The BlueApp for Check Point provides a set of orchestration actions that you can use to identify and categorize items to send to your firewall Virtual or physical device designed to defend against unauthorized access to data, resources, or a private network. A firewall’s primary purpose is to create segregation between two or more network resources, blocking undesirable traffic between them. as a response to threats identified by USM Anywhere.
As USM Anywhere surfaces events Any traffic or data exchange detected by LevelBlue products through a sensor or external devices such as a firewall., vulnerabilities, and alarms Alarms provide notification of an event or sequence of events that require attention or investigation., your team determines which items require a response action. Rather than manually tagging threats, you can use the BlueApp for Check Point orchestration actions to enforce protection based on the information associated with the event or alarm. The following table lists the available actions from the BlueApp.
| Action | Description |
|---|---|
| Tag Source IP Address | Run this action to label the source IP address based on an event |
| Tag Destination IP Address | Run this action to label the destination IP address based on an event |
| Tag Source IP Address from Alarm | Run this action to label the source IP address from an alarm |
| Tag Destination IP Address from Alarm | Run this action to label the destination IP address from an alarm |
| Tag Source IP from Rule | Run this action to label the source IP address from a predefined rule |
| Tag Destination IP Address from Rule | Run this action to label the destination IP address from a predefined rule |
| Add a Threat Indicator from Event Using File Hash | Run this action to add a threat indicator from an event using a file hash |
| Add a Threat Indicator from Event Using Source IP Address | Run this action to add a threat indicator from an event using the source IP address |
| Add a Threat Indicator from Event Using URL | Run this action to add a threat indicator from an event using a URL |
| Add a Threat Indicator from Event Using Source Domain | Run this action to add a threat indicator from an event using the source domain |
| Add a Threat Indicator from Event Using Destination Domain | Run this action to add a threat indicator from an event using the destination domain |
| Add a Threat Indicator from Event Using Destination IP Address | Run this action to add a threat indicator from an event using the destination IP address |
| Add a Threat Indicator from Alarm Using Source IP | Run this action to add a threat indicator from an alarm using the source IP address |
| Add Threat Indicator from Alarm Using Destination IP | Run this action to add a threat indicator from an alarm using the destination IP address |
| Add Threat Indicator from Alarm Using File Hash | Run this action to add a threat indicator from an alarm using a file hash for enhanced security |
| Add Threat Indicator from Alarm Using URL | Run this action to add a threat indicator from an alarm using a URL |
| Add Threat Indicator from Alarm Using Source Domain | Run this action to add a threat indicator from an alarm using the source domain |
| Add Threat Indicator from Alarm Using Destination Domain | Run this action to add a threat indicator from an alarm using the destination domain |
| Add Threat Indicator from Rule Using URL | Run this action to add a threat indicator from a predefined rule using a URL |
| Add Threat Indicator from Rule Using Source Domain | Run this action to add a threat indicator from a predefined rule using the source domain |
| Add Threat Indicator from Rule Using Destination Domain | Run this action to add a threat indicator from a predefined rule using the destination domain |
| Add Threat Indicator from Rule Using File Hash | Run this action to add a threat indicator from a predefined rule using a file hash for improved security analysis |
| Add Threat Indicator from Rule Using Source IP | Run this action to add a threat indicator from a predefined rule based on the source IP address |
| Add Threat Indicator from Rule Using Destination IP | Run this action to add a threat indicator from a predefined rule based on the destination IP address |
To view information about these actions in USM Anywhere
- In USM Anywhere, go to Data Sources > BlueApps.
- Click the Available Apps tab.
- Search for the BlueApp, and then click the tile.
- Click the Actions tab to display information for the supported actions.
- Click the History tab to display information about the executed orchestration actions.
Launch Actions from USM Anywhere
You can launch an action directly from alarms or events. If you want to apply an action to similar events that occur in the future, you can also create orchestration rules directly from the action applied to an alarm or event.
To launch a Check Point orchestration action for an alarm
- Go to Activity > Alarms or Activity > Events.
- Click the alarm or event to open the details.
-
Click Select Action.
-
In the Select Action dialog box, select the Check Point tile.
-
For the App Action, select the action you want to launch.
You can launch an action to add or remove an IP address to the allowed list, add an IP address to the blocked list, or add the IP address to a custom category.
Additional fields will be populated based on the action you've selected. Fill out the necessary fields for the app action.
-
Click Run.
After USM Anywhere initiates the action for an alarm or event, it displays a confirmation dialog box.
If you want to create a rule to apply the action to similar items that occur in the future, click Create rule for similar alarms or Create rule for similar events and define the new rule. If not, click OK.
Feedback