Check Point administrators, rejoice: Splunk Add-on for OPSEC LEA 2.1.0 has been released! The free update brings useful improvements to almost every aspect of the add-on.
User Interface
The old OPSEC interface has been completely overhauled and streamlined. The interface is no longer stuck in the past and should look right at home on your Splunk 6 search heads.
The manage connections page now offers a much more powerful overview of your Check Point connections. As you can see on the screenshot, every connection has a set of metrics available. These differ based upon the connection type. An audit connection displays the timestamp of the last event collected. A normal connection displays throughput over the last 24 hours and the last 15 minutes. Simply clicking on a table row will display these metrics. These searches also employ accelerated data models, so they’re quite fast. We hope these metrics will save you from constantly running searches for more information about your connections.
There are additional improvements for larger Check Point deployments. Have a hundred connections? That’s unfortunate, but connection name filtering is here to help! A quick search in the filter bar can whittle down the number of connections. Pagination helps keep the list of connections readable, only displaying twenty connections at a time. Finally, most of the columns can be sorted. This is particularly helpful when you need to group your connections by connection type.
With the old add-on, it was very time consuming to create a connection to a dedicated log server. As you may know, Check Point log servers don’t have a certificate authority. Dealing with this required an ugly workaround to pull the certificate from the MDS. We’re very happy to say that the new workflow fixes this problem! With the new version, the MDS can be specified directly in the pull cert workflow. Pulling a cert will also no longer lock your browser with a synchronous AJAX request!
Performance
Connections now support online (real-time) mode. This helps decrease latency, since events are pulled as soon as they are available instead of on the add-on's usual polling cycle, which waits 30 seconds between trips to the Check Point server. Note, however, that connections that are already completely saturated will probably not gain much from it. Try experimenting with this feature to see whether it actually improves performance for your connections.
The new version is available at http://apps.splunk.com/app/1454/ and is completely free! I would like to thank Caleb, Alex, Cary and Roussi and the rest of the team for all the hard work they put into this new release. Happy Splunking!
----------------------------------------------------
Thanks!
Ian Link