| Property | Value |
|---|---|
| Vendor Products | Check Point |
| Has index-time operations | false |
| Create an index | false |
The Check Point Block Alert Action for Splunk allows organizations to easily block suspicious IPs on their Check Point systems. The app includes an adaptive response action and a workflow action.
IMPORTANT - PLEASE USE VERSION 1.0.2 OF THE APP IF YOU ARE ON SPLUNK 7.3.6 OR BELOW. THE NEW SETUP PAGE WILL NOT WORK IN PRE-8.x VERSIONS OF SPLUNK.
Version 1.1.0 is the fourth release. It contains minor changes to make the app Python 3 compatible, plus a backend update to how the setup page works. Version 1.0.2 contains an update to the README file. Version 1.0.1 contains minor edits to version 1.0.0. SSL verification of the API call to the management server is disabled because most servers have either self-signed or non-existent certificates; note that with verification disabled, the API credentials and block commands are sent over a TLS session whose peer identity is not checked. You will also need a configured Check Point firewall for this app to function (it's in the name, so you're probably aware of this already).
Version 1.1.0 of the Check Point Block Alert Action For Splunk is compatible with:
| Property | Value |
|---|---|
| Splunk Enterprise versions | 8.0 |
| Vendor Products | Check Point Management API, Check Point R80, R80.10 |
| Lookup file changes | None |
This app requires that the Check Point management server controlling the gateways be running a version which supports the R80.x web API. At the time of this writing, this includes versions R80 and R80.10. Standalone gateways are supported in addition to management servers handling multiple gateways. Gateways do not themselves need to run an API-capable version if they are centrally managed by a management server which supports the API. By default, the app issues a block command to all managed gateways.
The Check Point API must be configured to allow remote connections in order for this app to operate; the management API does not allow remote access by default. To enable API access, open SmartConsole and navigate to Manage and Settings -> Blades -> Management API -> Advanced Settings. If this setting is changed, you will need to restart the API by SSHing into the management server and running the api restart command.
Support for this app is provided by Hurricane Labs. Please send questions to email@example.com
For a more detailed walkthrough of the app's setup and features, please see the Hurricane Labs website.
Note that we will make our best effort to assist you, but as this app relies on an external product we cannot guarantee we will be able to fix problems that may occur.
Check Point Block Alert Action For Splunk supports the following server platforms in the versions supported by Splunk Enterprise:
Because this add-on runs on Splunk Enterprise, all of the Splunk Enterprise system requirements apply.
Install to search head
This app contains compatibility with the Enterprise Security feature Adaptive Response. Responders can block IP addresses of suspicious traffic on the Check Point management servers configured during setup.
Release 1.1.0 provides Python 3 compatibility and modifies the setup page to no longer use the deprecated setup.xml method.
Please continue to use 1.0.2 if you have a pre-8.x Splunk environment. The new setup page does not work with older versions of Splunk.
Minor edits to the logo and README.