Current ThreatQ Version Filter
Check Point SandBlast Operation
The web format of this guide reflects the most current release. Guides for older iterations are available in PDF format.
Integration Details
ThreatQuotient provides the following details for this integration:
| Current Integration Version | 1.0.0 |
| Compatible with ThreatQ Versions | >= 4.34.0 |
| Support Tier | ThreatQ Supported |
Introduction
The Check Point SandBlast operation enriches ThreatQ indicators with context obtained from the Check Point SandBlast API.
The operation provides the following actions:
- Upload - uploads ThreatQ attachments to Check Point SandBlast for analysis.
- Query - enriches ThreatQ objects using the returned JSON response.
The operation is compatible with ThreatQ attachments and indicators.
Installation
This integration can be installed in the My Integration section of your ThreatQ instance. See the Adding an Integration topic for more details.
Configuration
ThreatQuotient does not issue API keys for third-party vendors. Contact the specific vendor to obtain API keys and other integration-related credentials.
To configure the integration:
- Navigate to your integrations management page in ThreatQ.
- Select the Operation option from the Type dropdown (optional).
- Click on the integration entry to open its details page.
- Enter the following parameter under the Configuration tab:
Parameter Description API Key Your Check Point SandBlast API Key. - Review any additional settings, make any changes if needed, and click on Save.
- Click on the toggle switch, located above the Additional Information section, to enable it.
Actions
The operation provides the following actions:
| Action | Description | Object Type | Object Subtype |
|---|---|---|---|
| Upload | Uploads ThreatQ objects | Indicators | Attachments |
| Query | Enriches ThreatQ objects | Indicators | MD5, SHA-1, SHA-256, Attachments |
Upload
Uploads ThreatQ attachments to Check Point SandBlast for analysis.
POST https://te.checkpoint.com/tecloud/api/v1/file/upload
Sample Response:
{
"response": {
"status": {
"code": 1002,
"label": "UPLOAD_SUCCESS",
"message": "The file was uploaded successfully."
},
"sha1": "86bb5ed57999602fc4540ace6086a891c996e3f3",
"md5": "010cfb902cae00576e39556914eb7af5",
"sha256": "c79ac8a613c7a25793b2a0167d48a6a5e8e7c811ccdaf01d0a47efc7dff99dbd",
"file_type": "",
"file_name": "0.exe.zip",
"features": [
"te",
"av",
"extraction"
],
"te": {
"trust": 0,
"images": [
{
"report": {
"verdict": "unknown"
},
"status": "not_found",
"id": "e50e99f3-5963-4573-af9e-e3f4750b55e2",
"revision": 1
},
{
"report": {
"verdict": "unknown"
},
"status": "not_found",
"id": "5e5de275-a103-4f67-b55b-47532918fa59",
"revision": 1
}
],
"score": -2147483648,
"status": {
"code": 1002,
"label": "UPLOAD_SUCCESS",
"message": "The file was uploaded successfully."
}
},
"extraction": {
"method": "pdf",
"tex_product": false,
"status": {
"code": 1002,
"label": "UPLOAD_SUCCESS",
"message": "The file was uploaded successfully."
}
},
"av": {
"status": {
"code": 1002,
"label": "UPLOAD_SUCCESS",
"message": "The file was uploaded successfully."
}
}
}
}
ThreatQ provides the following default mapping for this Action:
| Feed Data Path | ThreatQ Entity | ThreatQ Object Type or Attribute Key | Examples | Notes |
|---|---|---|---|---|
| .response.sha1 | Indicator.Value | SHA-1 | 86bb5ed57999602fc4540ace6 086a891c996e3f3 |
N/A |
| .response.sha256 | Indicator.Value | SHA-256 | c79ac8a613c7a25793b2a0167 d48a6a5e8e7c811ccdaf01d0a4 7efc7dff99dbd |
N/A |
| .response.md5 | Indicator.Value | MD5 | 010cfb902cae00576e39556914e b7af5 |
N/A |
Query
The Query action enriches ThreatQ objects using the returned JSON response.
POST https://te.checkpoint.com/tecloud/api/v1/file/query
Sample Response:
{
"response": [
{
"status": {
"code": 1001,
"label": "FOUND",
"message": "The request has been fully answered."
},
"md5": "6573cd9789c3fe1be39c3cc595e64942",
"file_type": "",
"file_name": "",
"features": [
"te",
"av",
"extraction"
],
"te": {
"trust": 10,
"images": [
{
"report": {
"verdict": "benign"
},
"status": "found",
"id": "e50e99f3-5963-4573-af9e-e3f4750b55e2",
"revision": 1
},
{
"report": {
"verdict": "benign"
},
"status": "found",
"id": "5e5de275-a103-4f67-b55b-47532918fa59",
"revision": 1
}
],
"score": -2147483648,
"combined_verdict": "benign",
"status": {
"code": 1001,
"label": "FOUND",
"message": "The request has been fully answered."
}
},
"av": {
"malware_info": {
"signature_name": "",
"malware_family": 0,
"malware_type": 0,
"severity": 0,
"confidence": 0
},
"status": {
"code": 1001,
"label": "FOUND",
"message": "The request has been fully answered."
}
},
"extraction": {
"method": "pdf",
"extract_result": "CP_EXTRACT_RESULT_SUCCESS",
"extracted_file_download_id": "eb727562-eb55-40ae-abf2-5c489bb871a7",
"output_file_name": "applsci-09-04764-v2.cleaned.pdf",
"time": "60.426",
"extract_content": "PDF URI Actions",
"extraction_data": {
"input_extension": "pdf",
"input_real_extension": "pdf",
"message": "OK",
"output_file_name": "applsci-09-04764-v2.cleaned.pdf",
"protection_name": "Potential malicious content extracted",
"protection_type": "Conversion to PDF",
"protocol_version": "1.0",
"risk": 3.0,
"scrub_activity": "Active content was found - PDF file was converted to PDF",
"scrub_method": "Convert to PDF",
"scrub_result": 0.0,
"scrub_time": "60.426",
"scrubbed_content": "PDF URI Actions"
},
"tex_product": false,
"status": {
"code": 1001,
"label": "FOUND",
"message": "The request has been fully answered."
}
}
}
]
}
ThreatQ provides the following default mapping for this action:
| Feed Data Path | ThreatQ Entity | ThreatQ Object Type or Attribute Key | Examples | Notes |
|---|---|---|---|---|
| .response[].file_type | Indicator.Attribute | File Type | N/A | N/A |
| .response[].file_name | Indicator.Attribute | File Name | N/A | N/A |
| .response[].te.trust | Indicator.Attribute | Trust | 10 | N/A |
| .response[].te.combined_verdict | Indicator.Attribute | Verdict | Benign | Title cased |
| .response[].av.malware_info.signature_name | Indicator.Attribute | Signature Name | N/A | N/A |
| .response[].av.malware_info.malware_family | Indicator.Attribute | Malware Family | 0 | N/A |
| .response[].av.malware_info.malware_type | Indicator.Attribute | Malware Type | 0 | N/A |
| .response[].av.malware_info.severity | Indicator.Attribute | Severity | 0 | N/A |
| .response[].av.malware_info.confidence | Indicator.Attribute | Confidence | 0 | N/A |
| .response[].extraction.extraction_data.risk | Indicator.Attribute | Risk | 3.0 | N/A |
Change Log
- Version 1.0.0
- Initial release
PDF Guides
| Document | ThreatQ Version |
|---|---|
| Check Point SandBlast Operation Guide v1.0.0 | 4.34.0 or Greater |