Check Point Reputation Operation
The web format of this guide reflects the most current release. Guides for older iterations are available in PDF format.
Integration Details
ThreatQuotient provides the following details for this integration:
| Current Integration Version | 1.0.0 |
| Compatible with ThreatQ Versions | >= 4.34.0 |
| Support Tier | ThreatQ Supported |
Introduction
The Check Point Reputation Operation enriches ThreatQ indicators with context obtained from the Check Point Reputation API.
The operation enriches ThreatQ objects through the following actions:
- IP Reputation
- URL Reputation
- Hash Reputation
The operation is compatible with the following indicators types:
- IP Address
- URL
- FQDN
- SHA-1
- MD5
- SHA-256
Installation
This integration can be installed in the My Integration section of your ThreatQ instance. See the Adding an Integration topic for more details.
Configuration
ThreatQuotient does not issue API keys for third-party vendors. Contact the specific vendor to obtain API keys and other integration-related credentials.
To configure the integration:
- Navigate to your integrations management page in ThreatQ.
- Select the Operation option from the Type dropdown (optional).
- Click on the integration entry to open its details page.
- Enter the following parameters under the Configuration tab:
Parameter Description Client Key Your Check Point Reputation Client Key. Automatically Add Indicators If checked, related indicators together with their attributes are added automatically. If not checked, the user can select which indicators to be added (without their attributes).
This option only applies to theURL Reputationaction. - Review any additional settings, make any changes if needed, and click on Save.
- Click on the toggle switch, located above the Additional Information section, to enable it.
Actions
The operation provides the following actions:
| Action | Description | Object Type | Object Subtype |
|---|---|---|---|
| IP Reputation | Enriches ThreatQ objects | Indicators | IP Address |
| URL Reputation | Enriches ThreatQ objects | Indicators | URL, FQDN |
| Hash Reputation | Enriches ThreatQ objects | Indicators | SHA-1, MD5, SHA-256 |
IP Reputation
The IP Reputation action enriches ThreatQ objects using the returned JSON response.
POST https://rep.checkpoint.com/ip-rep/service/v2.0/query?resource={ip-address}
Sample Response:
{
"response":[
{
"status":{
"code":2001,
"label":"SUCCESS",
"message":"Succeeded to generate reputation"
},
"resource":"109.127.8.242",
"reputation":{
"classification":"Unclassified",
"severity":"N/A",
"confidence":"N/A"
},
"risk":34,
"context":{
"location":{
"countryCode":"AZ",
"countryName":"Azerbaijan",
"region":null,
"city":null,
"postalCode":null,
"latitude":40.5,
"longitude":47.5,
"dma_code":0,
"area_code":0,
"metro_code":0
},
"asn":50274,
"as_owner":"Alfanet LLC"
}
}
]
}
ThreatQ provides the following default mapping for this Action:
| Feed Data Path .response[0] | ThreatQ Entity | ThreatQ Object Type or Attribute Key | Examples | Notes |
|---|---|---|---|---|
| .risk | Indicator.Attribute | Risk | 34 | N/A |
| .reputation.classification | Indicator.Attribute | Classification | Unclassified | N/A |
| .reputation.severity | Indicator.Attribute | Severity | N/A | N/A |
| .reputation.confidence | Indicator.Attribute | Confidence | N/A | N/A |
| .context.asn | Indicator.Attribute | ASN | 50274 | N/A |
| .context.as_owner | Indicator.Attribute | AS Owner | Alfanet LLC | N/A |
| .context.location.countryCode | Indicator.Attribute | Country Code | AZ | N/A |
| .context.location.countryName | Indicator.Attribute | Country Name | Azerbaijan | N/A |
| .context.location.region | Indicator.Attribute | Region | N/A | N/A |
| .context.location.city | Indicator.Attribute | City | N/A | N/A |
| .context.location.postalCode | Indicator.Attribute | Postal Code | 6600 | N/A |
| .context.location.dma_code | Indicator.Attribute | DMA Code | N/A | N/A |
| .context.location.area_code | Indicator.Attribute | Area Code | N/A | N/A |
| .context.location.metro_code | Indicator.Attribute | Metro Code | N/A | N/A |
URL Reputation
The URL Reputation action enriches ThreatQ objects using the returned JSON response.
