Initializing rule counting for Check Point
When trust is established and the policies are updated, you can view rule counting in IBM QRadar. Complete the final configurations in QRadar and Check Point to tie the configurations together so that you can use rule counting in QRadar.
Before you begin
Before the rule event count can increase, the following prerequisites must be met:
- Make sure that a custom event property (CEP) for an existing Policy Name is created for the Check Point log source. Configure either a LEEF Key or a RegEx, depending on how the value is extracted. The event category of the property must match the category that your event payload falls into, for example Firewall Permit or Firewall Deny.
- Make sure that your event payload contains the field that the custom event property configured in the first point parses and extracts. Note: The extracted value must match your topology IDs for the rule event count to increase.
- To optimize performance, the rule event count is updated only after the event queue reaches a configurable size; in the current case, that size is 1000.
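The three prerequisites above, modelled in code as an added example; this is not IBM's or Check Point's code and does not call any QRadar API. It assumes a constructed set of Check Point LEEF-style payloads, an assumed attribute key policy_name that stands in for whatever key carries the Policy Name in your deployment, constructed topology IDs, and the two event categories named above. It shows both CEP extraction styles (LEEF Key and RegEx), the topology-ID match, and why counts stay at zero until the event queue reaches its configured size.

```python
import re
from collections import Counter

# Constructed Check Point LEEF-style payloads for illustration only (not real log data).
# "policy_name" is an assumed attribute key, not a documented Check Point field.
SAMPLE_EVENTS = [
    "LEEF:2.0|Check Point|Firewall|1.0|Accept|cat=Firewall Permit\tsrc=10.0.0.5\tdst=192.0.2.10\tpolicy_name=Standard_Policy",
    "LEEF:2.0|Check Point|Firewall|1.0|Drop|cat=Firewall Deny\tsrc=10.0.0.7\tdst=192.0.2.20\tpolicy_name=Standard_Policy",
    "LEEF:2.0|Check Point|Firewall|1.0|Accept|cat=Firewall Permit\tsrc=10.0.0.9\tdst=192.0.2.30\tpolicy_name=Legacy_Policy",
    "LEEF:2.0|Check Point|Firewall|1.0|Accept|cat=Firewall Permit\tsrc=10.0.0.11\tdst=192.0.2.40",
    "LEEF:2.0|Check Point|Firewall|1.0|Log|cat=Audit\tsrc=10.0.0.13\tpolicy_name=Standard_Policy",
    "LEEF:2.0|Check Point|Firewall|1.0|Accept|cat=Firewall Permit\tsrc=10.0.0.15\tdst=192.0.2.50\tpolicy_name=DMZ_Policy",
]

# Constructed topology identifiers: the policy names the topology knows for this device.
TOPOLOGY_IDS = {"Standard_Policy", "DMZ_Policy"}

# Event categories the custom event property is configured for (from the prerequisites).
CEP_CATEGORIES = {"Firewall Permit", "Firewall Deny"}


def leef_attributes(payload):
    """Split a LEEF payload into its tab-separated key=value attributes."""
    parts = payload.split("|", 5)
    if len(parts) < 6 or not parts[0].startswith("LEEF:"):
        return {}
    attrs = {}
    for field in parts[5].split("\t"):
        key, sep, value = field.partition("=")
        if sep:
            attrs[key] = value
    return attrs


def extract_by_leef_key(payload, key="policy_name"):
    """CEP configured with a LEEF Key: look the value up by attribute name."""
    return leef_attributes(payload).get(key)


# Regex a CEP configured with RegEx might use; group 1 is the extracted value.
POLICY_NAME_RE = re.compile(r"(?:^|\t)policy_name=([^\t]+)")


def extract_by_regex(payload, pattern=POLICY_NAME_RE):
    """CEP configured with a RegEx: capture group 1 holds the Policy Name."""
    match = pattern.search(payload)
    return match.group(1) if match else None


class RuleCounter:
    """Buffers matched events and commits counts only when the queue reaches queue_size."""

    def __init__(self, topology_ids, categories, queue_size=1000, extractor=extract_by_leef_key):
        self.topology_ids = set(topology_ids)
        self.categories = set(categories)
        self.queue_size = queue_size   # 1000 in the documented configuration
        self.extractor = extractor
        self.queue = []
        self.counts = Counter()
        self.flushes = 0

    def ingest(self, payload):
        """Apply the three prerequisites to one event and report why it did or did not count."""
        attrs = leef_attributes(payload)
        if attrs.get("cat") not in self.categories:
            return "skipped_category"        # CEP category does not cover this event
        policy = self.extractor(payload)
        if policy is None:
            return "not_extracted"           # payload lacks the field the CEP parses
        if policy not in self.topology_ids:
            return "no_topology_match"       # extracted value is not a known topology ID
        self.queue.append(policy)
        if len(self.queue) >= self.queue_size:
            self.flush()
        return "queued"

    def flush(self):
        """Commit the buffered events to the per-policy counts."""
        self.counts.update(self.queue)
        self.queue.clear()
        self.flushes += 1


def run_demo(queue_size=2):
    """Run the sample events through a counter with a small queue so the flush is visible."""
    counter = RuleCounter(TOPOLOGY_IDS, CEP_CATEGORIES, queue_size=queue_size)
    outcomes = [counter.ingest(event) for event in SAMPLE_EVENTS]
    pending = len(counter.queue)     # events matched but not yet counted
    counter.flush()
    return outcomes, dict(counter.counts), pending, counter.flushes
```

With the documented queue size of 1000, the six sample events all stay buffered and no count changes, which is the behaviour to expect when checking counts shortly after enabling the feature; the demo uses a queue size of 2 only so that a flush occurs within the sample.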
About this task
QRadar Risk Manager needs approximately 1 hour to process counts.