Employee+

Cyber Attack View formal release for R80.10 & R80.20

Hey,

A few months ago, we started to work on the new dashboard for Threat Prevention investigation methods.

You can find the first post in here: https://community.checkpoint.com/community/management/visibility-monitoring/blog/2018/04/04/threat-p... 

I am happy to announce that we have formally released the version for R80.10 & R80.20 under the following SK: sk134634.

This dashboard allows you to locate the cyber threats you need to address, based on attack vector, in a very fast way. Our EA customers were able to locate threats on their network very quickly and without needing to query their logs as the first action.

We also improved the queries based on the community's input, and we are looking for more improvements and input from the community. If you have any input related to the dashboard, please contact me directly: Orenkor@checkpoint.com

Thanks,

Oren

Examples for all of the pages in the dashboard:

  • Main page - Cyber Attack View
  • Infected Hosts

Infected Hosts - Cyber Attack View

  • Reconnaissance action on your network

Reconnaissance - Cyber Attack View

  • Different delivery methods

Malicious File Download - Cyber Attack View

Malicious Emails - Cyber Attack View

  • Host exploit

Host Exploit - Cyber Attack View

  • Malicious Websites

Malicious WebSites- Cyber Attack View

10 Replies

Re: Cyber Attack View formal release for R80.10 & R80.20

Hello. You did a great job!

I have one suggestion. It would be really cool if you added one more widget: The Map of Attackers. Something like this:

It would help to create a Geo Policy.

Employee+

Re: Cyber Attack View formal release for R80.10 & R80.20

Created a basic one. Something like that?

What should be the order and the data that need to be presented, from your POV?

If you have use cases, that would be best (something like: 'As an admin, I want to find / someone called me with a problem or need and I want to ********** and based on that do *******').


Re: Cyber Attack View formal release for R80.10 & R80.20

Yes, this screenshot looks good. The main goal is to find which countries are attacking you. Maybe from this screen you will see a lot of attacks from Bangladesh or Congo. After that you can create a Geo policy and block all malicious traffic.

Employee+

Re: Cyber Attack View formal release for R80.10 & R80.20

Is that a view related to threat prevention only? Based on my work in SOC operations, they work on top sources and destinations and ask more questions:

  • Top sources for traffic usage
  • Top destinations (my organization) connection rate
  • Top source Attack countries (where the attacker is located)
  • Top attacked countries (where the customer is located)

Based on your experience, should we connect it to Threat Prevention events or take a higher-level look at it (Access, Threat, VPN, etc.)?

Thanks,

Oren

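The country-level view discussed in this exchange (top attacking countries, top attacked countries, top sources by traffic, top destinations by connection rate), reduced to its aggregation logic, as an added example that is not part of the original thread or of Check Point's code. The log records, the field names (`src_country`, `dst_country`, `blade`, `bytes`) and the blade names used to separate security events from plain access logs are constructed assumptions for illustration, not Check Point's log schema.

```python
from collections import Counter, defaultdict

# Constructed sample records (assumption: a simplified log shape with one
# record per connection; the real product's fields differ).
SAMPLE_LOGS = [
    {"src": "203.0.113.10", "src_country": "Bangladesh", "dst": "198.51.100.5",
     "dst_country": "Germany", "bytes": 1200, "blade": "IPS", "action": "Prevent"},
    {"src": "203.0.113.11", "src_country": "Bangladesh", "dst": "198.51.100.5",
     "dst_country": "Germany", "bytes": 800, "blade": "Anti-Bot", "action": "Prevent"},
    {"src": "198.18.0.7", "src_country": "Congo", "dst": "198.51.100.9",
     "dst_country": "Germany", "bytes": 500, "blade": "IPS", "action": "Detect"},
    {"src": "192.0.2.44", "src_country": "France", "dst": "198.51.100.5",
     "dst_country": "Germany", "bytes": 50000, "blade": "Firewall", "action": "Accept"},
    {"src": "192.0.2.44", "src_country": "France", "dst": "198.51.100.9",
     "dst_country": "Germany", "bytes": 30000, "blade": "Firewall", "action": "Accept"},
    {"src": "203.0.113.10", "src_country": "Bangladesh", "dst": "198.51.100.20",
     "dst_country": "Netherlands", "bytes": 300, "blade": "Anti-Virus", "action": "Prevent"},
    {"src": "198.18.0.8", "src_country": "Congo", "dst": "198.51.100.5",
     "dst_country": "Germany", "bytes": 90000, "blade": "Firewall", "action": "Accept"},
]

# Assumption: records from these blades are "security events"; everything
# else is ordinary access logging.
THREAT_BLADES = {"IPS", "Anti-Bot", "Anti-Virus"}


def security_events(logs):
    """Yield only the records produced by threat-prevention blades."""
    return [r for r in logs if r["blade"] in THREAT_BLADES]


def top_attacker_countries(logs, n=5):
    """Where the attackers are located: security events grouped by source country."""
    return Counter(r["src_country"] for r in security_events(logs)).most_common(n)


def top_attacked_countries(logs, n=5):
    """Where the targets are located: security events grouped by destination country."""
    return Counter(r["dst_country"] for r in security_events(logs)).most_common(n)


def top_sources_by_bytes(logs, n=5):
    """Traffic usage per source over all logs, not only security events."""
    usage = defaultdict(int)
    for r in logs:
        usage[r["src"]] += r["bytes"]
    return sorted(usage.items(), key=lambda kv: kv[1], reverse=True)[:n]


def top_destinations_by_connections(logs, n=5):
    """Connection rate per destination (the organisation's own hosts)."""
    return Counter(r["dst"] for r in logs).most_common(n)


def geo_policy_candidates(logs, min_events=2):
    """Countries with at least min_events security events: the shortlist an
    admin would review before considering a Geo policy, not an automatic block."""
    counts = Counter(r["src_country"] for r in security_events(logs))
    return sorted(c for c, k in counts.items() if k >= min_events)


if __name__ == "__main__":
    print("Top attacker countries:", top_attacker_countries(SAMPLE_LOGS))
    print("Top attacked countries:", top_attacked_countries(SAMPLE_LOGS))
    print("Top sources by bytes:", top_sources_by_bytes(SAMPLE_LOGS, 3))
    print("Top destinations by connections:", top_destinations_by_connections(SAMPLE_LOGS))
    print("Geo policy review candidates:", geo_policy_candidates(SAMPLE_LOGS))
```

Note that the two country views only count security events, while the bytes and connection views cover all logs; that split is exactly the difference between the "security events only" map one reply asks for and the broader traffic view the other screenshot proposed.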

Re: Cyber Attack View formal release for R80.10 & R80.20

I can't speak for everyone, but I think if we talk about a 'cyber threat view', the only information we need is the map between security events and the country of their origin. After that we can start our investigation.
But it's only my opinion.

Employee+

Re: Cyber Attack View formal release for R80.10 & R80.20

So, something more like that?

Focused on threats, but also presenting the amount of logs and bandwidth.

Re: Cyber Attack View formal release for R80.10 & R80.20

I like your first screenshot more. It's about security events.

Employee+

Re: Cyber Attack View formal release for R80.10 & R80.20

OK.

I will see how we can integrate the GEO view.

Thanks for the feedback!

Oren

D_W
Nickel

Re: Cyber Attack View formal release for R80.10 & R80.20

This new View is very useful!

One question about the "Hosts accessed malicious websites" entry that is listed in the field "Attacks Allowed By Policy".

I always see our internal DNS servers there, which try name resolution for phishing/infected websites. The protection "DNS Reputation" successfully blocks this -> OK. Why is that in the field "Attacks Allowed By Policy" when DNS Reputation blocks it?

Re: Cyber Attack View formal release for R80.10 & R80.20

Great job!

We've been using it for a long time and it's nice to see this become officially GA!

Keep up the good work!
