InsightConnect Marketplace

Check Point SandBlast



v1.0.2

The Check Point SandBlast plugin extends the SandBlast service and enables report status and suspicious file upload

Tags: threat intelligence, breach prevention


Actions
  • Query Report
  • Upload

Description

Check Point SandBlast is a multilayered security technology that provides protection against advanced cyber attacks. The Check Point SandBlast plugin extends the SandBlast service and enables report status queries and suspicious file upload.

Key Features

  • Suspicious file analysis

Requirements

  • Requires an API Key from the product

Documentation

Setup

The connection configuration accepts the following parameters:

|Name|Type|Default|Required|Description|Enum|
|----|----|-------|--------|-----------|----|
|api_key|credential_secret_key|None|True|API Key|None|
|service_address|string|te.checkpoint.com|True|The Service Address|None|
|using_cloud_server|boolean|True|True|Set to true if using the cloud version|None|

Technical Details

Actions

Query Report

This action is used to query the status of a file.

Input
|Name|Type|Default|Required|Description|Enum|
|----|----|-------|--------|-----------|----|
|features|string|None|False|Features|None|
|file_digest|string|None|True|Hash of the file|None|
|file_digest_type|string|None|True|The type of hash used for the digest|['md5', 'sha1', 'sha2']|
|file_name|string|None|False|File name|None|
|file_type|string|None|False|The file extension|None|
|quota|boolean|None|False|Quota|None|

Example input:

{
  "features": "te",
  "file_digest": "0800fc577294c34e0b28ad2839435945",
  "file_digest_type": "md5",
  "file_name": "hash.png",
  "file_type": "png",
  "quota": false
}

Output

|Name|Type|Required|Description|
|----|----|--------|-----------|
|found|boolean|False|Returns true if file found|
|query_response|object|False|Status of requested features|

Example output:

{
  "query_response": {
    "status": {
      "code": 1001,
      "label": "FOUND",
      "message": "The request has been fully answered."
    },
    "md5": "c2efcd148a4739a2f5676a513aa905f6",
    "file_type": "png",
    "file_name": "",
    "features": [
      "te"
    ],
    "te": {
      "trust": 0,
      "images": [
        {
          "report": {
            "verdict": "benign"
          },
          "status": "found",
          "id": "e50e99f3-5963-4573-af9e-e3f4750b55e2",
          "revision": 1
        },
        {
          "report": {
            "verdict": "benign"
          },
          "status": "found",
          "id": "5e5de275-a103-4f67-b55b-47532918fa59",
          "revision": 1
        }
      ],
      "score": -2147483648,
      "combined_verdict": "benign",
      "status": {
        "code": 1001,
        "label": "FOUND",
        "message": "The request has been fully answered."
      }
    }
  },
  "found": true
}

Upload

This action is used to upload a file for analysis.

Input
|Name|Type|Default|Required|Description|Enum|
|----|----|-------|--------|-----------|----|
|file_bytes|bytes|None|True|The file bytes|None|
|file_name|string|None|True|The name of the file|None|
|file_type|string|None|False|File extension e.g. DOCX, PDF|None|

Example input:

{
  "file_bytes": "YmxhaA==",
  "file_name": "blah.txt",
  "file_type": "txt"
}

Output

|Name|Type|Required|Description|
|----|----|--------|-----------|
|results|upload_response|False|Results from the upload|

Example output:

{
  "upload_response": {
    "status": {
      "code": 1001,
      "label": "FOUND",
      "message": "The request has been fully answered."
    },
    "sha1": "2668914d800de7a488d3221e370f468eeb561cc5",
    "md5": "c2efcd148a4739a2f5676a513aa905f6",
    "file_type": "png",
    "file_name": "icon.png",
    "features": [
      "te"
    ],
    "te": {
      "trust": 0,
      "images": [
        {
          "report": {
            "verdict": "benign"
          },
          "status": "found",
          "id": "e50e99f3-5963-4573-af9e-e3f4750b55e2",
          "revision": 1
        },
        {
          "report": {
            "verdict": "benign"
          },
          "status": "found",
          "id": "5e5de275-a103-4f67-b55b-47532918fa59",
          "revision": 1
        }
      ],
      "score": -2147483648,
      "combined_verdict": "benign",
      "status": {
        "code": 1001,
        "label": "FOUND",
        "message": "The request has been fully answered."
      }
    }
  }
}

Triggers

This plugin does not contain any triggers.

Custom Output Types

This plugin does not contain any custom output types.

Troubleshooting

When using the local version of Check Point SandBlast, the Query Report action must be given a SHA1 hash.
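As an added example (not code from the plugin or this page), the following Python helpers build the Query Report and Upload inputs described above, enforce the SHA1-only rule for a local service from the troubleshooting note, and reduce a query_response or upload_response to a found flag and verdicts while checking that the digests echoed back match the file that was actually sent. Function names are hypothetical; treating sha2 as a 64-hex-character SHA-256 digest and using the status label as a fallback for "found" on upload responses are assumptions.

```python
import base64
import hashlib
import os

# Hex length per file_digest_type; treating sha2 as SHA-256 is an assumption, not stated on the page.
DIGEST_LEN = {"md5": 32, "sha1": 40, "sha2": 64}


def build_query_input(file_digest, file_digest_type, using_cloud_server=True, features="te"):
    """Validate the digest and build the Query Report input; enforces the SHA1-only rule for local servers."""
    digest = file_digest.strip().lower()
    expected = DIGEST_LEN.get(file_digest_type)
    if expected is None:
        raise ValueError(f"unsupported file_digest_type: {file_digest_type!r}")
    if len(digest) != expected or any(c not in "0123456789abcdef" for c in digest):
        raise ValueError(f"{file_digest_type} digest must be {expected} hex characters")
    if not using_cloud_server and file_digest_type != "sha1":
        raise ValueError("the local SandBlast service only accepts a sha1 digest")
    return {"file_digest": digest, "file_digest_type": file_digest_type, "features": features, "quota": False}


def build_upload_input(data: bytes, file_name: str):
    """Build the Upload input (file_bytes is base64) and keep local hashes to check the response against."""
    ext = os.path.splitext(file_name)[1].lstrip(".").lower()
    payload = {"file_bytes": base64.b64encode(data).decode("ascii"), "file_name": file_name, "file_type": ext}
    return payload, {"md5": hashlib.md5(data).hexdigest(), "sha1": hashlib.sha1(data).hexdigest()}


def summarize_te(response: dict, expected_hashes=None):
    """Reduce a query_response or upload_response to found flag, combined verdict and per-image verdicts.
    When expected_hashes is given, the digests echoed by the service must match the file that was sent."""
    body = response.get("query_response") or response.get("upload_response") or {}
    for algo, value in (expected_hashes or {}).items():
        if algo in body and body[algo].lower() != value:
            raise ValueError(f"{algo} in response does not match the uploaded file")
    te = body.get("te") or {}
    images = {img["id"]: img.get("report", {}).get("verdict") for img in te.get("images", [])}
    # Upload output has no top-level 'found'; falling back to the status label is an assumption.
    found = response.get("found", body.get("status", {}).get("label") == "FOUND")
    return {"found": bool(found), "verdict": te.get("combined_verdict"), "images": images}


# Constructed sample mirroring the Query Report example output on this page.
SAMPLE_RESPONSE = {
    "query_response": {
        "status": {"code": 1001, "label": "FOUND", "message": "The request has been fully answered."},
        "md5": "c2efcd148a4739a2f5676a513aa905f6", "file_type": "png", "file_name": "", "features": ["te"],
        "te": {"trust": 0, "score": -2147483648, "combined_verdict": "benign",
               "images": [{"report": {"verdict": "benign"}, "status": "found",
                           "id": "e50e99f3-5963-4573-af9e-e3f4750b55e2", "revision": 1}]},
    },
    "found": True,
}
```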

Version History

  • 1.0.2 - Update Check Point branding
  • 1.0.1 - New spec and help.md format for the Extension Library
  • 1.0.0 - Initial plugin

Links

References

plugin_spec_version: v2
extension: plugin
products: [insightconnect]
name: checkpoint_sand_blast
title: Check Point SandBlast
description: The Check Point SandBlast plugin extends the SandBlast service and enables report status and suspicious file upload
version: 1.0.2
vendor: rapid7
support: community
status: []
resources:
  source_url: https://github.com/rapid7/insightconnect-plugins/tree/master/checkpoint_sand_blast
  license_url: https://github.com/rapid7/insightconnect-plugins/blob/master/LICENSE
tags:
- threat intelligence
- breach prevention
hub_tags:
  use_cases: [data_enrichment, threat_detection_and_response]
  keywords: [threat intelligence, breach prevention]
  features: []
types:
  status:
    code:
      type: integer
    label:
      type: string
    message:
      type: string
  report:
    verdict:
      type: string
  images:
    report:
      type: report
    status:
      type: string
    id:
      type: string
    revision:
      type: integer
  threat_emulation:
    trust:
      type: integer
    images:
      type: '[]images'
    combined_verdict:
      type: string
      required: false
    score:
      type: integer
    status:
      type: status
  upload_response:
    status:
      type: status
    md5:
      type: string
    file_type:
      type: string
    file_name:
      type: string
    features:
      type: '[]string'
    te:
      type: threat_emulation
  query_response:
    status:
      type: status
    md5:
      type: string
    file_type:
      type: string
    file_name:
      type: string
    features:
      type: '[]string'
    te:
      type: threat_emulation
      required: false
    av:
      type: object
      required: false
    extraction:
      type: object
      required: false
connection:
  service_address:
    title: Service Address
    description: The Service Address
    type: string
    default: te.checkpoint.com
    required: true
    example: "te.checkpoint.com"
  api_key:
    title: API Key
    description: API Key
    type: credential_secret_key
    required: true
    example: "TE_API_KEY_grH54uBqMleMweizSuQdifIdfhoqPe2mGCPeOx3E"
  using_cloud_server:
    title: Using Cloud Server
    description: Set to true if using the cloud version
    type: boolean
    default: true
    required: true
    example: true
actions:
  query_report:
    title: Query Report
    description: Query the status of a file
    input:
      file_digest:
        title: File Digest
        description: Hash of the file
        type: string
        required: true
        example: "0800fc577294c34e0b28ad2839435945"
      file_digest_type:
        title: File Digest Type
        description: The type of hash used for the digest
        type: string
        required: true
        enum:
        - md5
        - sha1
        - sha2
        example: "md5"
      file_type:
        title: File Type
        description: The file extension
        type: string
        required: false
        example: "png"
      file_name:
        title: File Name
        description: File name
        type: string
        required: false
        example: "hash.png"
      features:
        title: Features
        description: Features
        type: string
        required: false
        example: "te"
      quota:
        title: Quota
        description: Quota
        type: boolean
        required: false
        example: false
    output:
      query_response:
        title: Query Response
        description: Status of requested features
        type: object
        required: false
      found:
        title: Found
        description: Returns true if file found
        type: boolean
        required: false
  upload:
    title: Upload
    description: Upload a file for analysis
    input:
      file_name:
        title: File Name
        description: The name of the file
        type: string
        required: true
        example: "blah.txt"
      file_type:
        title: File Type
        description: File extension e.g. DOCX, PDF
        type: string
        required: false
        example: "txt"
      file_bytes:
        title: File Bytes
        description: The file bytes
        type: bytes
        required: true
        example: "YmxhaA=="
    output:
      results:
        title: Results
        description: Results from the upload
        type: upload_response
        required: false