Incident response with Checkpoint


First, the question in the original

I have one QRadar system receiving logs from Checkpoint, but I need to do more about incident response. After QRadar creates an offense, can we send it to Checkpoint to build a policy to block the traffic?

For example, QRadar sees brute-force traffic from an IP and creates one offense. QRadar sends this offense to Checkpoint to block any traffic from the source IP. Does this require any 3rd-party software? Is it possible to apply this case on an existing system?

Thanks in advance


RE: Incident response with Checkpoint

and here is my answer

thx for your question. Yes you can! This is one of our boot camp samples for shunning using a custom action script for SAM rules inside Checkpoint.
The only problem is that you need to log in to your firewall first, which can only be done outside the QRadar script container.
The workaround for this problem is to store the IP addresses inside a reference list and read the updated list using a 2nd script with the REST API, scheduled once per minute from outside the script container in order to work around the jail.
Pls refer to the PDF attached


thank you
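The second, externally scheduled script from the answer, as an added example that is not part of the original post or of the boot camp material: it reads the reference set over the QRadar REST API, diffs it against the IPs already shunned, and issues one `fw sam` inhibit rule per new source IP. Console URL, token, set name and the SAM timeout are assumptions, the API response is a constructed sample, and the `fw sam` options should be checked against the gateway's own documentation.

```python
import ipaddress
import json
import subprocess
import urllib.request

# Assumptions, not taken from the post: console URL, authorized-service token, set name, SAM timeout.
QRADAR_URL = "https://qradar.example.invalid"
SEC_TOKEN = "REPLACE-WITH-AUTHORIZED-SERVICE-TOKEN"
REF_SET = "Shun_Candidates"   # reference set the QRadar custom action appends offense source IPs to
SAM_TIMEOUT = 3600            # seconds the Check Point SAM rule stays active before expiring by itself

# Constructed sample of a GET /api/reference_data/sets/{name} body, so the dry run works offline.
SAMPLE_RESPONSE = {"name": REF_SET, "element_type": "IP", "data": [
    {"value": "198.51.100.7"}, {"value": "not an ip"}, {"value": " 203.0.113.9 "}]}


def fetch_reference_set(name):
    """Read the reference set from the QRadar REST API (this runs outside the script container)."""
    req = urllib.request.Request(f"{QRADAR_URL}/api/reference_data/sets/{name}",
                                 headers={"SEC": SEC_TOKEN, "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def extract_ips(ref_set_json):
    """Keep only syntactically valid IP addresses so one bad value cannot break the shun loop."""
    ips = set()
    for entry in ref_set_json.get("data", []):
        try:
            ips.add(str(ipaddress.ip_address(str(entry.get("value", "")).strip())))
        except ValueError:
            continue
    return ips


def sam_commands(new_ips, timeout=SAM_TIMEOUT):
    """One 'fw sam' inhibit rule per new source IP; -t makes the block expire without manual cleanup."""
    return [["fw", "sam", "-t", str(timeout), "-I", "src", ip] for ip in sorted(new_ips)]


def shun_cycle(ref_set_json, already_blocked, run=subprocess.run):
    """One scheduled pass: block only IPs not blocked yet, remember them, return the new ones.
    Pass run= to execute on the gateway (e.g. wrapping the command in ssh) or to dry-run."""
    new_ips = extract_ips(ref_set_json) - already_blocked
    for cmd in sam_commands(new_ips):
        run(cmd, check=True)
    already_blocked.update(new_ips)
    return new_ips


if __name__ == "__main__":
    # Dry run on the constructed sample; in production use fetch_reference_set(REF_SET) and the default run.
    shun_cycle(SAMPLE_RESPONSE, set(), run=lambda cmd, check: print(" ".join(cmd)))
```

Because the script remembers what it has already blocked, running it once per minute only produces commands for IPs that were newly added to the reference set since the previous pass.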

Oh yes, and of course MAC said thanks :-)

Hi Karl,
Thanks for the response and for showing me an example. It's very useful!

MAC starter