Check Point Threat Reputation

Integration version: 5.0

Use Cases

Threat Intel service.

Configure Check Point Threat Reputation integration in Google Security Operations SOAR

For detailed instructions on how to configure an integration in Google Security Operations SOAR, see Configure integrations.

Integration parameters

Use the following parameters to configure the integration:

Parameter Display Name Type Default Value Is Mandatory Description
Instance Name String N/A No Name of the instance you intend to configure integration for.
Description String N/A No Description of the Instance.
API Root String rep.checkpoint.com Yes Specify the Check Point Reputation Service API root URl.
API Key Password N/A Yes Specify the Check Point Reputation Service API key.
Verify SSL Checkbox Unchecked No If enabled, verifies that the SSL certificate for the connection to the Check Point Reputation Service server is valid.
Run Remotely Checkbox Unchecked No Check the field in order to run the configured integration remotely. Once checked, the option appears to select the remote user (agent).

Actions

Ping

Description

Test connectivity to the Check Point Reputation Service with parameters provided at the integration configuration page in the Google Security Operations Marketplace tab.

Parameters

N/A

Playbook Use Cases Examples

The action is used to test connectivity at the integration configuration page in the Google Security Operations Marketplace tab, and it can be executed as a manual action, not used in playbooks.

Run On

The action doesn't run on entities, nor has mandatory input parameters.

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
Case Wall
Result Type Value / Description Type
Output message*

The action should not fail nor stop a playbook execution:

If successful: "Successfully connected to the Check Point Reputation Service with the provided connection parameters!"

The action should fail and stop a playbook execution:

If a critical error, like wrong credentials or lost connectivity is reported:

"Failed to connect to the Check Point Reputation Service! Error is {0}".format(exception.stacktrace)

General

Get File Hash Reputation

Description

Enrich Google Security Operations SOAR File hash entity based on the information from the Check Point Reputation Service. Action accepts file hashes in md5, sha1, and sha256 formats.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Threshold Integer 0 Yes Mark entity as suspicious if the returned risk value for the entity is above a given threshold.
Create Insight? Checkbox Unchecked No Specify whether the Google Security Operations SOAR Insight should be created based on the action result.

Playbook Use Cases Examples

Enrich the Google Security Operations SOAR filehash entity with information from Check Point Reputation Service: During the processing of a possible malware infection alert, the user can benefit from having enrichment data from Check Point Reputation Service about particular filehashes that are associated with alert in question for investigative reasons.

Run On

This action runs on the FILEHASH (md5/sha1/sha256) entity.

Action Results

Entity Enrichment

The action should use all values from the API response for entity enrichment except for the "status" node of response.

Insights
Insight Logic Type Title (String) Message
Create if the respective checkbox was checked. Entity Check Point Threat Reputation

Classification: value from API response

Confidence: value from API response

Severity: value from API response

Risk: value from API response

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON Result

Action should return JSON results compatible with the Expression Builder.

{
    "response": [
        {
            "status": {
                "code": 2001,
                "label": "SUCCESS",
                "message": "Succeeded to generate reputation"
            },
            "resource": "2c527d980eb30daa789492283f9bf69e",
            "reputation": {
                "classification": "Riskware",
                "severity": "Medium",
                "confidence": "High"
            },
            "risk": 50,
            "context": {
                "malware_family": "Mimikatz",
                "protection_name": "HackTool.Win32.Mimikatz.TC.lc",
                "malware_types": [
                    "Riskware"
                ],
                "metadata": {
                    "company_name": "gentilkiwi (Benjamin DELPY)",
                    "product_name": "mimikatz",
                    "copyright": "Copyright (c) 2007 - 2017 gentilkiwi (Benjamin DELPY)",
                    "original_name": "mimikatz.exe"
                }
            }
        }
    ]
}
Case Wall
Result Type Value / Description Type
Output message*

The action should not fail nor stop a playbook execution:

If successful and at least one of the provided entities is enriched: "Successfully enriched entities: {0}".format([entity.Identifier]).

If failed to enrich all of the provided entities: "No entities were enriched."

If failed to find data in Check Point Reputation Service to enrich specific entities: "Action was not able to find Check Point Reputation Service info to enrich the following entities: {0}".format([entity.identifier])

The action should fail and stop a playbook execution:

If a critical error, like wrong credentials or lost connectivity is reported:

"Failed to connect to the Check Point Reputation Service! Error is {0}".format(exception.stacktrace)

General
Table

Table name: Check Point Reputation Service results for {0}.format(entity.Identifier)

Table columns:

  • Classification
  • Confidence
  • Severity
  • Risk
  • Malware Family - context.malware_family
  • File Name - context.protection_name
  • Malware Type - context.malware_types (could be multiple comma separated values)
  • Company Name - metadata.company_name
  • Product Name - metadata.product_name
  • Copyright - metadata.copyright
  • Original File Name - metadata.original_name
Entity

Get IP Reputation

Description

Enrich Google Security Operations SOAR IP entity based on the information from the Check Point Reputation Service.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Threshold Integer 0 Yes Mark entity as suspicious if the returned risk value for the entity is above a given threshold.
Create Insight? Checkbox Unchecked No Specify whether the Google Security Operations SOAR Insight should be created based on the action result.

Playbook Use Cases Examples

Enrich the Google Security Operations SOAR IP entity with information from Check Point Threat Reputation service: During the processing of a possible malware infection alert, the user can benefit from having enrichment data from the Check Point Threat Reputation service about particular ips that are associated with the alert in question for investigative reasons.

