL       | No        | 1             | Destination DNS Hostname\s*:\s*(\S+);:
          |           |               | resource:\s*(\S+);
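The following Python script is an added example; it is not part of this IBM documentation or of the content extension itself. It applies the Table 1 LEEF keys and the Table 2 regular expressions to two constructed sample events (invented for this example, not captured Check Point output) so that you can see which value capture group 1 returns for each property before you rely on it in a rule or search, and it contrasts the V1.0.2 Product regex with the V1.0.0 one from Table 4. QRadar compiles custom property regexes as Java regular expressions; the expressions in these tables use only constructs that behave the same way in Python's re module.

```python
import re

# --- Constructed sample events (not real Check Point output) ------------------
# A LEEF 1.0 event shaped the way the Table 1 keys expect: header fields
# separated by "|", attributes separated by tabs.
LEEF_EVENT = (
    "LEEF:1.0|Check Point|SmartDefense|1.0|Detect|"
    "src=10.0.0.5\tdst=192.0.2.10\tsrcBytes=1400\tdstBytes=5200\tbytes=6600\t"
    "cve=CVE-2017-5638\tdst_machine_name=web01\t"
    "attack_info=Struts2 Content-Type OGNL injection\tpolicyName=Standard\t"
    "product=SmartDefense\tapp_rule_id={4d3b5c2a-1111-2222-3333-444455556666}\t"
    "app_rule_name=Block_Web_Exploits\tsrc_machine_name=attacker-vm\t"
    "source_os=Linux\turl=http://192.0.2.10/struts2-showcase/\tsignature=Struts2_OGNL"
)

# A legacy free-text event carrying the "key: value;" fields that the Table 2
# regexes look for (also constructed).
LEGACY_EVENT = (
    "Industry Reference: CVE-2017-5638; policy_name=Standard]; product: SmartDefense; "
    "rule_uid: {4d3b5c2a-1111-2222-3333-444455556666}; rule_name: Block_Web_Exploits; "
    "src_machine_name: attacker-vm; malware_family: Generic.Exploit; src: 10.0.0.5;"
)

# Table 1: property name -> LEEF key(s). Where the table lists two keys
# (Rule ID, Rule Name) either one may carry the value, so both are tried in order.
LEEF_PROPERTIES = {
    "Bytes": ["bytes"],
    "BytesReceived": ["dstBytes"],
    "BytesSent": ["srcBytes"],
    "CVE ID": ["cve"],
    "Destination Host Name": ["dst_machine_name"],
    "Message": ["attack_info"],
    "Policy Name": ["policyName"],
    "Product": ["product"],
    "Rule ID": ["rule_uid", "app_rule_id"],
    "Rule Name": ["rule_name", "app_rule_name"],
    "Source Host Name": ["src_machine_name"],
    "Source OS": ["source_os"],
    "URL": ["url"],
    "Violation Signatures": ["signature"],
}

# Table 2: property name -> regex; capture group 1 holds the value.
REGEX_PROPERTIES_V102 = {
    "CVE ID": r"Industry Reference:\s(\S+);",
    "Policy Name": r"policy_name=(\S+)];",
    "Product": r"product\s*:\s*(.*?);",
    "Rule ID": r"rule_uid:\s*\{([\w-]+)\}",
    "Rule Name": r"rule_name:\s*(\S+);",
    "Source Host Name": r"src_machine_name:\s(\S+);",
    "Threat Family": r"malware_family:\s*(.*?);",
}

# The V1.0.0 Product regex from Table 4, kept only to contrast with V1.0.2.
PRODUCT_REGEX_V100 = r"product\s*:\s*(.*);\s+src"


def parse_leef(event):
    """Return the tab-separated key=value attributes of a LEEF 1.0 event."""
    parts = event.split("|", 5)
    if len(parts) != 6 or not parts[0].startswith("LEEF:"):
        raise ValueError("not a LEEF 1.0 event")
    attributes = {}
    for pair in parts[5].split("\t"):
        key, sep, value = pair.partition("=")
        if sep:  # skip malformed attributes that have no "="
            attributes[key] = value
    return attributes


def extract_leef_properties(event, properties=LEEF_PROPERTIES):
    """Resolve each custom property to the first of its LEEF keys that is present."""
    attributes = parse_leef(event)
    values = {}
    for name, keys in properties.items():
        for key in keys:
            if key in attributes:
                values[name] = attributes[key]
                break
    return values


def first_capture(pattern, event):
    """Capture group 1 of the first match, or None when the regex does not match."""
    match = re.search(pattern, event)
    return match.group(1) if match else None


def extract_regex_properties(event, properties=REGEX_PROPERTIES_V102):
    """Apply every Table 2 regex and keep only the properties that matched."""
    values = {name: first_capture(p, event) for name, p in properties.items()}
    return {name: v for name, v in values.items() if v is not None}


if __name__ == "__main__":
    for name, value in extract_leef_properties(LEEF_EVENT).items():
        print(f"LEEF  {name:22} {value}")
    for name, value in extract_regex_properties(LEGACY_EVENT).items():
        print(f"regex {name:22} {value}")
    # Greedy (.*) in the V1.0.0 regex runs to the LAST "; src" in the event and
    # swallows several fields; the lazy (.*?) in V1.0.2 stops at the first ";".
    print("V1.0.0 Product:", first_capture(PRODUCT_REGEX_V100, LEGACY_EVENT))
    print("V1.0.2 Product:", first_capture(REGEX_PROPERTIES_V102["Product"], LEGACY_EVENT))
```

Run it against a few real events from your own log source before enabling a property in a rule: a regex that matches on the sample above but not on your events silently yields an empty property, and an over-greedy one (as the V1.0.0 Product contrast shows) yields a value that is several fields long.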