Skip to content

CheckPoint#

README

CkeckPoint#

This responder permits you to add/remove selected observable from a specific group.

Some notes:

- API must permit access from cortex machine.

- First login from API must be manual because it needs fingerprint acceptance. This will generate a fingerprints.txt file that must be placed near to the analyzer python file.

- It doesn't work in dockerized analyzer!

- If group doesn't exists it'll be created [when blocking]. At the moment without any default rule.

Requirements#

The following options are required in CheckPoint Responder configuration:

  • server : URL of CheckPoint instance
  • username: user accessing CheckPoint instance
  • password: password for the user accessing CheckPoint instance
  • group_name: name of the group ip will be added to or removed

CheckPoint_Lock#

Author: @dadokkio LDO-CERT
License: AGPL-V3
Version: 1.0
Supported data types:
- thehive:case_artifact
Registration required: N/A
Subscription required: N/A
Free subscription: N/A
Third party service: N/A

Description#

Lock ip on CheckPoint Gaia

Configuration#

server Checkpoint API server
Default value if not configured N/A
Type of the configuration item string
The configuration item can contain multiple values False
Is required True
username CheckPoint username
Default value if not configured N/A
Type of the configuration item string
The configuration item can contain multiple values False
Is required True
password CheckPoint password
Default value if not configured N/A
Type of the configuration item string
The configuration item can contain multiple values False
Is required True
group_name CheckPoint group name ip will be added/removed from
Default value if not configured N/A
Type of the configuration item string
The configuration item can contain multiple values False
Is required True
exclusions ip/subnet that cannot be locked or unlocked
Default value if not configured N/A
Type of the configuration item string
The configuration item can contain multiple values True
Is required False
added_tag Tag added to observable when adding to FW
Default value if not configured N/A
Type of the configuration item string
The configuration item can contain multiple values False
Is required False
removed_tag Tag added to observable when removing from FW
Default value if not configured N/A
Type of the configuration item string
The configuration item can contain multiple values False
Is required False

CheckPoint_Unlock#

Author: @dadokkio LDO-CERT
License: AGPL-V3
Version: 1.0
Supported data types:
- thehive:case_artifact
Registration required: N/A
Subscription required: N/A
Free subscription: N/A
Third party service: N/A

Description#

Unlock ip on CheckPoint Gaia

Configuration#

server Checkpoint API server
Default value if not configured N/A
Type of the configuration item string
The configuration item can contain multiple values False
Is required True
username CheckPoint username
Default value if not configured N/A
Type of the configuration item string
The configuration item can contain multiple values False
Is required True
password CheckPoint password
Default value if not configured N/A
Type of the configuration item string
The configuration item can contain multiple values False
Is required True
group_name CheckPoint group name ip will be added/removed from
Default value if not configured N/A
Type of the configuration item string
The configuration item can contain multiple values False
Is required True
exclusions ip/subnet that cannot be locked or unlocked
Default value if not configured N/A
Type of the configuration item string
The configuration item can contain multiple values True
Is required False
added_tag Tag added to observable when adding to FW
Default value if not configured N/A
Type of the configuration item string
The configuration item can contain multiple values False
Is required False
removed_tag Tag added to observable when removing from FW
Default value if not configured N/A
Type of the configuration item string
The configuration item can contain multiple values False
Is required False