Check Point NGFW

Version: Check Point NGFW – version R80.10 and later

Check Point is a cybersecurity architecture that offers security, easy deployment, and effective management by consolidating key security applications (firewall, VPN, intrusion prevention, antivirus, and more).

Netsurion Open XDR manages logs retrieved from Check Point. The alerts, reports, dashboards, and saved searches in Netsurion Open XDR are enhanced by capturing important and critical activities in Check Point.

The following are the key assets included with this Data Source Integration.

Alerts

| Type | Name | Description |
| --- | --- | --- |
| Security | Check Point NGFW – Attacks detected | Generated when an event associated with intrusion prevention is logged by Check Point. |
| Security | Check Point NGFW – Configuration changes detected | Generated when a user performs configuration changes in Check Point. |
| Security | Check Point NGFW – DLP event has been detected | Generated when an event associated with data loss prevention (DLP) is logged by Check Point. |
| Compliance | Check Point NGFW – Failed login attempt detected | Generated when an endpoint user or machine has a failed login attempt. |

Reports

| Type | Name | Description |
| --- | --- | --- |
| Security | Check Point NGFW – System attack detections | Provides information about system attack detections. |
| Security | Check Point NGFW – URL filtering activities | Provides a summary of events related to URL filtering, which controls access to millions of websites by category, user, group, and machine to protect users from malicious sites. It includes the URL accessed, endpoint IP address, user agent, log date and time, and more. |
| Security | Check Point NGFW – Application control activities | Provides information about application control activities. |
| Security | Check Point NGFW – HTTPS inspection activities | Provides a summary of events related to traffic encrypted with HTTPS. It includes the URL, endpoint IP address, source port, action type, application category, and more. |
| Security | Check Point NGFW – DLP activities | Provides a summary of data loss prevention (DLP) events. It includes the action type, sender address, recipient address, email subject, scanning direction, and more. |
| Security | Check Point NGFW – Anti malware events | Provides a summary of events associated with anti-malware activity, that is, events in which viruses, spyware, keystroke loggers, trojans, and rootkits are identified using signatures, behaviour blockers, and heuristic analysis. It includes the endpoint username, anti-virus name, event type, OS name or version, scan status, and more. |
| Compliance | Check Point NGFW – Denied traffic activities | Provides a summary of traffic denied by the Check Point firewall. It includes the source IP address, destination address, action type, service ID, and more. |
| Compliance | Check Point NGFW – User login and logout activities | Provides a summary of endpoint user or machine failed login activity. It includes the username, source IP address, authentication type, identity type, log date and time, and more. |
| Compliance | Check Point NGFW – VPN login and logout activities | Provides a summary of VPN or SSL VPN login and logout activities. It includes the endpoint IP address, login option, failure reason, and more. |
| Compliance | Check Point NGFW – All VPN activities | Provides information about all VPN activities. |
| Operational | Check Point NGFW – Allowed traffic activities | Provides information about traffic allowed by the Check Point firewall. It includes the source IP address, destination address, action type, service ID, and more. |

Dashboards

| Type | Name | Description |
| --- | --- | --- |
| Security | Check Point NGFW – Events by attack detection score | Displays all events captured by Check Point NGFW, broken down by attack detection score. |
| Compliance | Check Point NGFW – VPN log in by source IP address | Displays all VPN logins by source IP address. |
| Compliance | Check Point NGFW – Login activities object type | Displays all login activities captured by Check Point NGFW, by object type. |
| Compliance | Check Point NGFW – Login fails | Displays all login failures captured by Check Point NGFW. |
| Operational | Check Point NGFW – Event log types | Displays all log types captured by Check Point NGFW. |
| Operational | Check Point NGFW – Event by action performed | Displays all events by the action performed by Check Point NGFW. |
| Operational | Check Point NGFW – Traffic denied | Displays all denied traffic captured by Check Point NGFW. |
| Operational | Check Point NGFW – Events traffic allowed | Displays all allowed-traffic events logged by Check Point NGFW. |

Saved Searches

| Type | Name | Description |
| --- | --- | --- |
| Security | Check Point NGFW – Attacks detected | Provides information about system attack detections. |
| Security | Check Point NGFW – URL filtering | Provides a summary of events related to URL filtering, which controls access to millions of websites by category, user, group, and machine to protect users from malicious sites. It includes the URL accessed, endpoint IP address, user agent, log date and time, and more. |
| Security | Check Point NGFW – Application control | Provides information about application control activities. |
| Security | Check Point NGFW – HTTPS inspection | Provides a summary of events related to traffic encrypted with HTTPS. It includes the URL, endpoint IP address, source port, action type, application category, and more. |
| Security | Check Point NGFW – DLP events | Provides a summary of data loss prevention (DLP) events. It includes the action type, sender address, recipient address, email subject, scanning direction, and more. |
| Security | Check Point NGFW – Anti malware events | Provides a summary of events associated with anti-malware activity, that is, events in which viruses, spyware, keystroke loggers, trojans, and rootkits are identified using signatures, behaviour blockers, and heuristic analysis. It includes the endpoint username, anti-virus name, event type, OS name or version, scan status, and more. |
| Security | Check Point NGFW – Configuration changes | Provides information about configuration change activities. |
| Compliance | Check Point NGFW – Login and logout activities | Provides a summary of endpoint user or machine failed login activity. It includes the username, source IP address, authentication type, identity type, log date and time, and more. |
| Compliance | Check Point NGFW – VPN login and logout activities | Provides a summary of VPN or SSL VPN login and logout activities. It includes the endpoint IP address, login option, failure reason, and more. |
| Compliance | Check Point NGFW – Login failed activities | Provides information about all failed login activities. |
| Operational | Check Point NGFW – Allowed traffic | Provides information about traffic allowed by the Check Point firewall. It includes the source IP address, destination address, action type, service ID, and more. |
| Operational | Check Point NGFW – Denied traffic | Provides a summary of traffic denied by the Check Point firewall. It includes the source IP address, destination address, action type, service ID, and more. |

Documentation

The configuration details are consistent with Netsurion Open XDR 9.3 and later, and Check Point NGFW.

Download the Integration Guide for configuration instructions and more information.