Check Point SandBlast

Integration version: 5.0

Configure Check Point SandBlast integration in Google Security Operations SOAR

For detailed instructions on how to configure an integration in Google Security Operations SOAR, see Configure integrations.

Integration parameters

Use the following parameters to configure the integration:

Parameter Display Name Type Default Value Is Mandatory Description
Instance Name String N/A No Name of the Instance you intend to configure integration for.
Description String N/A No Description of the Instance.
API Root String https://<service_address>/tecloud/ api/<version>/file Yes Specify the Check Point SandBlast Api root URl.
API Key Password N/A Yes Specify the Check Point SandBlast API key.
Verify SSL Checkbox Checked No If enabled, verifies that the SSL certificate for the connection to the Check Point SandBlast server is valid.
Run Remotely Checkbox Unchecked No Check the field in order to run the configured integration remotely. Once checked, the option appears to select the remote user (agent).

Actions

Ping

Description

Test connectivity to the Check Point SandBlast with parameters provided at the integration configuration page in the Google Security Operations Marketplace tab.

Parameters

N/A

Use Cases

Test connectivity to the target system with parameters configured for Integration from the Google Security Operations SOAR server.

Run On

The action doesn't run on entities, nor has mandatory input parameters.

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
Case Wall
Result Type Value / Description Type
Output message*

The action should not fail nor stop a playbook execution:

If successful: "Successfully connected to the Check Point SandBlast server with the provided connection parameters!"

The action should fail and stop a playbook execution:

If a critical error, like wrong credentials or lost connectivity is reported: "Failed to connect to the SandBlast server! Error is {}".format(e)

General

Query

Description

Get threat reputation information about FILEHASH entities.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Threshold String 0 Yes Mark entity as suspicious if severity is equal or above the given threshold.

Run On

This action runs on the Filehash entity.

Action Results

Entity Enrichment

Entities are marked as suspicious if:

  1. Threat Emulation combined verdict equals malicious.
  2. AV severity is greater than or equal to threshold (in the JSON: av.malware_info.severity).
Enrichment Field Name Logic
SandBlast_av_block Returns if it exists in JSON
SandBlast_av_signature_name Returns if it exists in JSON
SandBlast_av_severity Returns if it exists in JSON
SandBlast_av_confidence Returns if it exists in JSON
SandBlast_te_combined_verdict Returns if it exists in JSON
SandBlast_te_severity Returns if it exists in JSON
SandBlast_te_confidence Returns if it exists in JSON
Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON Result
[
    {
        "Entity": "8a2f57269b2f47b4e8f2e122e424754b",
        "EntityResult": {
        "status": {
            "code": 1006,
            "label": "PARTIALLY_FOUND",
            "message": "The request cannot be fully answered at this time."
        },
        "md5": "8a2f57269b2f47b4e8f2e122e424754b",
        "file_type": "",
        "file_name": "untitled.doc",
        "features": ["te", "av"],
        "te": {
            "trust": 0,
            "images": [{
                "report": {
                    "verdict": "unknown"
                },
                "status": "not_found",
                "id": "e50e99f3-5963-4573-af9e-e3f4750b55e2",
                "revision": 1
            }, {
                "report": {
                    "verdict": "unknown"
                },
                "status": "not_found",
                "id": "5e5de275-a103-4f67-b55b-47532918fa59",
                "revision": 1
            }],
            "score": -2147483648,
            "status": {
                "code": 1004, "label": "NOT_FOUND",
                "message": "Could not find the requested file. Please upload it."
            }},
        "av": {
            "malware_info": {
                "signature_name": "",
                "malware_family": 0,
                "malware_type": 0,
                "severity": 0,
                "confidence": 0
            },
            "status": {
                "code": 1001,
                "label": "FOUND",
                "message": "The request has been fully answered."
            }
        }
    }
}
]
Case Wall
Result Type Value / Description Type
Output message*

The action should not fail nor stop a playbook execution:

If successful: "Successfully found info the following entities:..."

If partially successful: "Partial information was found for the following entities:..."

If not found entities: "No information was found for the following entities:..."

If failed to find entities: "Failed to fetch information for the following entities:..."

If not successful: "No entities were enriched."

The action should fail and stop a playbook execution:

If a critical error, like wrong credentials or lost connectivity is reported:

"An error occurred while running action. Error: {}".format(e)

General

Upload File

Description

Upload files for analysis.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
file path String N/A Yes path to the file to be uploaded
file name String N/A Yes Display Name of the uploaded file
Enable Threat Emulation feature Checkbox Checked No If enabled, threat emulation feature will be enabled for the upload. By default, if no features are selected, threat emulation will be used.
Enable AntiVirus feature Checkbox Unchecked No If enabled, antivirus feature will be enabled for the upload. By default, if no features are selected, threat emulation will be used.
Enable Threat Extraction feature Checkbox Unchecked No If enabled, threat extraction feature will be enabled for the upload. By default, if no features are selected, threat emulation will be used.

Run On

This action doesn't run on entities.

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON Result
[
    {
        "Entity": "/tmp/test.txt",
        "EntityResult": {
            "status": {
                "code": 1002,
                "label": "UPLOAD_SUCCESS",
                "message": "The file was uploaded successfully."
            },
            "sha1": "6caf005c3183d9b5b8dfa5b60f24eb1ebbfab876",
            "md5": "c12c504bbe0f7be6ca87d4933c43fac1",
            "sha256": "e757f729d149e047705ad6adfbcdd28b0ad28899385712ee0a58261bcb03ac36",
            "file_type": "",
            "file_name": "2020092414.log",
            "features": ["te"],
            "te": {
                "trust": 0,
                "images": [{
                    "report": {
                        "verdict": "unknown"
                    },
                    "status": "not_found",
                    "id": "e50e99f3-5963-4573-af9e-e3f4750b55e2",
                    "revision": 1
                }, {
                    "report": {
                        "verdict": "unknown"
                    },
                    "status": "not_found",
                    "id": "5e5de275-a103-4f67-b55b-47532918fa59",
                    "revision": 1
                }],
                "score": -2147483648,
                "status": {
                    "code": 1002,
                    "label": "UPLOAD_SUCCESS",
                    "message": "The file was uploaded successfully."
                }
            }
        }
    }
]
Case Wall
Result Type Value / Description Type
Output message*

The action should not fail nor stop a playbook execution:

If successful: "Successfully uploaded the following files: {}".format(".join([file_path for file_path in successful_paths])

Else: "No files were uploaded."

If failed: "An error occurred on the following files: {}Please check logs for more information.".format(".join([file_path for file_path in failed_paths])"

The action should fail and stop a playbook execution:

If a critical error, like wrong credentials or lost connectivity is reported:

"An error occurred while running action. Error: {}".format(e)

General