Block attacker IP activity on a CheckPoint Firewall with a SIEM ArcSight command
I made a utility that integrates SIEM ArcSight with a CheckPoint Firewall so malicious activity can be blocked quickly.
The Automatic Remediation Tool lets SIEM ArcSight execute a command on the CheckPoint Firewall to block an attacker's IP address when an attack is detected, based on SIEM logs or correlated events.
If a device connected to the SIEM (IDS/IPS/WAF, etc.) detects an attack from an IP address or C&C communication, you can create an ArcSight rule that reacts automatically: block the attacker IP as both source and destination of IPv4 traffic on your CheckPoint Firewall.
The Automatic Remediation Tool receives the IP address from the SIEM and sends a command to the Firewall using CheckPoint SAM rules (sk112061).
The utility should be placed on a separate server from the ESM and the CheckPoint Security Management Server. It connects to the CheckPoint SMS over SSH and uses the CEF File SmartConnector to communicate with the ESM.
The utility includes an easy configuration script and logs in Common Event Format.
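As an added illustration of the flow described above (this is example code, not the utility's own source), the script below takes an IP address as it would arrive from a SIEM event, validates it before it can reach any command line, builds the `fw sam` argument vector that blocks the address as source or destination for a limited time, and records the action as a CEF line. The `fw sam` flags used (`-v`, `-t <seconds>`, `-I any <ip>`) are the standard SAM command options documented by CheckPoint; the CEF vendor/product strings, the `remediate` function and the injectable `runner` callback are assumptions made for this example. The default runner is a dry run that only returns the command string, so the script runs offline; in a deployment the runner would execute the argv over the SSH session to the SMS.

```python
import ipaddress
import shlex
from typing import Callable, Optional

# Assumed CEF header values for this example (not the tool's real identifiers).
CEF_VENDOR = "ExampleOrg"
CEF_PRODUCT = "AutoRemediation"
CEF_VERSION = "0.1"


def validate_attacker_ip(raw: str) -> str:
    """Return the canonical IPv4 string for a SIEM-supplied value, or raise ValueError.

    Anything taken from a log field must be parsed as an address, never passed
    through as text: this rejects shell metacharacters, hostnames and IPv6, and
    refuses addresses that would only hurt the firewall itself if blocked.
    """
    candidate = raw.strip()
    try:
        ip = ipaddress.IPv4Address(candidate)
    except ipaddress.AddressValueError as exc:
        raise ValueError(f"not an IPv4 address: {raw!r}") from exc
    if ip.is_loopback or ip.is_multicast or ip.is_unspecified or ip.is_link_local:
        raise ValueError(f"refusing to block non-routable address {ip}")
    return str(ip)


def build_sam_command(raw_ip: str, timeout_seconds: int = 3600) -> list[str]:
    """Build the argv for `fw sam` on the Security Management Server.

    -I      inhibit matching traffic and close existing connections
    -t N    expire the SAM rule after N seconds (a time-limited block, not a policy change)
    any IP  match the address as either source or destination
    """
    if timeout_seconds <= 0:
        raise ValueError("timeout must be positive")
    ip = validate_attacker_ip(raw_ip)
    return ["fw", "sam", "-v", "-t", str(timeout_seconds), "-I", "any", ip]


def _cef_escape_header(value: str) -> str:
    # In the CEF header only backslash and the pipe separator are escaped.
    return value.replace("\\", "\\\\").replace("|", "\\|")


def _cef_escape_extension(value: str) -> str:
    # In the extension, backslash, '=' and newlines are escaped.
    return value.replace("\\", "\\\\").replace("=", "\\=").replace("\n", "\\n")


def cef_event(signature_id: str, name: str, severity: int, **extension: str) -> str:
    """Format one CEF:0 event line (CEF:0|Vendor|Product|Version|SigID|Name|Severity|ext)."""
    header = "|".join(
        _cef_escape_header(str(field))
        for field in ("CEF:0", CEF_VENDOR, CEF_PRODUCT, CEF_VERSION, signature_id, name, severity)
    )
    ext = " ".join(f"{k}={_cef_escape_extension(str(v))}" for k, v in extension.items())
    return f"{header}|{ext}"


def dry_run(argv: list[str]) -> str:
    """Default runner: return the command as it would be typed, without executing it."""
    return shlex.join(argv)


def remediate(raw_ip: str, timeout_seconds: int = 3600,
              runner: Optional[Callable[[list[str]], str]] = None) -> str:
    """Validate the address, run (or dry-run) the SAM block, and return the CEF audit line."""
    runner = runner or dry_run
    argv = build_sam_command(raw_ip, timeout_seconds)
    result = runner(argv)
    return cef_event("100", "Block attacker IP", 8,
                     src=argv[-1], cs1Label="samCommand", cs1=result,
                     cn1Label="timeoutSeconds", cn1=str(timeout_seconds))


if __name__ == "__main__":
    # Constructed sample values; 203.0.113.0/24 is documentation space.
    print(remediate("203.0.113.5", 600))
    for bad in ("203.0.113.5; reboot", "127.0.0.1", "2001:db8::1"):
        try:
            remediate(bad)
        except ValueError as err:
            print("rejected:", err)
```

Passing the command as an argument list rather than a formatted string is what keeps a hostile value in a log field from becoming part of the shell command on the SMS; the validation step is the second line of defence and also gives a clean audit trail of rejected inputs.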
You can also watch the demonstration video.
I hope you will enjoy it.