Run On

This action runs on the IP entity.

Action Results

Entity Enrichment

The action should use all values from the API response for entity enrichment except for the "status" node of response.

Insights
Insight Logic Type Title (String) Message
Create if the respective checkbox was checked. Entity Check Point Threat Reputation

Classification: value from API response

Confidence: value from API response

Severity: value from API response

Risk: value from API response

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON Result

Action should return JSON results compatible with the Expression Builder.

{
    "response": [
        {
            "status": {
                "code": 2001,
                "label": "SUCCESS",
                "message": "Succeeded to generate reputation"
            },
            "resource": "8.8.8.8",
            "reputation": {
                "classification": "Benign",
                "severity": "N/A",
                "confidence": "High"
            },
            "risk": 0,
            "context": {
                "location": {
                    "countryCode": "US",
                    "countryName": "United States",
                    "region": null,
                    "city": null,
                    "postalCode": null,
                    "latitude": 37.751007,
                    "longitude": -97.822,
                    "dma_code": 0,
                    "area_code": 0,
                    "metro_code": 0
                },
                "asn": 15169,
                "as_owner": "Google LLC"
            }
        }
    ]
}
Case Wall
Result Type Value / Description Type
Output message*

The action should not fail nor stop a playbook execution:

If successful and at least one of the provided entities is enriched: "Successfully enriched entities: {0}".format([entity.Identifier]).

If failed to enrich all of the provided entities: "No entities were enriched."

If failed to find data in Check Point Reputation Service to enrich specific entities: "Action was not able to find Check Point Reputation Service info to enrich the following entities: {0}".format([entity.identifier])

The action should fail and stop a playbook execution:

If a critical error, like wrong credentials or lost connectivity is reported:

print "Failed to connect to the Check Point Reputation Service! Error is {0}".format(exception.stacktrace)

General
Table

Table name: Check Point Threat Reputation results for {0}.format(entity.Identifier)

Table columns:

  • Classification
  • Confidence
  • Severity
  • Risk
  • Country Code - context.countryCode
  • Country - context.countryName
  • Region - context.region
  • City - context.city
  • Postal Code - context.postalCode
  • Latitude -context.latitude
  • Longitude - context.longitude
  • DMA Code - context.dma_code
  • Area Code -context.area_code
  • Metro Code -context.metro_code
  • ASN
  • Owner
Entity

Get Host Reputation

Description

Enrich the Google Security Operations SOAR Host entity based on the information from the Check Point Reputation Service.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Threshold Integer 0 Yes Mark entity as suspicious if the returned risk value for the entity is above a given threshold.
Create Insight? Checkbox Unchecked No Specify whether the Google Security Operations SOAR Insight should be created based on the action result.

Playbook Use Cases Examples

Enrich the Google Security Operations SOAR host entity with information from Check Point Threat Reputation service: During the processing of a possible malware infection alert, the user can benefit from having enrichment data from Check Point Threat Reputation service about particular hosts that are associated with the alert in question for investigative reasons.

Run On

This action runs on the Hostname entity.

Action Results

Entity Enrichment

The action should use all values from the API response for entity enrichment except for the "status" node of response.

Insights
Insight Logic Type Title (String) Message
Create if the respective checkbox was checked. Entity Check Point Threat Reputation

Classification: value from API response

Confidence: value from API response

Severity: value from API response

Risk: value from API response

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON Result

Action should return JSON results compatible with the Expression Builder.

{
    "response": [
        {
            "status": {
                "code": 2001,
                "label": "SUCCESS",
                "message": "Succeeded to generate reputation"
            },
            "resource": "ynet.co.il",
            "reputation": {
                "classification": "Benign",
                "severity": "N/A",
                "confidence": "High"
            },
            "risk": 0,
            "context": {
                "categories": [
                    {
                        "id": 24,
                        "name": "News / Media"
                    }
                ],
                "indications": [
                    "The domain has good reputation",
                    "The domain is popular among websites with good reputation",
                    "The domain is popular in the world",
                    "The domain's Alexa rank is 1262",
                    "Check Point's URL Filtering category is News / Media",
                    "VirusTotal vendors detected benign URLs of the domain"
                ],
                "vt_positives": 0,
                "alexa_rank": 1262,
                "safe": true,
                "creation_date": "2001:01:07 00:00:00"
            }
        }
    ]
}
Case Wall
Result Type Value / Description Type
Output message*

The action should not fail nor stop a playbook execution:

If successful and at least one of the provided entities is enriched: "Successfully enriched entities: {0}".format([entity.Identifier]).

If failed to enrich all of the provided entities: "No entities were enriched."

If failed to find data in Check Point Reputation Service to enrich specific entities: "Action was not able to find Check Point Reputation Service info to enrich the following entities: {0}".format([entity.identifier])

The action should fail and stop a playbook execution:

If a critical error, like wrong credentials or lost connectivity is reported:

"Failed to connect to the Check Point Reputation Service! Error is {0}".format(exception.stacktrace)

General
Table

Table name: Check Point Threat Reputation results for {0}.format(entity.Identifier)

Table columns:

  • Classification
  • Confidence
  • Severity
  • Risk
  • Categories - context.categories
  • Indications - context.indications
  • Virus Total Positives Count
  • Alexa Rank
  • Safe?
  • Creation Date
Entity