Incident response with Checkpoint
by Karl Jaeger
First, the question as originally posted:
Hi
I have one QRadar system receiving logs from Check Point, but I need to do more for incident response. After QRadar creates an offense, can we send it to Check Point to build a policy to block the traffic?
For example, QRadar sees brute-force traffic from IP 192.168.1.1 and creates an offense. QRadar sends this offense to Check Point to block any traffic from source IP 192.168.1.1. Does this require any 3rd-party software? Is it possible to apply this case to an existing system?
Thanks in advance
------------------------------
MACs
------------------------------
RE: Incident response with Checkpoint
and here is my answer:
Thanks for your question. Yes, you can! This is one of our boot camp samples for shunning, using a custom action script for SAM rules inside Check Point.
The only problem is that you need to log in to your firewall first, which can only be done outside the QRadar script container.
The workaround for this problem is to store the IP addresses in a reference list and read the updated list with a second script via the REST API, scheduled once per minute from outside the script container in order to work around the jail.
Please refer to the attached PDF.
thank you
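The second, externally scheduled script described in the answer, as an added illustration (this is not the boot camp sample from the attached PDF and not code from IBM or Check Point): it reads the reference set through the QRadar REST API endpoint `/api/reference_data/sets/{name}`, keeps only values that parse as IP addresses, and builds `fw sam` argument lists for addresses that have not been shunned yet. The reference set name `BruteForce_Shun`, the host name, the timeout and the sample JSON body are assumptions constructed for the example; the live fetch is only exercised when the script is run with a real token.

```python
import ipaddress
import json
import subprocess
import urllib.request

# Assumed values: the reference set name and QRadar host are not from the original post.
QRADAR_HOST = "https://qradar.example.invalid"
REFERENCE_SET = "BruteForce_Shun"   # populated by the offense's custom action
SAM_TIMEOUT_SECONDS = 3600          # how long the SAM rule stays active on the gateway


def fetch_reference_set(host, token, name):
    """Live path: read the reference set via the QRadar REST API (SEC header auth).
    Not called in the offline demonstration below."""
    req = urllib.request.Request(
        f"{host}/api/reference_data/sets/{name}",
        headers={"SEC": token, "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode("utf-8")


def parse_reference_set(body):
    """Return the set of valid IP addresses in a reference set JSON body.
    Anything that does not parse as an IP is dropped, so reference set content
    can never be handed to a command line unvalidated."""
    doc = json.loads(body)
    ips = set()
    for item in doc.get("data", []):
        value = str(item.get("value", "")).strip()
        try:
            ips.add(str(ipaddress.ip_address(value)))
        except ValueError:
            continue
    return ips


def plan_sam_commands(current_ips, already_blocked, timeout=SAM_TIMEOUT_SECONDS):
    """Build one 'fw sam' argv list per address not yet shunned.
    -I inhibits (blocks) matching traffic, -t limits how long the rule lives."""
    cmds = []
    for ip in sorted(current_ips - already_blocked):
        cmds.append(["fw", "sam", "-v", "-t", str(timeout), "-I", "src", ip])
    return cmds


def apply_sam_commands(cmds, run=subprocess.run):
    """Execute the planned commands as argument lists (no shell involved)."""
    for cmd in cmds:
        run(cmd, check=True)


# Constructed sample of what the reference set endpoint returns; the bogus entry
# shows that non-IP values are filtered out before anything is executed.
SAMPLE_BODY = json.dumps({
    "name": REFERENCE_SET,
    "element_type": "IP",
    "data": [
        {"value": "192.168.1.1", "source": "offense 42"},
        {"value": "10.0.0.7", "source": "offense 43"},
        {"value": "bogus-entry", "source": "manual"},
    ],
})


def demo(already_blocked=frozenset({"10.0.0.7"})):
    """Offline run of one scheduler tick against the constructed sample."""
    ips = parse_reference_set(SAMPLE_BODY)
    return plan_sam_commands(ips, set(already_blocked))


if __name__ == "__main__":
    for cmd in demo():
        print(" ".join(cmd))
```

Run the script once per minute from cron on a host where `fw sam` is available and where the QRadar API token is stored in a protected environment variable; persisting the set of already-shunned addresses between runs (a small state file) keeps the script from re-issuing the same SAM rule on every tick.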
Oh yes, and of course MAC said thanks :-)
Hi Karl,
Thanks for the response and for showing me an example. It's very useful!
------------------------------
MAC starter
------------------------------