New Splunk Application Boosts SOC Efficiency

By Eytan Segal, Head of Product Management, Threat Prevention

Analyzing Check Point threat events in Splunk has never been easier!

Procedures for threat monitoring and analysis are key for identifying cyber attacks against an organization, and for responding effectively. But achieving a high quality and effective operation can be really hard. We have many conversations with SOC teams, who often report that they struggle to process all the events funneled to their SIEM, and to identify the needle in the haystack – the attacks that really matter.

Since many of our customers use Splunk SIEM to monitor events, we have decided to create a Splunk application to help them.

The new Check Point app for Splunk is a power tool designed to give analysts a digested and actionable view of attacks detected by their Check Point products.

The app uses advanced queries to process logs from Check Point products such as firewall, application control, IPS, anti-virus, anti-bot, Threat Emulation sandbox, etc.

The results are displayed in clear dashboards which we designed to blend with SOC analyst workflow.

• General Overview – statistics on gateways, security trends, security blades usage and activity, application usage, and more
• Cyber Attack View – threat events grouped by attack vector – scanners/exploits, mail, web, servers exploits and more
• SandBlast Protection View – malicious files detected by SandBlast zero-day protection

Drill down from any dashboard to see the full event details.

For more information on the app, check out our short video.

If you’re a Splunk user, then it’s time to boost your SOC team’s efficiency with the new Check Point Splunk app.

What next:

• Connect your Check Point products to Splunk (or any other SIEM) – we’ve made it super easy!
• Install the Splunk app from splunkbase
• Leverage the integration with Splunk Adaptive Response to enforce indicators on Check Point gateways