The combination of Check Point and D3 NextGen SOAR provides the SOC with vastly improved visibility, intelligence, and agility. Events in Check Point trigger automated playbooks in D3, which gather context from across the security ecosystem, including correlation against the MITRE ATT&CK framework. If the event is convicted, D3 will execute the remediation plan, which can be fully or partially automated. The whole process takes only seconds.
| Integration | Capabilities |
|---|---|
| Check Point Next Generation Firewall | SOCs use D3 to collect data and orchestrate actions across Check Point Next Generation Firewall. The integration supports blocking IPs, updating rules, and more, all at machine speeds. |
| Check Point Advanced Network Threat Prevention | D3 integrates with Check Point Advanced Network Threat Prevention for sandboxing suspicious files and ingesting detonation reports into D3 playbooks. |
D3 can monitor a phishing inbox and create an event in D3 NextGen SOAR by pulling suspicious email content and attachment(s). The file reputation is then automatically checked in the Check Point Threat Prevention module. If the file is not found, an API call will be triggered to upload the original file for sandboxing. D3 will search SIEM logs for suspicious network flows occurring on the involved endpoints and also automatically enrich external IPs and URLs. If an IOC’s reputation is malicious, a response playbook will be triggered to quarantine endpoints and block IPs and URLs.
When Check Point’s Next Generation Firewall detects suspicious traffic, the alert is escalated automatically to D3 for investigation. D3 then correlates the alert against additional data sources, most importantly, the SIEM, which contextualizes the alert with log data. This data will include other activity of the implicated IP address in recent logs, any recent changes in privileges to associated user IDs, and other relevant data related to the IOCs that D3 found in the alert. The full context of the alert is then presented to the analyst, who can dismiss the alert as a false positive or trigger an automated playbook to respond to the threat, including updating firewall rules.
Our Connected SOAR Security Alliance brings hundreds of vendors together, allowing customers to benefit from our deep industry relationships and fully vendor-agnostic, independent SOAR platform.
