Oren_Koren
Employee Alumnus

Cyber Attack View formal release for R80.10 & R80.20

Hey,

A few months ago, we started to work on the new dashboard for Threat Prevention investigation methods.

You can find the first post in here: https://community.checkpoint.com/community/management/visibility-monitoring/blog/2018/04/04/threat-p... 

I am happy to announce that we formally released the version for R80.10 & R80.20 under the following SK: sk134634

This dashboard allows you to locate the cyber threats you need to address, based on attack vector, very quickly. Our EA customers were able to locate threats in their network very quickly, without needing to query their logs as the first action.

We also improved the queries based on the community's input, and we are looking for more improvements and input from the community. If you have any input related to the dashboard, please contact me directly: Orenkor@checkpoint.com

Thanks,

Oren

Examples for all of the pages in the dashboard:

  • Main page

Main page - Cyber Attack View

  • Infected Hosts

Infected Hosts - Cyber Attack View

  • Reconnaissance action on your network

Reconnaissance - Cyber Attack View

  • Different delivery methods

Malicious File Download - Cyber Attack View

Malicious Emails - Cyber Attack View

  • Host exploit

Host Exploit - Cyber Attack View

  • Malicious Websites

Malicious Websites - Cyber Attack View

11 Replies
Evgeniy_Olkov
Collaborator

Hello. You did a great job!

I have one suggestion. It would be really cool if you added one more widget: the Map of Attackers. Something like this:

It will help to create a Geo Policy.

Oren_Koren
Employee Alumnus

Created a basic one - something like that?

What should be the order and data that need to be presented, from your POV?

If you have use cases, that would be best (something like 'as an admin, I want to find... / someone called me with a problem or need and I want to ********** and based on that do *******').

jpuerta
Explorer

Could you please send me the template?

Evgeniy_Olkov
Collaborator

Yes, this screenshot looks good. The main goal is to find which countries are attacking you. Maybe from this screen you will see a lot of attacks from Bangladesh or Congo. After that you can create a Geo policy and block all malicious traffic.

Oren_Koren
Employee Alumnus

Is that a view related to threat prevention only? Based on my work in SOC operations, they are working on top sources and destinations and asking more questions:

  • Top sources for traffic usage
  • Top destinations (my organization) connection rate
  • Top source Attack countries (where the attacker is located)
  • Top attacked countries (where the customer is located)

Based on your experience, should we connect it to Threat Prevention events or take a higher-level look at it (Access, Threat, VPN, etc.)?

Thanks,

Oren

Evgeniy_Olkov
Collaborator

I can't speak for everyone. But I think if we talk about a 'cyber threat view', the only information we need is the map between security events and the country they originate from. After that we can start our investigation.
But it's only my opinion.

Oren_Koren
Employee Alumnus

So something more like that?

Focus on threat, but also present the amount of logs and bandwidth.

Evgeniy_Olkov
Collaborator

I like your first screenshot more. It's about security events.

Oren_Koren
Employee Alumnus

O.K.

I will see how we can integrate the GEO view.

Thanks for the feedback!

Oren

D_W
Advisor

This new View is very useful!

One question about the "Hosts accessed malicious websites" that is stated in the field "Attacks Allowed By Policy".

I always see our internal DNS servers there, which try name resolution for phishing/infected websites. The protection "DNS Reputation" successfully blocks this -> OK. Why does that appear in the field "Attacks Allowed By Policy" when DNS Reputation blocks it?

Yonathan_Grunew
Participant

Great job!

We've been using it for a long time, and it's nice to see this becoming officially GA!

Keep up the good work!
