Check Point CloudGuard
Integration version: 3.0
Use Cases
Ingest Check Point CloudGuard alerts and use them to create Google Security Operations SOAR alerts. Next, in Google Security Operations SOAR, alerts can be used to perform orchestrations with playbooks or manual analysis.
Product Permission
Basic Authentication with API Key ID and API Key Secret.
Configure Check Point CloudGuard integration in Google Security Operations SOAR
For detailed instructions on how to configure an integration in Google Security Operations SOAR, see Configure integrations.
Integration parameters
Use the following parameters to configure the integration:
| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
| Instance Name | String | N/A | No | Name of the Instance you intend to configure integration for. |
| Description | String | N/A | No | Description of the Instance. |
| API Key ID | String | N/A | Yes | API Key ID of the Check Point CloudGuard account. |
| API Key Secret | Password | N/A | Yes | API Key Secret of the Check Point CloudGuard account. |
| Verify SSL | Checkbox | Unchecked | Yes | If enabled, verifies that the SSL certificate for the connection to the CloudGuard server is valid. |
| Run Remotely | Checkbox | Unchecked | No | Check the field in order to run the configured integration remotely. Once checked, the option appears to select the remote user (agent). |
Actions
Ping
Description
Test connectivity to Check Point CloudGuard with parameters provided at the integration configuration page in the Google Security Operations Marketplace tab.
Parameters
N/A
Run On
This action runs on all entities.
Action Results
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
Case Wall
| Result Type | Value / Description | Type |
|---|---|---|
| Output message* | The action should not fail nor stop a playbook execution: If successful: The action should fail and stop a playbook execution: If not successful: print "Failed to connect to the Check Point CloudGuard server! Error is {0}".format(exception.stacktrace) |
General |
Connectors
Check Point CloudGuard - Alerts Connector
Description
Pull alerts from Check Point CloudGuard.
Configure Check Point CloudGuard - Alerts Connector in Google Security Operations SOAR
For detailed instructions on how to configure a connector in Google Security Operations SOAR, see Configuring the connector.
Connector parameters
Use the following parameters to configure the connector:
| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| Product Field Name | String | Product Name | Yes | Enter the source field name in order to retrieve the Product Field name. |
| Event Field Name | String | alertType | Yes | Enter the source field name in order to retrieve the Event Field name. |
| Environment Field Name | String | "" | No | Describes the name of the field where the environment name is stored. If the environment field isn't found, the environment is the default environment. |
| Environment Regex Pattern | String | .* | No | A regex pattern to run on the value found in the "Environment Field Name" field. Default is .* to catch all and return the value unchanged. Used to allow the user to manipulate the environment field via regex logic. If the regex pattern is null or empty, or the environment value is null, the final environment result is the default environment. |
| Script Timeout (Seconds) | Int | 180 | Yes | Timeout limit for the python process running the current script. |
| API Key ID | String | N/A | Yes | API Key ID of the Check Point CloudGuard account. |
| API Key Secret | Password | N/A | Yes | API Key Secret of the Check Point CloudGuard account. |
| Lowest Severity To Fetch | String | Medium | Yes | Lowest severity that will be used to fetch alerts. Possible values: Low Medium High |
| Fetch Max Hours Backwards | Integer | 1 | No | Amount of hours from where to fetch alerts. |
| Max Alerts To Fetch | Integer | 50 | No | How many alerts to process per one connector iteration. |
| Use whitelist as a blacklist | Checkbox | Unchecked | Yes | If enabled, whitelist will be used as a blacklist. |
| Verify SSL | Checkbox | Unchecked | Yes | If enabled, verify the SSL certificate for the connection to the Anomali Staxx server is valid. |
| Proxy Server Address | String | N/A | No | The address of the proxy server to use. |
| Proxy Username | String | N/A | No | The proxy username to authenticate with. |
| Proxy Password | Password | N/A | No | The proxy password to authenticate with. |
Connector Rules
Proxy Support
The connector supports Proxy.