Check Point

Check Point - Comprehensive cybersecurity solutions, including firewalls and threat prevention.

Provider: Check Point

| Detection Rule | MITRE Tactic | MITRE Technique | Criticality | Investigation Actions (APIs) | Incident Creation Criteria |
|---|---|---|---|---|---|
| Failed Firewall Rule Matches | Defense Evasion | Firewall Evasion (T1210) | High | Get denied connections logs; Get rule set changes | 10+ failed matches in 5 minutes from the same source IP |
| VPN Access from Anomalous Locations | Credential Access | Credential Access (T1078) | Critical | Get VPN logs; Get geo-location data for access attempts | VPN login from an IP address flagged in threat intelligence |
| Malicious File Transfer Detected | Exfiltration | Exfiltration Over Command and Control Channel (T1041) | High | Get file transfer logs; Get alerts from Data Loss Prevention (DLP) | Transfer of sensitive files to a known malicious IP |
| Intrusion Prevention System (IPS) Alert for Exploit | Execution | Exploitation of Remote Services (T1210) | Critical | Get IPS alerts; Get logs of exploited vulnerabilities | IPS triggers on specific service ports |
| High Rate of Firewall Alerts | Discovery | Network Service Scanning (T1046) | High | Get firewall log statistics; Get alerts related to scanning activity | More than 100 alerts in 10 minutes from a single source |
| Unusual HTTP Traffic Patterns | Command and Control | Application Layer Protocol (T1071) | High | Get web traffic logs; Get application logs | 500+ HTTP requests in a short timeframe from the same IP |
| DNS Queries to Malicious Domains | Command and Control | Domain Generation Algorithms (T1483) | Critical | Get DNS query logs; Get threat intelligence matches | Multiple queries to known malicious domains within 1 hour |
| Unauthorized Changes to Firewall Policies | Privilege Escalation | Exploitation of Vulnerability (T1068) | Critical | Get logs of policy changes; Get user activity logs | Policy change by a non-admin user or outside of business hours |
| Unrecognized Device Connecting to the Network | Initial Access | External Remote Services (T1133) | High | Get device connection logs; Get network access control logs | New device connecting without prior registration |
| High Volume of SSH Connections | Persistence | SSH Tunneling (T1572) | Medium | Get SSH logs; Get connection attempts and success rates | More than 20 SSH connections from a single IP in 5 minutes |
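As an added example (not Check Point code and not part of the original table), the count-per-source-IP incident criteria above, implemented as a sliding-window detector over constructed log lines; the rule-to-threshold mapping, the `timestamp action=... src=...` log format and all sample values are assumptions made here:

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Threshold-style incident creation criteria taken from the table:
# rule name -> (minimum event count, window length). Constructed mapping.
THRESHOLD_RULES = {
    "Failed Firewall Rule Matches": (10, timedelta(minutes=5)),
    "High Rate of Firewall Alerts": (100, timedelta(minutes=10)),
    "High Volume of SSH Connections": (20, timedelta(minutes=5)),
}

def find_incidents(rule, events):
    """Sliding-window count per source IP. `events` is a list of
    (timestamp, src_ip) tuples in any order. Returns one incident per
    source the first time its count inside the window reaches the threshold."""
    threshold, window = THRESHOLD_RULES[rule]
    recent = defaultdict(deque)   # src_ip -> timestamps still inside the window
    fired = set()                 # sources already raised, to avoid duplicates
    incidents = []
    for ts, src in sorted(events):
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:   # evict events older than the window
            q.popleft()
        if len(q) >= threshold and src not in fired:
            fired.add(src)
            incidents.append({"rule": rule, "src_ip": src,
                              "count": len(q), "window_end": ts})
    return incidents

def parse_line(line):
    """Parse one constructed log line such as
    '2024-05-01T10:00:00 action=drop src=10.0.0.5'."""
    ts_str, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts_str), kv["src"], kv.get("action")

def sample_log():
    """Constructed sample: 12 drops from 10.0.0.5 within 4 minutes (should fire)
    and 3 drops from 10.0.0.9 spread over 14 minutes (should not)."""
    base = datetime(2024, 5, 1, 10, 0, 0)
    lines = [f"{(base + timedelta(seconds=20 * i)).isoformat()} action=drop src=10.0.0.5"
             for i in range(12)]
    lines += [f"{(base + timedelta(minutes=7 * i)).isoformat()} action=drop src=10.0.0.9"
              for i in range(3)]
    return lines

def run_failed_rule_matches(lines):
    """Apply the 'Failed Firewall Rule Matches' criterion to dropped connections only."""
    events = [(ts, src) for ts, src, action in map(parse_line, lines) if action == "drop"]
    return find_incidents("Failed Firewall Rule Matches", events)
```

The same `find_incidents` serves the SSH and firewall-alert rows by changing the rule name; the three rules whose criteria are not simple counts (threat-intelligence matches, non-admin policy changes, unregistered devices) need enrichment lookups rather than a window.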

APIs and Their Scopes

| Detection Rule | API | Required API Scope |
|---|---|---|
| Failed Firewall Rule Matches | get_firewall_logs | read:firewall_logs |
| VPN Access from Anomalous Locations | get_vpn_access_logs | read:vpn_logs |
| Malicious File Transfer Detected | get_file_transfer_logs | read:file_transfer_logs |
| Intrusion Prevention System (IPS) Alert for Exploit | get_ips_alerts | read:ips_logs |
| High Rate of Firewall Alerts | get_firewall_alert_statistics | read:firewall_alerts |
| Unusual HTTP Traffic Patterns | get_http_traffic_logs | read:http_logs |
| DNS Queries to Malicious Domains | get_dns_query_logs | read:dns_logs |
| Unauthorized Changes to Firewall Policies | get_policy_change_logs | read:policy_logs |
| Unrecognized Device Connecting to the Network | get_device_connection_logs | read:device_logs |
| High Volume of SSH Connections | get_ssh_connection_logs | read:ssh_logs |

Reports and Widgets for CISO

| Report Name | Widgets | Description |
|---|---|---|
| Executive Summary Report | Total Incidents; Current Threat Level; Compliance Status | High-level overview of overall security posture, including incident trends and compliance metrics. |
| Incident Response Report | Incident Count by Severity; Time to Respond; Incident Resolution Rate | Detailed analysis of incidents, including their severity, response times, and outcomes. |
| Unauthorized Access Report | Top Failed Login Attempts; Geolocation of Attempts; User Activity Timeline | Summary of unauthorized access attempts, showing patterns and trends to identify potential breaches. |
| Malware Incidents Report | Malware Detection Trends; Affected Systems; Response Actions Taken | Overview of malware incidents, detailing detection trends, affected systems, and mitigation efforts. |
| Policy Compliance Report | Policy Violations by Category; Resolution Status; Trends Over Time | Assessment of adherence to security policies, showing violations and compliance trends. |
| Data Exfiltration Risk Report | Volume of Data Transferred; Source of Data Transfers; Risk Level Overview | Analysis of potential data breaches, including data transfer volumes and sources flagged for review. |
| Threat Landscape Report | Emerging Threats; Current IoCs; Risk Assessment of Active Threats | Summary of the current threat landscape based on threat intelligence, including emerging threats and IoCs. |
| Firewall Rule Effectiveness Report | Firewall Denials by Source IP; Top Blocked Applications; Rule Modification History | Evaluation of firewall rule effectiveness, showing trends in denied traffic and modifications made to rules. |
| VPN Access Analysis Report | User Access Patterns; Geographic Distribution of VPN Access; Anomalous Access Alerts | Insights into VPN usage, highlighting unusual access patterns and locations for further investigation. |
| SSH Connection Activity Report | SSH Connections Over Time; Source IP Analysis; Alerts on Anomalous Behavior | Analysis of SSH connection attempts, focusing on trends and identifying suspicious activities. |