https://community.checkpoint.com/t5/Firewall-and-Security-Management/Utility-to-prevent-IP-activity-by-SIEM-command-using-SAM-rules/m-p/101248#M10162 <P>Hi All,</P><P>I made an utility to integrate CheckPoint Firewall with SIEM ArcSight to provide fast block of malicious activity without Policy Installation.</P><P><SPAN><STRONG>Automatic Remediation Tool</STRONG> allows SIEM ArcSight to send a SAM Command (<A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk112061" target="_blank" rel="noopener">sk112061</A>) CheckPoint Firewall to block attacker IP address in case of detected attack, based on SIEM logs or correlated events.</SPAN></P><P><SPAN>If some device (IDS\IPS\WAF…), connected to SIEM, detects an attack from IP address or C&amp;C communication, you can create ArcSight rule to provide automatic reaction: block Attacker IP as source and destination of IPv4 traffic on your CheckPoint Firewall.<BR /><BR /></SPAN></P><P><SPAN><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="NewDiagram.jpg" style="width: 502px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/8790i62C86F2B8CCD9ABF/image-size/large?v=v2&amp;px=999" role="button" title="NewDiagram.jpg" alt="NewDiagram.jpg" /></span></SPAN></P><P><SPAN>Automatic Remediation Tool will receive IP address from SIEM, and send command to Firewall.&nbsp;</SPAN></P><P><SPAN>Utility should be placed on separate server from SIEM and CheckPoint SMS. It connects to CheckPoint SMS using SSH and use SmartConnector to communicate with SIEM.</SPAN></P><P><SPAN>Utility includes easy configuration script and logging in Common Event Format.</SPAN></P><P><SPAN>You can find more information on <A href="https://marketplace.microfocus.com/arcsight/content/automatic-ip-remediation-checkpoint" target="_blank" rel="noopener">Micro Focus ArcSight Marketplace</A> or contact with me on CheckMates or privately&nbsp;<A href="mailto:autoremediation@gmail.com" target="_blank">autoremediation@gmail.com</A></SPAN></P><P><SPAN>You can also watch <A href="https://youtu.be/LHco8ubJINk" target="_self">demonstration video</A>.</SPAN></P><P>Hope you will enjoy it.</P> Thu, 05 Nov 2020 19:41:42 GMT Yevhen_B 2020-11-05T19:41:42Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Utility-to-prevent-IP-activity-by-SIEM-command-using-SAM-rules/m-p/101248#M10162 <P>Hi All,</P><P>I made an utility to integrate CheckPoint Firewall with SIEM ArcSight to provide fast block of malicious activity without Policy Installation.</P><P><SPAN><STRONG>Automatic Remediation Tool</STRONG> allows SIEM ArcSight to send a SAM Command (<A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk112061" target="_blank" rel="noopener">sk112061</A>) CheckPoint Firewall to block attacker IP address in case of detected attack, based on SIEM logs or correlated events.</SPAN></P><P><SPAN>If some device (IDS\IPS\WAF…), connected to SIEM, detects an attack from IP address or C&amp;C communication, you can create ArcSight rule to provide automatic reaction: block Attacker IP as source and destination of IPv4 traffic on your CheckPoint Firewall.<BR /><BR /></SPAN></P><P><SPAN><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="NewDiagram.jpg" style="width: 502px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/8790i62C86F2B8CCD9ABF/image-size/large?v=v2&amp;px=999" role="button" title="NewDiagram.jpg" alt="NewDiagram.jpg" /></span></SPAN></P><P><SPAN>Automatic Remediation Tool will receive IP address from SIEM, and send command to Firewall.&nbsp;</SPAN></P><P><SPAN>Utility should be placed on separate server from SIEM and CheckPoint SMS. It connects to CheckPoint SMS using SSH and use SmartConnector to communicate with SIEM.</SPAN></P><P><SPAN>Utility includes easy configuration script and logging in Common Event Format.</SPAN></P><P><SPAN>You can find more information on <A href="https://marketplace.microfocus.com/arcsight/content/automatic-ip-remediation-checkpoint" target="_blank" rel="noopener">Micro Focus ArcSight Marketplace</A> or contact with me on CheckMates or privately&nbsp;<A href="mailto:autoremediation@gmail.com" target="_blank">autoremediation@gmail.com</A></SPAN></P><P><SPAN>You can also watch <A href="https://youtu.be/LHco8ubJINk" target="_self">demonstration video</A>.</SPAN></P><P>Hope you will enjoy it.</P> Thu, 05 Nov 2020 19:41:42 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Utility-to-prevent-IP-activity-by-SIEM-command-using-SAM-rules/m-p/101248#M10162 Yevhen_B 2020-11-05T19:41:42Z