Checkpoint Quantum firewall ransomware infection detected

This rule is part of a beta feature. To learn more, contact Support.
checkpoint-quantum-firewall

Classification:

attack

Tactic:

TA0040-impact

Technique:

T1486-data-encrypted-for-impact

This page is not yet available in Spanish. We are working on its translation.
If you have any questions or feedback about our current translation project, feel free to reach out to us!

Goal

Detect when Checkpoint’s Anti-Ransomware solution raises a ransomware infection alert.

Strategy

This rule monitors Checkpoint Quantum Firewall logs for when a ransomware infection is detected by the Anti-Ransomware product. This rule uses the third-party detection method to create a signal with the same serverity as the event severity (@checkpoint_firewall_severity).

Triage and response

  1. Investigate the Checkpoint alert to determine if it is malicious or benign.
  2. If the alert is benign, consider including the user or host in a suppression list. See Best practices for creating detection rules with Datadog Cloud SIEM for more information.