Integration with Splunk Phantom

grandpafirewall · ‎2018-12-26

In an effort to start building the Check Point/Phantom ecosystem, I'm posting an integration document I created to share with the community; and to understand the need to increase our footprint with Phantom (now Splunk Phantom). I have a Github site setup for to collect Playbooks; json; rpm's; and Python files (see below) The document is still in draft and currently under review and will welcome any feedback. The document is an integration guide and is not the authority nor a tutorial for Phantom. The Phantom management portal has a very extensive documentation.

The document was written with R80.10, but I'm currently testing R80.20M2 with this as the API features are much more extensive.

The R80 REST API is very powerful and will continue to have features added in future releases.

Github: GitHub - rickdevera/phantom-checkpoint

automation‌

/richard devera

For the full list of White Papers, go here.

Martin_Valenta · ‎2018-12-27

Hey Rick, which other playbooks except block/allow IP you use or plan to use within your org?

grandpafirewall · ‎2018-12-27

I'm working with a Check Point partner to demonstration the how we fit into their existing services. The Playbooks aren't limited to just the Check Point functions. You can use combine other Apps and their Actions to be used in a single Playbook, (For example, I can gather information gained from other Assets (ie VendorX firewall, URL service, etc) and take action. The Check Point playbook I created is very basic, and only demonstrates how I can use it with our API. So we should develop more Apps that can be used in Playbooks. For example, our Threat Cloud API can be used if we can create an App. Does this help?

Chris_Atkinson · ‎2018-12-27

Thanks for sharing!