Check Point CloudGuard

Integration version: 5.0

Use Cases

Ingest Check Point CloudGuard alerts and use them to create Google Security Operations SOAR alerts. Next, in Google Security Operations SOAR, alerts can be used to perform orchestrations with playbooks or manual analysis.

Product Permission

Basic Authentication with API Key ID and API Key Secret.

Configure Check Point CloudGuard integration in Google Security Operations SOAR

For detailed instructions on how to configure an integration in Google Security Operations SOAR, see Configure integrations.

Integration parameters

Use the following parameters to configure the integration:

Parameter Display Name Type Default Value Is Mandatory Description
Parameter Display Name Type Default Value Is Mandatory Description
Instance Name String N/A No Name of the Instance you intend to configure integration for.
Description String N/A No Description of the Instance.
API Key ID String N/A Yes API Key ID of the Check Point CloudGuard account.
API Key Secret Password N/A Yes API Key Secret of the Check Point CloudGuard account.
Verify SSL Checkbox Unchecked Yes If enabled, verifies that the SSL certificate for the connection to the CloudGuard server is valid.
Run Remotely Checkbox Unchecked No Check the field in order to run the configured integration remotely. Once checked, the option appears to select the remote user (agent).

Actions

Ping

Description

Test connectivity to Check Point CloudGuard with parameters provided at the integration configuration page in the Google Security Operations Marketplace tab.

Parameters

N/A

Run On

This action runs on all entities.

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
Case Wall
Result Type Value / Description Type
Output message*

The action should not fail nor stop a playbook execution:

If successful:
print "Successfully connected to the Check Point CloudGuard server with the provided connection parameters!"

The action should fail and stop a playbook execution:

If not successful:

print "Failed to connect to the Check Point CloudGuard server! Error is {0}".format(exception.stacktrace)

General

Connectors

Check Point CloudGuard - Alerts Connector

Description

Pull alerts from Check Point CloudGuard.

Configure Check Point CloudGuard - Alerts Connector in Google Security Operations SOAR

For detailed instructions on how to configure a connector in Google Security Operations SOAR, see Configuring the connector.

Connector parameters

Use the following parameters to configure the connector:

Parameter Display Name Type Default Value Is Mandatory Description
Product Field Name String Product Name Yes Enter the source field name in order to retrieve the Product Field name.
Event Field Name String alertType Yes Enter the source field name in order to retrieve the Event Field name.
Environment Field Name String "" No

Describes the name of the field where the environment name is stored.

If the environment field isn't found, the environment is the default environment.

Environment Regex Pattern String .* No

A regex pattern to run on the value found in the "Environment Field Name" field.

Default is .* to catch all and return the value unchanged.

Used to allow the user to manipulate the environment field via regex logic.

If the regex pattern is null or empty, or the environment value is null, the final environment result is the default environment.

Script Timeout (Seconds) Int 180 Yes Timeout limit for the python process running the current script.
API Key ID String N/A Yes API Key ID of the Check Point CloudGuard account.
API Key Secret Password N/A Yes API Key Secret of the Check Point CloudGuard account.
Lowest Severity To Fetch String Medium Yes

Lowest severity that will be used to fetch alerts.

Possible values:

Low

Medium

High

Fetch Max Hours Backwards Integer 1 No Amount of hours from where to fetch alerts.
Max Alerts To Fetch Integer 50 No How many alerts to process per one connector iteration.
Use whitelist as a blacklist Checkbox Unchecked Yes If enabled, whitelist will be used as a blacklist.
Verify SSL Checkbox Unchecked Yes If enabled, verify the SSL certificate for the connection to the Anomali Staxx server is valid.
Proxy Server Address String N/A No The address of the proxy server to use.
Proxy Username String N/A No The proxy username to authenticate with.
Proxy Password Password N/A No The proxy password to authenticate with.

Connector Rules

Proxy Support

The connector supports Proxy.