IBM Security QRadar

  • 1.  Incident response with Checkpoint

    Posted Mon January 24, 2022 10:03 AM
    Hi,
    I have one QRadar system receiving logs from Check Point, but I need to do more about incident response. After QRadar creates an offense, can we send it to Check Point to build a policy that blocks the traffic?

    For example, QRadar sees brute-force traffic from IP 192.168.1.1 and creates an offense. QRadar then sends this offense to Check Point to block any traffic from source IP 192.168.1.1. Does this require any 3rd-party software? Is it possible to apply this case to an existing system?

    Thanks in advance

    ------------------------------
    MACs
    ------------------------------


  • 2.  RE: Incident response with Checkpoint

    IBM Champion
    Posted Wed January 26, 2022 10:49 AM
    Thanks for your question. Yes, you can! This is one of our boot camp samples for shunning, using a custom action script for SAM rules inside Check Point.
    The only problem is that you need to log in to your firewall first, which can only be done outside the QRadar script container.
    The workaround for this problem is to store the IP addresses in a reference list and read the updated list with a second script via the REST API, scheduled once per minute from outside the script container in order to work around the jail.
    Please refer to the attached PDF.

    ------------------------------
    Karl Jaeger, Business Partner
    QRadar Specialist
    pro4bizz
    Karlsruhe, Germany
    4972190981722
    ------------------------------

    Attachment(s): 09_rulescript_engl.pdf (PDF, 2.11 MB)
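The two-script design Karl describes (custom action writes offending IPs into a reference list; a second script outside the container polls that list and pushes SAM rules) can be sketched as follows. This is an added example, not code from the original post or from the attached PDF. It assumes a reference set named `blocked_ips` (hypothetical), the QRadar REST endpoint `/api/reference_data/sets/<name>` with a `SEC` token header, a state file path `/var/tmp/qradar_sam_state.json` (hypothetical), and the Check Point `fw sam` CLI on the host where the script runs. Only the second (polling) script is shown, since that is the part that must live outside the script container.

```python
"""Poll a QRadar reference set and shun new addresses with Check Point SAM rules.

Added example for this thread, not the poster's or IBM's code. Meant to run
from cron once per minute on a host that can reach both the QRadar console
(REST API) and the Check Point management/gateway (fw sam), i.e. outside the
QRadar script container.
"""
import ipaddress
import json
import subprocess
import urllib.request
from pathlib import Path

REFERENCE_SET = "blocked_ips"                          # hypothetical reference set name
SAM_TIMEOUT_SECONDS = 3600                             # SAM rule lifetime; stale blocks expire on their own
STATE_FILE = Path("/var/tmp/qradar_sam_state.json")    # hypothetical path remembering what was already blocked


def fetch_reference_set(console, token, name=REFERENCE_SET, opener=urllib.request.urlopen):
    """Return the JSON document of a reference set from the QRadar REST API.
    `opener` is injectable so the logic can be exercised offline."""
    req = urllib.request.Request(
        f"https://{console}/api/reference_data/sets/{name}",
        headers={"SEC": token, "Accept": "application/json"},
    )
    with opener(req) as resp:
        return json.load(resp)


def extract_ips(ref_set):
    """Pull the values out of a reference set document, keeping only
    syntactically valid IPv4/IPv6 addresses. Anything else is dropped so a
    malformed or tampered list entry can never reach the fw sam command line."""
    valid = set()
    for entry in ref_set.get("data", []):
        value = str(entry.get("value", "")).strip()
        try:
            valid.add(str(ipaddress.ip_address(value)))
        except ValueError:
            continue                # not an IP address: ignore
    return sorted(valid)


def build_sam_commands(ips, timeout=SAM_TIMEOUT_SECONDS):
    """One 'fw sam' invocation per address as an argv list (no shell).
    -I inhibits the source and closes its existing connections, -t bounds
    the rule lifetime in seconds."""
    return [["fw", "sam", "-t", str(timeout), "-I", "src", ip] for ip in ips]


def load_state(path=STATE_FILE):
    """Addresses blocked by earlier runs (empty set on first run)."""
    if path.exists():
        return set(json.loads(path.read_text()))
    return set()


def save_state(blocked, path=STATE_FILE):
    path.write_text(json.dumps(sorted(blocked)))


def run_once(ref_set, already_blocked, runner=subprocess.run):
    """Block every address in the reference set that is not blocked yet.
    Returns the list of newly blocked addresses. `runner` is injectable
    (defaults to subprocess.run) so the flow can be tested without fw sam."""
    new = [ip for ip in extract_ips(ref_set) if ip not in already_blocked]
    for cmd in build_sam_commands(new):
        runner(cmd, check=True)     # argv list, never shell=True
    return new


if __name__ == "__main__":
    import os
    doc = fetch_reference_set(os.environ["QRADAR_CONSOLE"], os.environ["QRADAR_SEC_TOKEN"])
    state = load_state()
    newly = run_once(doc, state)
    save_state(state | set(newly))
    print(f"blocked {len(newly)} new address(es): {newly}")
```

Because SAM rules are time-limited (`-t`), the state file only prevents re-issuing a block every minute while the rule is still active; if a source keeps showing up after the timeout, the custom action will re-add it to the reference set and the next poll will block it again. Validating each value with `ipaddress` and passing an argv list rather than a shell string means a bad value in the reference set is dropped instead of being interpreted by the shell.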


  • 3.  RE: Incident response with Checkpoint

    Posted Wed January 26, 2022 10:49 PM
    Hi Karl,
    Thanks for the response and for showing me an example. It's very useful!

    ------------------------------
    MAC starter
    ------------------------------



  • 4.  RE: Incident response with Checkpoint

    Posted Fri January 28, 2022 03:08 PM
    Thanks. It's very useful!

    ------------------------------
    webaffiliatevn.com
    ------------------------------