Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Yevhen_B
Explorer

Utility to prevent IP activity by SIEM command using SAM rules

Hi All,

I made an utility to integrate CheckPoint Firewall with SIEM ArcSight to provide fast block of malicious activity without Policy Installation.

Automatic Remediation Tool allows SIEM ArcSight to send a SAM Command (sk112061) CheckPoint Firewall to block attacker IP address in case of detected attack, based on SIEM logs or correlated events.

If some device (IDS\IPS\WAF…), connected to SIEM, detects an attack from IP address or C&C communication, you can create ArcSight rule to provide automatic reaction: block Attacker IP as source and destination of IPv4 traffic on your CheckPoint Firewall.

NewDiagram.jpg

Automatic Remediation Tool will receive IP address from SIEM, and send command to Firewall. 

Utility should be placed on separate server from SIEM and CheckPoint SMS. It connects to CheckPoint SMS using SSH and use SmartConnector to communicate with SIEM.

Utility includes easy configuration script and logging in Common Event Format.

You can find more information on Micro Focus ArcSight Marketplace or contact with me on CheckMates or privately autoremediation@gmail.com

You can also watch demonstration video.

Hope you will enjoy it.

0 Replies