Check Point SandBlast
Integration version: 4.0
Configure Check Point SandBlast integration in Google Security Operations SOAR
For detailed instructions on how to configure an integration in Google Security Operations SOAR, see Configure integrations.
Integration parameters
Use the following parameters to configure the integration:
| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| Instance Name | String | N/A | No | Name of the Instance you intend to configure integration for. |
| Description | String | N/A | No | Description of the Instance. |
| API Root | String | https://<service_address>/tecloud/ api/<version>/file | Yes | Specify the Check Point SandBlast Api root URl. |
| API Key | Password | N/A | Yes | Specify the Check Point SandBlast API key. |
| Verify SSL | Checkbox | Checked | No | If enabled, verifies that the SSL certificate for the connection to the Check Point SandBlast server is valid. |
| Run Remotely | Checkbox | Unchecked | No | Check the field in order to run the configured integration remotely. Once checked, the option appears to select the remote user (agent). |
Actions
Ping
Description
Test connectivity to the Check Point SandBlast with parameters provided at the integration configuration page in the Google Security Operations Marketplace tab.
Parameters
N/A
Use Cases
Test connectivity to the target system with parameters configured for Integration from the Google Security Operations SOAR server.
Run On
The action doesn't run on entities, nor has mandatory input parameters.
Action Results
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
Case Wall
| Result Type | Value / Description | Type |
|---|---|---|
| Output message* | The action should not fail nor stop a playbook execution: If successful: "Successfully connected to the Check Point SandBlast server with the provided connection parameters!" The action should fail and stop a playbook execution: If a critical error, like wrong credentials or lost connectivity is reported: "Failed to connect to the SandBlast server! Error is {}".format(e) |
General |
Query
Description
Get threat reputation information about FILEHASH entities.
Parameters
| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| Threshold | String | 0 | Yes | Mark entity as suspicious if severity is equal or above the given threshold. |
Run On
This action runs on the Filehash entity.
Action Results
Entity Enrichment
Entities are marked as suspicious if:
- Threat Emulation combined verdict equals malicious.
- AV severity is greater than or equal to threshold (in the JSON: av.malware_info.severity).
| Enrichment Field Name | Logic |
|---|---|
| SandBlast_av_block | Returns if it exists in JSON |
| SandBlast_av_signature_name | Returns if it exists in JSON |
| SandBlast_av_severity | Returns if it exists in JSON |
| SandBlast_av_confidence | Returns if it exists in JSON |
| SandBlast_te_combined_verdict | Returns if it exists in JSON |
| SandBlast_te_severity | Returns if it exists in JSON |
| SandBlast_te_confidence | Returns if it exists in JSON |
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
JSON Result
[
{
"Entity": "8a2f57269b2f47b4e8f2e122e424754b",
"EntityResult": {
"status": {
"code": 1006,
"label": "PARTIALLY_FOUND",
"message": "The request cannot be fully answered at this time."
},
"md5": "8a2f57269b2f47b4e8f2e122e424754b",
"file_type": "",
"file_name": "untitled.doc",
"features": ["te", "av"],
"te": {
"trust": 0,
"images": [{
"report": {
"verdict": "unknown"
},
"status": "not_found",
"id": "e50e99f3-5963-4573-af9e-e3f4750b55e2",
"revision": 1
}, {
"report": {
"verdict": "unknown"
},
"status": "not_found",
"id": "5e5de275-a103-4f67-b55b-47532918fa59",
"revision": 1
}],
"score": -2147483648,
"status": {
"code": 1004, "label": "NOT_FOUND",
"message": "Could not find the requested file. Please upload it."
}},
"av": {
"malware_info": {
"signature_name": "",
"malware_family": 0,
"malware_type": 0,
"severity": 0,
"confidence": 0
},
"status": {
"code": 1001,
"label": "FOUND",
"message": "The request has been fully answered."
}
}
}
}
]
Case Wall
| Result Type | Value / Description | Type |
|---|---|---|
| Output message* | The action should not fail nor stop a playbook execution: If successful: "Successfully found info the following entities:..." If partially successful: "Partial information was found for the following entities:..." If not found entities: "No information was found for the following entities:..." If failed to find entities: "Failed to fetch information for the following entities:..." If not successful: "No entities were enriched." The action should fail and stop a playbook execution: If a critical error, like wrong credentials or lost connectivity is reported: "An error occurred while running action. Error: {}".format(e) |
General |
Upload File
Description
Upload files for analysis.
Parameters
| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| file path | String | N/A | Yes | path to the file to be uploaded |
| file name | String | N/A | Yes | Display Name of the uploaded file |
| Enable Threat Emulation feature | Checkbox | Checked | No | If enabled, threat emulation feature will be enabled for the upload. By default, if no features are selected, threat emulation will be used. |
| Enable AntiVirus feature | Checkbox | Unchecked | No | If enabled, antivirus feature will be enabled for the upload. By default, if no features are selected, threat emulation will be used. |
| Enable Threat Extraction feature | Checkbox | Unchecked | No | If enabled, threat extraction feature will be enabled for the upload. By default, if no features are selected, threat emulation will be used. |
Run On
This action doesn't run on entities.
Action Results
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
JSON Result
[
{
"Entity": "/tmp/test.txt",
"EntityResult": {
"status": {
"code": 1002,
"label": "UPLOAD_SUCCESS",
"message": "The file was uploaded successfully."
},
"sha1": "6caf005c3183d9b5b8dfa5b60f24eb1ebbfab876",
"md5": "c12c504bbe0f7be6ca87d4933c43fac1",
"sha256": "e757f729d149e047705ad6adfbcdd28b0ad28899385712ee0a58261bcb03ac36",
"file_type": "",
"file_name": "2020092414.log",
"features": ["te"],
"te": {
"trust": 0,
"images": [{
"report": {
"verdict": "unknown"
},
"status": "not_found",
"id": "e50e99f3-5963-4573-af9e-e3f4750b55e2",
"revision": 1
}, {
"report": {
"verdict": "unknown"
},
"status": "not_found",
"id": "5e5de275-a103-4f67-b55b-47532918fa59",
"revision": 1
}],
"score": -2147483648,
"status": {
"code": 1002,
"label": "UPLOAD_SUCCESS",
"message": "The file was uploaded successfully."
}
}
}
}
]
Case Wall
| Result Type | Value / Description | Type |
|---|---|---|
| Output message* | The action should not fail nor stop a playbook execution: If successful: "Successfully uploaded the following files: {}".format(".join([file_path for file_path in successful_paths]) Else: "No files were uploaded." If failed: "An error occurred on the following files: {}Please check logs for more information.".format(".join([file_path for file_path in failed_paths])"
The action should fail and stop a playbook execution: If a critical error, like wrong credentials or lost connectivity is reported: "An error occurred while running action. Error: {}".format(e) |
General |