POST https://rep.checkpoint.com/url-rep/service/v2.0/query?resource={url/fqdn}
Sample Response:
{
"response":[
{
"status":{
"code":2001,
"label":"SUCCESS",
"message":"Succeeded to generate reputation"
},
"resource":"adsports.in",
"reputation":{
"classification":"Infecting Website",
"severity":"High",
"confidence":"Medium"
},
"risk":88,
"context":{
"categories":[
{
"id":51,
"name":"Business / Economy"
}
],
"indications":[
"Known malicious domain"
],
"vt_positives":7,
"registrant":"vikram.kakkar@live.in",
"creation_date":"2011:04:27 00:00:00",
"related_ips":[
{
"ip":"34.102.136.180",
"classification":"Benign",
"confidence":"Low"
}
]
}
}
]
}
ThreatQ provides the following default mapping for this Action:
| Feed Data Path .response[0] | ThreatQ Entity | ThreatQ Object Type or Attribute Key | Examples | Notes |
|---|---|---|---|---|
| .risk | Indicator.Attribute | Risk | 88 | N/A |
| .reputation.classification | Indicator.Attribute | Classification | Infecting Website | N/A |
| .reputation.severity | Indicator.Attribute | Severity | High | N/A |
| .reputation.confidence | Indicator.Attribute | Condidence | High | N/A |
| .context.categories[].name | Indicator.Attribute | Category | Business / Economy | N/A |
| .context.indications[] | Indicator.Attribute | Indication | Known malicious domain | N/A |
| .context.vt_positives | Indicator.Attribute | VT Positives | 7 | N/A |
| .context.registrant | Indicator.Attribute | Registrant | vikram.kakkar@live.in | N/A |
| .context.creation_date | Indicator.Attribute | Creation Date | 2011:04:27 00:00:00 | N/A |
| .context.related_ips[].ip | Related Indicator.Value | IP Address | 34.102.136.180 | Status Active |
| .context.related_ips[].classification | Related Indicator.Attribute | Classification | Benign | N/A |
| .context.related_ips[].confidence | Related Indicator.Attribute | Confidence | Low | N/A |
Hash Reputation
The Hash Reputation action enriches ThreatQ objects using the returned JSON response.
POST https://rep.checkpoint.com/file-rep/service/v2.0/query?resource={sha-256/sha-1/md5}
Sample Response:
{
"response":[
{
"status":{
"code":2001,
"label":"SUCCESS",
"message":"Succeeded to generate reputation"
},
"resource":"9498FF82A64FF445398C8426ED63EA5B",
"reputation":{
"classification":"Malware",
"severity":"High",
"confidence":"High"
},
"risk":100,
"context":{
"malware_family":"Zbot",
"protection_name":"Trojan-Spy.Win32.Zbot.ufyx.TC.a",
"malware_types":[
"Bot",
"Trojan"
],
"metadata":{
"company_name":"MySQL, AB",
"product_name":"ShellExtension",
"copyright":"Copyright 2003-2013",
"original_name":"ShellExtension"
}
}
}
]
}
ThreatQ provides the following default mapping for this Action:
| Feed Data Path .response[0] | ThreatQ Entity | ThreatQ Object Type or Attribute Key | Examples | Notes |
|---|---|---|---|---|
| .risk | Indicator.Attribute | Risk | 100 | N/A |
| .reputation.classification | Indicator.Attribute | Classification | Malware | N/A |
| .reputation.severity | Indicator.Attribute | Severity | High | N/A |
| .reputation.confidence | Indicator.Attribute | Confidence | High | N/A |
| .context.malware_family | Indicator.Attribute | Malware Family | Zbot | N/A |
| .context.protection_name | Indicator.Attribute | Protection Name | Trojan-Spy.Win32.Zbot.ufyx.TC.a | N/A |
| .context.malware_types[] | Indicator.Attribute | Malware Type | Trojan | N/A |
| .context.metadata.company_name | Indicator.Attribute | Company Name | MySQL, AB | N/A |
| .context.metadata.product_name | Indicator.Attribute | Product Name | ShellExtension | N/A |
| .context.metadata.original_name | Indicator.Attribute | Original Name | ShellExtension | N/A |
Change Log
- Version 1.0.0
- Initial release
PDF Guides
| Document | ThreatQ Version |
|---|---|
| Check Point Reputation Operation Guide v1.0.0 | 4.34.0 or Greater |