Technology Partner News: Automate Block Lists with ServiceNow Security Operations


HOW IT WORKS

With ServiceNow® and Check Point, creating block lists and adding block list entries to a Check Point security gateway can be automated using the Check Point Custom Intelligence Feeds feature (sk132193). This feature lets the Security Gateway fetch feeds directly from a third-party server, in this case the ServiceNow instance, and enforce them with the Anti-Virus and Anti-Bot technologies.

To implement this, block lists are configured through ServiceNow and hosted on a ServiceNow Platform instance. A Custom Intelligence Feed configured on the Check Point security gateway retrieves the IP addresses, URLs and domains from the Now Platform at a pre-configured interval.

Once block lists are configured, users can set an approval process and workflow for adding entries to the block list based on observables gathered from security incidents in ServiceNow. Additionally, if observables obtained from other external sources are determined malicious but are not associated with a specific ServiceNow security incident, block list entries can be entered manually into a block list entry form and tied to the observable for tracking and a full audit trail.

ADMINISTRATION FLOW

From ServiceNow Product Documentation - Working with Block Lists

  1. Create a block list for the Check Point NGTP integration

Create a Block List in your Now Platform instance. Once approved and activated, you can create entries for this Block List from observables determined to be malicious on Now Platform Security Incident Response (SIR) incidents and request approval to block them.

  2. Activate a block list for the Check Point NGTP integration

After the Block List has been created in your Now Platform and its URL is available, the Check Point administrator configures the Block List as a Custom Intelligence Feed on all the Check Point Next Generation Gateways. Before it can accept Block List entries, the Block List must be configured in Check Point and activated in the Now Platform.

  3. Configure a block list as a Custom Intelligence Feed on the Check Point NGTP integration

# ioc_feeds add --feed_name phishing_url --transport https --resource https://<NOW-INSTANCE>.<feed-url> --user_name <now_chkp_api_user> --feed_action Prevent

ioc_feeds example use case

The firewall administrator must configure the Custom Intelligence Feed corresponding to the Block List created in the Now Platform.

  4. Submit block list entries from a security incident for the Check Point NGTP integration

Observables attached to a security incident record are submitted for approval as Block List entries to different Block Lists. An optional approval process for Block List entries is part of the preconfigured workflow. The Gateway imports Block List entries — IP addresses, URLs, domains — that are included in Block Lists.

  5. Submit block list entries directly from the Block List Entry Table

For observables determined to be malicious, and not associated with a specific Now Platform security incident, you submit Block List entries from the block list.

  6. Approve block list entries for the Check Point NGTP integration

An approval process for Block List entries is part of the preconfigured workflow. You approve Block List entries before the entries are activated on Block Lists. After you approve the Block List entry, the gateway retrieves the entry, and your observable is blocked from that point forward.

  7. Block list entry exceptions for the Check Point NGTP integration

There are restrictions for adding Block List entries to Block Lists. If duplicate, compatibility, or CIDR (Classless Inter-Domain Routing) conflicts exist when you try to add Block List entries to Block Lists, error messages are displayed that help you resolve these errors.

  8. Edit the security tag name for the Check Point NGTP integration (optional)

If the Display tag check box is selected when you create the Block List record, you can edit the tag names and colors of the security tags. Security tags help you track observables that are already blocked.
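The duplicate and CIDR-conflict checks that the exceptions step describes, as an added Python example (not ServiceNow's or Check Point's own code): check_entry vets one observable against the current block list, add_entries runs it over a batch in approval order so later entries are checked against earlier accepted ones, and the sample entries are constructed.

```python
# Hypothetical check modelled on the conflicts the post names (duplicate, CIDR); not ServiceNow's or Check Point's own code.
import ipaddress
from urllib.parse import urlparse

def classify(entry):
    """Return (kind, normalised value); kind is ip, cidr, domain or url."""
    e = entry.strip()
    try:  # a bare address or a CIDR range; host bits of a range are masked off
        net = ipaddress.ip_network(e, strict=False)
        return ("cidr", str(net)) if "/" in e else ("ip", str(net.network_address))
    except ValueError:
        pass
    p = urlparse(e)
    if p.scheme in ("http", "https") and p.netloc:  # urlparse already lowercases the scheme
        return "url", p._replace(netloc=p.netloc.lower()).geturl()
    labels = e.rstrip(".").lower().split(".")
    if len(labels) > 1 and all(lab and lab.replace("-", "").isalnum() for lab in labels) and labels[-1].isalpha():
        return "domain", ".".join(labels)
    raise ValueError(f"unrecognised observable: {entry!r}")

def check_entry(existing, candidate):
    """Return None if candidate may join the list, else the error shown to the requester."""
    try:
        kind, value = classify(candidate)
    except ValueError as exc:
        return str(exc)
    current = [classify(x) for x in existing]
    if any(v == value for _, v in current):
        return f"duplicate: {value} is already on the block list"
    if kind in ("ip", "cidr"):  # a single host is just a /32 or /128 network here
        cand_net = ipaddress.ip_network(value)
        for k, v in current:
            if k in ("ip", "cidr") and cand_net.overlaps(ipaddress.ip_network(v)):
                return f"CIDR conflict: {value} overlaps existing entry {v}"

def add_entries(existing, candidates):
    """Vet candidates in approval order; return (resulting list, [(entry, reason)] rejected)."""
    accepted, rejected = list(existing), []
    for c in candidates:
        err = check_entry(accepted, c)
        if err:
            rejected.append((c, err))
        else:
            accepted.append(classify(c)[1])
    return accepted, rejected

# Constructed sample data: entries already on the list and observables from a new incident.
EXISTING = ["203.0.113.0/24", "phishing.example", "https://malicious.example/login"]
NEW = ["203.0.113.45", "PHISHING.EXAMPLE.", "198.51.100.7", "https://malicious.example/login", "not an observable"]
```

Running add_entries(EXISTING, NEW) accepts only 198.51.100.7; the host inside the existing /24, the re-cased domain, the repeated URL and the unparseable string each come back with the reason a requester would see.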


SEE IT IN THE SERVICENOW STORE


Re: Technology Partner News: Automate Block Lists with ServiceNow Security Operations

Lots of people have been waiting for this for a while. Great to see it's live!