Check Point Integration

About this integration

RST Threat Feed delivers comprehensive coverage across various threat categories, including Phishing, Web Attacks, Command and Control servers (C2), Botnets, Malware, and more. Our feed includes key indicators such as IP addresses, domains, URLs, MD5, SHA1, and SHA256 hashes, ensuring broad defence against evolving threats.

We aggregate threat intelligence data from a variety of sources, including private and open-source feeds, social channels, public online sandboxes, and RST Cloud's honeypot network. This extensive data collection guarantees a robust and dynamic threat intelligence repository.

Check Point users can utilise this relevant TI knowledge to stay up-to-date with the most pertinent malicious resources used by threat actors. By integrating the feed into NGFW appliances, users can leverage data that helps stop attackers from gaining access to internal company resources and secure their digital assets.

CHeck Point Configuration Steps

You can import threat indicator feeds from external sources directly to the Security Gateway. After you import the feeds for the first time and install the policy, the Security Gateway automatically pulls and enforces the indicator file each time the file is updated. The Security Gateway imports the file over HTTPS.

To connect RST Threat Feed into Check Point NGFW you need to:

1. 1. In the SmartConsole main view, go to Security Policies > Threat Prevention > Custom Policy/Autonomous Policy. In the bottom left section, go to Custom Policy Tools/Autonomous Policy Tools > Indicators. Click New and select External IoC feed:

• The Indicator feed configuration window opens:

 

• Fill in the fields:
  • For URL:

For all types of IoCs with high score (in this case it is 50 and higher):

 https://api.rstcloud.net/v1/checkpoint/ip/50

 https://api.rstcloud.net/v1/checkpoint/domain/50

 https://api.rstcloud.net/v1/checkpoint/url/50

 https://api.rstcloud.net/v1/checkpoint/hash/50

We recommend to use Score filter in the URL. For high-confidence and actual IOCs it is approximately 50-60 and higher scores, for informative ones it is score less than 30-40. In the middle is suspicious indicators. Each indicator has an individual score calculated based on its actuality and risk: what type of indicator it is, who is the reporter of the indicators, how many other people are already aware of that indicator, was that indicator exposed previously and many other contributing factors.
The higher the indicator score, the lower their false-positive rate. Pick the right threshold that will suit your environment.

For IoCs of specific categories (C2 servers, phishing, malware):

 https://api.rstcloud.net/v1/checkpoint/ip/45/c2

 https://api.rstcloud.net/v1/checkpoint/domain/45/phishing

 https://api.rstcloud.net/v1/checkpoint/hash/45/malware