November 2021
| Author | Hurricane Labs |
|---|---|
| App Version | 2.0.1 |
| Vendor Products | CheckPoint |
| Has index-time operations | false |
| Create an index | false |
| Implements summarization | false |
The CheckPoint Block Alert Action for Splunk allows organizations to easily block suspicious IPs on their CheckPoint systems. The app includes an adaptive response action and a workflow action.
Version 2.0.1 is the fifth release. It contains a bug fix to the alert action. This update is only compatible with Splunk 8+/Python 3. Version 1.0.2 contains an update to the README file. Version 1.0.1 contains minor edits to version 1.0.0. SSL verification of the API call to the management server is disabled because most servers have either self-signed or non-existent certificates. You will also need a configured CheckPoint firewall for this app to function (it's in the name, so you're probably aware of this already).
Version 2.0.1 of the CheckPoint Block Alert Action For Splunk is compatible with:
| Splunk Enterprise versions | 8.0, 8.1, 8.2 |
|---|---|
| Platforms | Platform independent |
| Vendor Products | CheckPoint Management API, CheckPoint R80, R80.10, R81.x |
| Lookup file changes | None |
This app requires that the CheckPoint management server controlling the gateways be running a version which supports the R80.x and R81.x web API. Standalone gateways are supported in addition to management servers handling multiple gateways. The gateways themselves do not need to run an API-capable version if they are centrally managed by a management server which supports the API. By default, the app will issue a block command to all managed gateways.
The CheckPoint API must be configured to allow remote connections in order for this to operate; the management API doesn't allow remote access by default. To enable API access, open SmartConsole and navigate to Manage and Settings -> Blades -> Management API -> Advanced Settings. After changing this setting, you will need to restart the API by SSHing into the management server and running the "api restart" command.
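As an added example (not code from the Hurricane Labs app), the Management API session flow that the requirements above rely on: login returns a session id, every later call carries it in the X-chkp-sid header, then publish and logout. It keeps certificate verification on by pinning the management server's exported certificate rather than disabling verification as the app does. The host-object-into-group block mechanism, the group and host names, the host and the credentials are assumptions; the fake transport stands in for a management server so the flow runs offline.

```python
from typing import Any, Callable, Dict, List, Optional
def requests_transport(ca_bundle: str) -> Callable[..., Dict[str, Any]]:
    # Real HTTPS transport: pin the server's exported certificate (verify=ca_bundle) rather
    # than switching verification off (verify=False) as the page says the app does.
    def send(url: str, headers: Dict[str, str], body: Dict[str, Any]) -> Dict[str, Any]:
        import requests  # lazy import so the offline demo needs no dependency
        r = requests.post(url, headers=headers, json=body, verify=ca_bundle, timeout=30)
        r.raise_for_status()
        return r.json()
    return send

class MgmtSession:
    # "login" returns a sid; every later call must carry it in the X-chkp-sid header.
    def __init__(self, host: str, transport: Callable[..., Dict[str, Any]]) -> None:
        self.base, self.transport, self.sid = f"https://{host}/web_api/", transport, None
    def call(self, command: str, payload: Optional[Dict[str, Any]] = None) -> Dict[str, Any]:
        headers = {"Content-Type": "application/json"}
        if self.sid:
            headers["X-chkp-sid"] = self.sid
        return self.transport(self.base + command, headers, payload or {})  # transport(url, headers, body) -> JSON
    def login(self, user: str, password: str) -> None:
        self.sid = self.call("login", {"user": user, "password": password})["sid"]

def block_ip(session: MgmtSession, ip: str, group: str = "Splunk_Blocked_IPs") -> str:
    # ASSUMED mechanism (the page does not say how the app blocks): host object into a deny group, then publish.
    name = f"splunk_block_{ip}"
    session.call("add-host", {"name": name, "ip-address": ip})
    session.call("set-group", {"name": group, "members": {"add": [name]}})
    session.call("publish")
    return name

def fake_transport(log: List[tuple]) -> Callable[..., Dict[str, Any]]:
    # Constructed stand-in for a management server: records each call, rejects a missing sid.
    def send(url: str, headers: Dict[str, str], body: Dict[str, Any]) -> Dict[str, Any]:
        log.append((url, headers, body))
        if url.endswith("/login"):
            return {"sid": "demo-sid-123"}
        if headers.get("X-chkp-sid") != "demo-sid-123":
            raise PermissionError("call without a valid X-chkp-sid")
        return {"task-id": "constructed-task"}
    return send

def demo() -> List[tuple]:
    log: List[tuple] = []
    s = MgmtSession("mgmt.example.invalid", fake_transport(log))
    s.login("splunk_api", "constructed-password")  # constructed credentials
    block_ip(s, "203.0.113.10")
    s.call("logout")
    return log
```

Against a real server, swap fake_transport for requests_transport("/path/to/mgmt-cert.pem"), the certificate exported from the management server.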
Support
Support for this app is provided by Hurricane Labs. Please send questions to splunk-app@hurricanelabs.com.
For a more detailed walkthrough of the app's setup and features, please see the Hurricane Labs website.
Note that we will make our best effort to assist you, but as this app relies on an external product we cannot guarantee we will be able to fix problems that may occur.
Check Point Block Alert Action For Splunk supports the following server platforms in the versions supported by Splunk Enterprise:
Because this add-on runs on Splunk Enterprise, all of the Splunk Enterprise system requirements apply.
Install to search head
This app contains compatibility with the Enterprise Security feature Adaptive Response. Responders can block IP addresses of suspicious traffic on the Check Point management servers configured during setup.
Changed the restmap.conf file to allow Cloud compatibility.