diff --git a/.script/tests/KqlvalidationsTests/CustomTables/CheckpointHEC_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/CheckpointHEC_CL.json
new file mode 100644
index 00000000000..26a0c98f631
--- /dev/null
+++ b/.script/tests/KqlvalidationsTests/CustomTables/CheckpointHEC_CL.json
@@ -0,0 +1,137 @@
+{
+ "Name": "CheckpointHEC_CL",
+ "Properties": [
+ {
+ "Name": "TimeGenerated",
+ "Type": "datetime"
+ },
+ {
+ "Name": "email_raw",
+ "Type": "dynamic"
+ },
+ {
+ "Name": "event_raw",
+ "Type": "dynamic"
+ },
+ {
+ "Name": "EmailEmailId",
+ "Type": "string"
+ },
+ {
+ "Name": "EmailType",
+ "Type": "string"
+ },
+ {
+ "Name": "EmailSubject",
+ "Type": "string"
+ },
+ {
+ "Name": "EmailTo",
+ "Type": "dynamic"
+ },
+ {
+ "Name": "EmailFromEmail",
+ "Type": "string"
+ },
+ {
+ "Name": "EmailFromName",
+ "Type": "string"
+ },
+ {
+ "Name": "EmailBbc",
+ "Type": "dynamic"
+ },
+ {
+ "Name": "EmailCc",
+ "Type": "dynamic"
+ },
+ {
+ "Name": "EmailReplyTo",
+ "Type": "dynamic"
+ },
+ {
+ "Name": "EmailBodyContentType",
+ "Type": "string"
+ },
+ {
+ "Name": "EmailMessageId",
+ "Type": "string"
+ },
+ {
+ "Name": "EmailDirection",
+ "Type": "string"
+ },
+ {
+ "Name": "EmailAttachmentCount",
+ "Type": "int"
+ },
+ {
+ "Name": "EmailAttachmentsPayloads",
+ "Type": "dynamic"
+ },
+ {
+ "Name": "EmailLinks",
+ "Type": "dynamic"
+ },
+ {
+ "Name": "EmailSenderClientIp",
+ "Type": "string"
+ },
+ {
+ "Name": "EmailSenderServerIp",
+ "Type": "string"
+ },
+ {
+ "Name": "EmailDkimResults",
+ "Type": "string"
+ },
+ {
+ "Name": "EmailDmarcResults",
+ "Type": "string"
+ },
+ {
+ "Name": "EmailSpfResults",
+ "Type": "string"
+ },
+ {
+ "Name": "EmailSaasSpamVerdict",
+ "Type": "string"
+ },
+ {
+ "Name": "EventEventId",
+ "Type": "string"
+ },
+ {
+ "Name": "EventCategory",
+ "Type": "string"
+ },
+ {
+ "Name": "EventConfidenceIndicator",
+ "Type": "string"
+ },
+ {
+ "Name": "EventConfidenceLevel",
+ "Type": "int"
+ },
+ {
+ "Name": "EventCurrentState",
+ "Type": "string"
+ },
+ {
+ "Name": "EventDescription",
+ "Type": "string"
+ },
+ {
+ "Name": "EventPolicyRuleId",
+ "Type": "int"
+ },
+ {
+ "Name": "EventAction",
+ "Type": "string"
+ },
+ {
+ "Name": "EventProvider",
+ "Type": "string"
+ }
+]
+}
\ No newline at end of file
diff --git a/Solutions/Checkpoint Harmony Email and Collaboration/Analytic Rules/CheckpointHECPhishingNotQuarantined.yaml b/Solutions/Checkpoint Harmony Email and Collaboration/Analytic Rules/CheckpointHECPhishingNotQuarantined.yaml new file mode 100644 index 00000000000..a62b6350563 --- /dev/null +++ b/Solutions/Checkpoint Harmony Email and Collaboration/Analytic Rules/CheckpointHECPhishingNotQuarantined.yaml @@ -0,0 +1,51 @@ +id: a97e2333-b7de-4c14-9700-e652a1dbef26 +name: Checkpoint - Pending Phishing emails +apiVersion: 2021-09-01-preview +description: This query searches for phishing emails that are pending action +displayName: Checkpoint - Pending Phishing emails +severity: High +enabled: true +query: CheckpointHEC_CL | where EventCurrentState == "new" and EventCategory == "phishing" +queryFrequency: 5m +queryPeriod: 15m +requiredDataConnectors: + - connectorId: CheckpointHECConnection + dataTypes: + - CheckpointHEC_CL +triggerOperator: gt +triggerThreshold: 0 +tactics: + - InitialAccess +relevantTechniques: + - T1566 +suppressionDuration: 5h +suppressionEnabled: false +alertRuleTemplateName: +incidentConfiguration: + createIncident: true + groupingConfiguration: + enabled: true + reopenClosedIncident: false + lookbackDuration: 1d + matchingMethod: AllEntities +eventGroupingSettings: + aggregationKind: SingleAlert +alertDetailsOverride: +customDetails: + EmailID: EmailEmailId +entityMappings: + - entityType: MailMessage + fieldMappings: + - identifier: Sender + columnName: EmailFromEmail + - identifier: NetworkMessageId + columnName: EmailMessageId + - identifier: Subject + columnName: EmailSubject + - entityType: Mailbox + fieldMappings: + - identifier: MailboxPrimaryAddress + columnName: EmailTo +version: 1.0.0 +kind: Scheduled + 
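Review bot: The Mailbox entity maps `MailboxPrimaryAddress` to `columnName: EmailTo`, but every schema in this commit declares `EmailTo` as `dynamic` (presumably a recipient list), so the mapping will not resolve to a single mailbox address; project a string column in the query first, e.g. `| extend EmailToPrimary = tostring(EmailTo[0])`, and map `columnName: EmailToPrimary`. `alertRuleTemplateName:` and `alertDetailsOverride:` are left as empty keys, which serialize as null; either populate them or drop them so the rule template validates cleanly. The rule's `description` could also say what "pending" means for a responder, e.g. `Phishing events whose EventCurrentState is still "new", i.e. not yet quarantined or dismissed`, since that is exactly what the query filters on.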
diff --git a/Solutions/Checkpoint Harmony Email and Collaboration/AzureFunctions/Quarantine/__init__.py b/Solutions/Checkpoint Harmony Email and Collaboration/AzureFunctions/Quarantine/__init__.py
new file mode 100644
index 00000000000..47a01d54ae1
--- /dev/null
+++ b/Solutions/Checkpoint Harmony Email and Collaboration/AzureFunctions/Quarantine/__init__.py
@@ -0,0 +1,52 @@ +import azure.functions as func +import json + +from utils.client import get_brand_client + +SUPPORTED_ACTIONS = ['entityQuarantine', 'eventQuarantine'] +SUPPORTED_BRANDS = ['checkpoint', 'avanan'] +_ACTION = 'quarantine' + +def main(req: func.HttpRequest) -> func.HttpResponse: + try: + body = req.get_json() + except ValueError: + return func.HttpResponse("Invalid JSON", status_code=400) + + brand = body.get('brand') + host = body.get('host') + client_id = body.get('clientId') + client_secret = body.get('clientSecret') + action = body.get('action') + entity_type = body.get('entityType') + entity_ids = body.get('entityIds', []) + + if brand not in SUPPORTED_BRANDS: + return func.HttpResponse(f'Brand {brand} is not one of supported {SUPPORTED_BRANDS}', + status_code=400) + elif action not in SUPPORTED_ACTIONS: + return func.HttpResponse(f'Action {action} is not one of support actions {SUPPORTED_ACTIONS}', + status_code=400) + + client = get_brand_client(brand, host, client_id, client_secret) + if not client: + return func.HttpResponse('Unable to create client for the provided brand/credentials', + status_code=400) + if not client: + return func.HttpResponse(f'No client found for brand {brand}', status_code=400) + + if action == 'entityQuarantine': + if not entity_type: + return func.HttpResponse(f'For entityAction action type, entityType must be specified' + , status_code=400) + args = [entity_ids, entity_type, _ACTION] + _func = client.entity_action + elif action == 'eventQuarantine': + args = [entity_ids, _ACTION] + _func = client.event_action + + try: + res = _func(*args) + return func.HttpResponse(json.dumps(res), status_code=200) + except Exception as e: + return func.HttpResponse(f'Failed to execute action {e}', status_code=500) 
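Review bot: The second `if not client:` block after `get_brand_client` is unreachable (the identical check just above it already returned) and should be deleted. More importantly, `host`, `clientId` and `clientSecret` are all read from the request body, so any caller holding the function key can direct the function's outbound HTTPS traffic at an arbitrary host and have the supplied credentials posted there; if the tenant is fixed per deployment, take `host` and the secret from application settings instead of the body, or at minimum validate `host` against an allow-list before the client is built. The 500 path returns `f'Failed to execute action {e}'`, which echoes the upstream exception text (including the request URL from `raise_for_status`) to the caller; log the exception server-side and return a generic message. `entity_ids` is never checked to be a list, and the `'For entityAction action type, entityType must be specified'` literal is an f-string with no placeholders. The same points apply to `Restore/__init__.py` in the next hunk, except that it does not repeat the client check.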
diff --git a/Solutions/Checkpoint Harmony Email and Collaboration/AzureFunctions/Quarantine/function.json b/Solutions/Checkpoint Harmony Email and Collaboration/AzureFunctions/Quarantine/function.json
new file mode 100644
index 00000000000..c22575e7690
--- /dev/null
+++ b/Solutions/Checkpoint Harmony Email and Collaboration/AzureFunctions/Quarantine/function.json
@@ -0,0 +1,16 @@
+{
+ "bindings": [
+ {
+ "authLevel": "function",
+ "type": "httpTrigger",
+ "direction": "in",
+ "name": "req",
+ "methods": [ "post" ]
+ },
+ {
+ "type": "http",
+ "direction": "out",
+ "name": "$return"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/Solutions/Checkpoint Harmony Email and Collaboration/AzureFunctions/Restore/__init__.py b/Solutions/Checkpoint Harmony Email and Collaboration/AzureFunctions/Restore/__init__.py
new file mode 100644
index 00000000000..223ac9c0fe6
--- /dev/null
+++ b/Solutions/Checkpoint Harmony Email and Collaboration/AzureFunctions/Restore/__init__.py
@@ -0,0 +1,51 @@ +import azure.functions as func +import json + +from utils.client import get_brand_client + +SUPPORTED_ACTIONS = ['entityRestore', 'eventRestore'] +SUPPORTED_BRANDS = ['checkpoint', 'avanan'] +_ACTION = 'restore' + +def main(req: func.HttpRequest) -> func.HttpResponse: + try: + body = req.get_json() + except ValueError: + return func.HttpResponse("Invalid JSON", status_code=400) + + brand = body.get('brand') + host = body.get('host') + client_id = body.get('clientId') + client_secret = body.get('clientSecret') + action = body.get('action') + entity_type = body.get('entityType') + entity_ids = body.get('entityIds', []) + + if brand not in SUPPORTED_BRANDS: + return func.HttpResponse(f'Brand {brand} is not one of supported {SUPPORTED_BRANDS}', + status_code=400) + elif action not in SUPPORTED_ACTIONS: + return func.HttpResponse(f'Action {action} is not one of support actions {SUPPORTED_ACTIONS}', + status_code=400) + + client = get_brand_client(brand, host, client_id, client_secret) + if not client: + return func.HttpResponse('Unable to create client for the provided brand/credentials', + status_code=400) + + if action == 'entityRestore': + if not entity_type: + return func.HttpResponse(f'For entityAction action type, entityType must be specified' + , status_code=400) + args = [entity_ids, entity_type, _ACTION] + _func = client.entity_action + elif action == 'eventRestore': + args = [entity_ids, _ACTION] + _func = client.event_action + + try: + res = _func(*args) + return func.HttpResponse(json.dumps(res), status_code=200) + except Exception as e: + return func.HttpResponse(f'Failed to execute action {e}', status_code=500) + diff --git a/Solutions/Checkpoint Harmony Email and Collaboration/AzureFunctions/Restore/function.json b/Solutions/Checkpoint Harmony Email and Collaboration/AzureFunctions/Restore/function.json new file mode 100644 index 00000000000..c22575e7690 --- /dev/null 
+++ b/Solutions/Checkpoint Harmony Email and Collaboration/AzureFunctions/Restore/function.json
@@ -0,0 +1,16 @@
+{
+ "bindings": [
+ {
+ "authLevel": "function",
+ "type": "httpTrigger",
+ "direction": "in",
+ "name": "req",
+ "methods": [ "post" ]
+ },
+ {
+ "type": "http",
+ "direction": "out",
+ "name": "$return"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/Solutions/Checkpoint Harmony Email and Collaboration/AzureFunctions/__init__.py b/Solutions/Checkpoint Harmony Email and Collaboration/AzureFunctions/__init__.py
new file mode 100644
index 00000000000..e69de29bb2d
diff --git a/Solutions/Checkpoint Harmony Email and Collaboration/AzureFunctions/host.json b/Solutions/Checkpoint Harmony Email and Collaboration/AzureFunctions/host.json
new file mode 100644
index 00000000000..97490a5e048
--- /dev/null
+++ b/Solutions/Checkpoint Harmony Email and Collaboration/AzureFunctions/host.json
@@ -0,0 +1,18 @@
+{
+ "version": "2.0",
+ "extensions": {
+ "http": { "routePrefix": "api" }
+ },
+ "logging": {
+ "applicationInsights": {
+ "samplingSettings": {
+ "isEnabled": true,
+ "excludedTypes": "Request"
+ }
+ }
+ },
+ "extensionBundle": {
+ "id": "Microsoft.Azure.Functions.ExtensionBundle",
+ "version": "[4.*, 5.0.0)"
+ }
+}
\ No newline at end of file
diff --git a/Solutions/Checkpoint Harmony Email and Collaboration/AzureFunctions/requirements.txt b/Solutions/Checkpoint Harmony Email and Collaboration/AzureFunctions/requirements.txt
new file mode 100644
index 00000000000..92786f2643e
--- /dev/null
+++ b/Solutions/Checkpoint Harmony Email and Collaboration/AzureFunctions/requirements.txt
@@ -0,0 +1,8 @@
+# Uncomment to enable Azure Monitor OpenTelemetry
+# Ref: aka.ms/functions-azure-monitor-python
+# azure-monitor-opentelemetry
+
+azure-functions
+requests
+cached-property
+python-jose
\ No newline at end of file
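Review bot: None of the four runtime dependencies in `requirements.txt` (`azure-functions`, `requests`, `cached-property`, `python-jose`) is pinned, so every deployment resolves whatever is current on PyPI and the function's behaviour and supply-chain exposure drift with no change in this repository; pin each to the tested release, e.g. `requests==<tested version>`, and consider `--require-hashes`. `cached-property` exists only for the `@cached_property` decorator in `utils/client.py`; `functools.cached_property` from the standard library provides the same behaviour and removes one third-party package from the deployed bundle.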
diff --git a/Solutions/Checkpoint Harmony Email and Collaboration/AzureFunctions/utils/__init__.py b/Solutions/Checkpoint Harmony Email and Collaboration/AzureFunctions/utils/__init__.py
new file mode 100644
index 00000000000..e69de29bb2d
diff --git a/Solutions/Checkpoint Harmony Email and Collaboration/AzureFunctions/utils/client.py b/Solutions/Checkpoint Harmony Email and Collaboration/AzureFunctions/utils/client.py
new file mode 100644
index 00000000000..5d9c3f6b6aa
--- /dev/null
+++ b/Solutions/Checkpoint Harmony Email and Collaboration/AzureFunctions/utils/client.py
@@ -0,0 +1,471 @@ +import base64 +import datetime +import hashlib +import time +import uuid +from abc import ABC, abstractmethod +from typing import List +from urllib.parse import urlencode + +import requests +from cached_property import cached_property +from jose import jwt + + +class ApiClientBase(ABC): + def __init__(self, host: str, client_id: str, client_secret: str): + self.host = host + self.client_id = client_id + self.client_secret = client_secret + self.token = None + self.token_expiry = None + self.api_version = 'v1.0' + + @abstractmethod + def get_token(self) -> str: + pass + + @abstractmethod + def headers(self, request_string: str = None, auth: bool = False) -> dict: + pass + + @abstractmethod + def get_path(self, endpoint: str) -> str: + pass + + @abstractmethod + def get_request_string(self, endpoint: str, params: dict = None) -> str: + pass + + def call_api(self, method: str, endpoint: str, params: dict = None, body: dict = None, + headers: dict = None) -> ( + dict): + """ + Perform call to the Avanan Smart API + + :param method: HTTP method - post, get + :param endpoint: API Endpoint + :param params: GET parameters + :param body: JSON Body + :return: Response JSON + """ + headers = headers or self.headers(self.get_request_string(endpoint, params)) + res = requests.request(method, f'https://{self.host}/{self.get_path(endpoint)}', headers=headers, + params=params, json=body, timeout=60) + try: + res.raise_for_status() + + except requests.exceptions.HTTPError as e: + print(f'request exception: status_code[{e.response.status_code}] response[{e.response.content}]') + raise e + + return res.json() + + @staticmethod + def strip_none(payload: dict): + for key, value in dict(payload).items(): + if value is None: + del payload[key] + + def get_scopes(self): + """ + Get list of scopes available for app client (client_id + client_secret) + Scopes are made of 2 values separated by ":", for example, mt-prod-3:customer1 + The first is the farm (internal Avanan 
designation), the second is your customer name used to access the Avanan + portal (customer1.avanan.net) + + Currently there are 3 production farms, one in each supported region: + US: mt-prod-3 + EU: mt-prod-av-1 + CA: mt-proc-av-ca-2 + + :return: List of scopes as : + """ + return self.call_api('get', 'scopes') + + def get_event(self, event_id: str): + """ + Get single SaaS entity + + :param event_id: Avanan Security Event ID + :return: Security Event + """ + return self.call_api('get', f'event/{event_id}') + + def query_events(self, start_date: str, end_date: str = None, event_types: List[str] = None, + event_states: List[str] = None, severities: List[str] = None, saas: List[str] = None, + description: str = None, event_ids: List[str] = None, scroll_id: str = None, + scopes: List[str] = None): + """ + Query Security Events + + :param start_date: Start date (iso 8601) + :param end_date: End date (iso 8601) + :param event_types: List of event types + :param event_states: List of event states + :param severities: List of severities + :param saas: SaaS Name + :param description: Description + :param event_ids: List of Event ID + :param scroll_id: Scroll ID for pagination + :param scopes: List of scopes as : + :return: Security events + """ + request_data = { + 'scopes': scopes, + 'eventTypes': event_types, + 'eventStates': event_states, + 'severities': severities, + 'startDate': start_date, + 'endDate': end_date, + 'saas': saas, + 'description': description, + 'eventIds': event_ids, + 'scrollId': scroll_id + } + self.strip_none(request_data) + payload = { + 'requestData': request_data + } + return self.call_api('post', 'event/query', body=payload) + + def get_entity(self, entity_id: str): + """ + Get single SaaS entity + + :param entity_id: Avanan SaaS Entity ID + :return: Entity + """ + return self.call_api('get', f'search/entity/{entity_id}') + + def query_entities(self, saas: str, start_date: str, end_date: str = None, entity_type: str = None, + extended_filter: 
List[dict] = None, scroll_id: str = None, scopes: List[str] = None): + """ + Query SaaS entities + + :param saas: SaaS Name + :param start_date: Start date (iso 8601) + :param end_date: End date (iso 8601) + :param entity_type: SaaS Entity Type + :param extended_filter: Extended filters list + :param scroll_id: Scroll ID for pagination + :param scopes: List of scopes as : + :return: Entities + """ + entity_filter = { + 'saas': saas, + 'saasEntity': entity_type, + 'startDate': start_date, + 'endDate': end_date, + } + self.strip_none(entity_filter) + request_data = { + 'scopes': scopes, + 'entityFilter': entity_filter, + 'entityExtendedFilter': extended_filter, + 'scrollId': scroll_id + } + self.strip_none(request_data) + payload = { + 'requestData': request_data + } + return self.call_api('post', 'search/query', body=payload) + + def event_action(self, event_ids: List[str], action: str, scope: str = None): + """ + Perform action on the entities associated with a security event + + :param event_ids: List of Event ID + :param action: Action to perform ('quarantine' or 'restore') + :param scope: Single scope (mandatory for multi scope app clients) + :return: Task information + """ + request_data = { + 'scope': scope, + 'eventIds': event_ids, + 'eventActionName': action + } + self.strip_none(request_data) + payload = { + 'requestData': request_data + } + return self.call_api('post', 'action/event', body=payload) + + def entity_action(self, entity_ids: List[str], entity_type: str, action: str, scope: str = None, + restore_decline_reason=''): + """ + Enqueues an action on SaaS entity + + :param entity_ids: List of Entity ID + :param entity_type: SaaS Entity Type + :param action: Action to perform ('quarantine' or 'restore') + :param scope: Single scope (mandatory for multi scope app clients) + :return: Task information + """ + request_data = { + 'scope': scope, + 'entityIds': entity_ids, + 'entityType': entity_type, + 'entityActionName': action, + 'restoreDeclineReason': 
restore_decline_reason + } + self.strip_none(request_data) + payload = { + 'requestData': request_data + } + return self.call_api('post', 'action/entity', body=payload) + + def get_task(self, task_id: int, scope: str = None): + """ + Returns the state of actions enqueued with "entity_action". + + :param task_id: Task ID from "Task Information" (returned by the action endpoints) + :param scope: Single scope (mandatory for multi scope app clients) + :return: Updated Task Information + """ + params = {'scope': scope} if scope else None + return self.call_api('get', f'task/{task_id}', params=params) + + def report_mis_classification(self): + """ + Returns the state of actions enqueued with "entity_action". + + :param task_id: Task ID from "Task Information" (returned by the action endpoints) + :param scope: Single scope (mandatory for multi scope app clients) + :return: Updated Task Information + """ + entityIds = ['7f0e023d3e28b3de71beddba9bc1031f'] + classification = 'Clean Email' + confident = 'High Confidence' + _action = { + 'entityIds': entityIds, + 'classification': classification, + 'confident': confident, + } + payload = { + 'requestData': _action + } + # params = {'action': scope} if scope else None + return self.call_api('post', f'report/mis-classification', body=payload) + + def send_email(self, entity_id: str, emails: List[str]): + request_data = { + 'entityId': entity_id, + 'emails': emails, + } + self.strip_none(request_data) + payload = { + 'requestData': request_data + } + return self.call_api('post', 'soar/notify', body=payload) + + def get_anonly_exceptions(self): + return self.call_api('get', 'sectools/anomaly/exceptions') + + def get_exceptions(self, exc_type: str, scope: str = None): + """ + Returns list of exception by the type (whitelist/blacklist). 
+ + :param exc_type: Exception type - whitelist/blacklist + :param scope: Single scope (mandatory for multi scope app clients) + """ + params = {'scope': scope} if scope else None + return self.call_api('get', f'exceptions/{exc_type}', params=params) + + def get_exception(self, exc_type: str, exc_id: str, scope: str = None): + """ + Returns a single exception by the type (whitelist/blacklist) and ID. + + :param exc_type: Exception type - whitelist/blacklist + :param exc_id: Exception ID + :param scope: Single scope (mandatory for multi scope app clients) + """ + params = {'scope': scope} if scope else None + return self.call_api('get', f'exceptions/{exc_type}/{exc_id}', params=params) + + def create_exception(self, exc_type: str, exc: dict, scopes: List[str] = None): + """ + Create exception of the type (whitelist/blacklist). + + :param exc_type: Exception type - whitelist/blacklist + :param exc: Exception data + :param scopes: List of scopes as : + """ + request_data = { + 'scopes': scopes, + **exc + } + self.strip_none(request_data) + payload = { + 'requestData': request_data + } + return self.call_api('post', f'exceptions/{exc_type}', body=payload) + + def update_exception(self, exc_type: str, exc_id: str, exc: dict, scopes: List[str] = None): + """ + Returns a single exception by the type (whitelist/blacklist) and ID. + + :param exc_type: Exception type - whitelist/blacklist + :param exc_id: Exception ID + :param exc: Exception data + :param scopes: List of scopes as : + """ + request_data = { + 'scopes': scopes, + **exc + } + self.strip_none(request_data) + payload = { + 'requestData': request_data + } + return self.call_api('put', f'exceptions/{exc_type}/{exc_id}', body=payload) + + def delete_exception(self, exc_type: str, exc_id: str, scopes: List[str] = None): + """ + Delete a single exception by the type (whitelist/blacklist) and ID. 
+ + :param exc_type: Exception type - whitelist/blacklist + :param exc_id: Exception ID + :param scopes: List of scopes as : + """ + request_data = { + 'scopes': scopes + } + self.strip_none(request_data) + payload = { + 'requestData': request_data + } + return self.call_api('post', f'exceptions/{exc_type}/delete/{exc_id}', body=payload) + +class ApiClient(ApiClientBase): + def __init__(self, host: str, client_id: str, client_secret: str): + """ + :param host: API host name + :param client_id: Client ID + :param client_secret: Client Secret + """ + super().__init__(host, client_id, client_secret) + self.token_buffer = 60 + + def generate_signature(self, request_id: str, timestamp: str, request_string: str = None) -> str: + """ + Generate request signature + + :param request_id: Request ID + :param timestamp: Timestamp + :param request_string: Request string + :return: Signature + """ + if request_string: + signature_string = f'{request_id}{self.client_id}{timestamp}{request_string}' \ + f'{self.client_secret}' + else: + signature_string = f'{request_id}{self.client_id}{timestamp}{self.client_secret}' + signature_bytes = signature_string.encode('utf-8') + signature_base64_bytes = base64.b64encode(signature_bytes) + signature_hash = hashlib.sha256(signature_base64_bytes).hexdigest() + return signature_hash + + def headers(self, request_string: str = None, auth: bool = False) -> dict: + """ + Generate request headers + + :param request_string: Request string + :param auth: Is authenticated request + :return: Headers + """ + request_id = str(uuid.uuid4()) + timestamp = datetime.datetime.utcnow().isoformat() + headers = { + 'x-av-req-id': request_id, + 'x-av-app-id': self.client_id, + 'x-av-date': timestamp, + 'x-av-sig': self.generate_signature(request_id, timestamp, request_string) + } + if not auth: + headers['x-av-token'] = self.get_token() + return headers + + def should_refresh_token(self) -> bool: + if not self.token: + return True + + return time.time() + 
self.token_buffer > self.token_expiry + + @cached_property + def public_key(self) -> dict: + """ + + :return: Public key JSON data (JWK) + """ + res = requests.get(f'https://{self.host}/{self.api_version}/public_key') + res.raise_for_status() + return res.json() + + def get_token(self) -> str: + """ + Perform authentication and returns access token + + :return: Token (JWT) + """ + if not self.should_refresh_token(): + return self.token + + res = requests.get(f'https://{self.host}/{self.api_version}/auth', headers=self.headers(auth=True)) + res.raise_for_status() + self.token = res.content.decode('utf-8') + decoded_token = jwt.decode(self.token, self.public_key) + self.token_expiry = decoded_token['exp'] + return self.token + + def get_path(self, endpoint: str) -> str: + return '/'.join([self.api_version, endpoint]) + + def get_request_string(self, endpoint: str, params: dict = None) -> str: + request_string = f'/{self.api_version}/{endpoint}' + if params: + request_string += f'?{urlencode(params)}' + return request_string + +class CloudInfraApiClient(ApiClientBase): + def _should_refresh_token(self) -> bool: + return not self.token or time.time() >= self.token_expiry + + def get_token(self) -> str: + if self._should_refresh_token(): + payload = { + "clientId": self.client_id, + "accessKey": self.client_secret + } + timestamp = time.time() + + res = requests.post(f'https://{self.host}/auth/external', json=payload) + res.raise_for_status() + data = res.json()['data'] + self.token = data.get('token') + self.token_expiry = timestamp + float(data.get('expiresIn')) + + return self.token + + def headers(self, request_string: str = None, auth: bool = False) -> dict: + request_id = str(uuid.uuid4()) + token = self.get_token() + return { + 'Authorization': f'Bearer {token}', + 'x-av-req-id': request_id, + } + + def get_path(self, endpoint: str) -> str: + return '/'.join(['app', 'hec-api', self.api_version, endpoint]) + + def get_request_string(self, endpoint: str, params: 
dict = None) -> str: + return '' + +def get_brand_client(brand: str, host, client_id, client_secret): + if brand == 'checkpoint': + client = CloudInfraApiClient(host=host, client_id=client_id, client_secret=client_secret) + elif brand == 'avanan': + client = ApiClient(host=host, client_id=client_id, client_secret=client_secret) + else: + return None + return client \ No newline at end of file diff --git a/Solutions/Checkpoint Harmony Email and Collaboration/Data Connectors/CheckpointHEC_DCR.json b/Solutions/Checkpoint Harmony Email and Collaboration/Data Connectors/CheckpointHEC_DCR.json new file mode 100644 index 00000000000..147863cad19 --- /dev/null +++ b/Solutions/Checkpoint Harmony Email and Collaboration/Data Connectors/CheckpointHEC_DCR.json 
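Review bot: `report_mis_classification` hard-codes the entity id `'7f0e023d3e28b3de71beddba9bc1031f'`, the classification and the confidence, and carries a docstring copied from `get_task`, so it looks like a leftover from manual testing rather than a callable API method; take those values as parameters as sketched below and drop the commented-out `params` line. `ApiClient.get_token` calls `jwt.decode(self.token, self.public_key)` without an `algorithms=[...]` argument, so the accepted signature algorithm is whatever the library derives from the token and key rather than an explicit choice; pin the algorithm the auth endpoint actually issues. The `requests.get` in `public_key` and the `requests.post` in `CloudInfraApiClient.get_token` pass no `timeout`, unlike `call_api`, so a stalled auth endpoint hangs the function invocation. The `print` in `call_api` writes the full error response body to stdout, which ends up in the function logs and may carry account data; prefer `logging` and record the status code and URL only.
```python
    def report_mis_classification(self, entity_ids: List[str], classification: str, confident: str):
        """
        Report entities that were mis-classified by the security engine.

        :param entity_ids: List of Entity ID
        :param classification: Classification to report (the page's example value is 'Clean Email')
        :param confident: Confidence of the report (the page's example value is 'High Confidence')
        :return: Response JSON
        """
        payload = {
            'requestData': {
                'entityIds': entity_ids,
                'classification': classification,
                'confident': confident,
            }
        }
        return self.call_api('post', 'report/mis-classification', body=payload)
```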
@@ -0,0 +1,167 @@ +{ + "name": "CheckpointHECDCR", + "apiVersion": "2023-03-11", + "type": "Microsoft.Insights/dataCollectionRules", + "location": "{{location}}", + "properties": { + "dataCollectionEndpointId": "{{dataCollectionEndpointId}}", + "streamDeclarations": { + "Custom-CheckpointHEC": { + "columns": [ + { + "name": "TimeGenerated", + "type": "datetime" + }, + { + "name": "email_raw", + "type": "dynamic" + }, + { + "name": "event_raw", + "type": "dynamic" + }, + { + "name": "EmailEmailId", + "type": "string" + }, + { + "name": "EmailType", + "type": "string" + }, + { + "name": "EmailSubject", + "type": "string" + }, + { + "name": "EmailTo", + "type": "dynamic" + }, + { + "name": "EmailFromEmail", + "type": "string" + }, + { + "name": "EmailFromName", + "type": "string" + }, + { + "name": "EmailBbc", + "type": "dynamic" + }, + { + "name": "EmailCc", + "type": "dynamic" + }, + { + "name": "EmailReplyTo", + "type": "dynamic" + }, + { + "name": "EmailBodyContentType", + "type": "string" + }, + { + "name": "EmailMessageId", + "type": "string" + }, + { + "name": "EmailDirection", + "type": "string" + }, + { + "name": "EmailAttachmentCount", + "type": "int" + }, + { + "name": "EmailAttachmentsPayloads", + "type": "dynamic" + }, + { + "name": "EmailLinks", + "type": "dynamic" + }, + { + "name": "EmailSenderClientIp", + "type": "string" + }, + { + "name": "EmailSenderServerIp", + "type": "string" + }, + { + "name": "EmailDkimResults", + "type": "string" + }, + { + "name": "EmailDmarcResults", + "type": "string" + }, + { + "name": "EmailSpfResults", + "type": "string" + }, + { + "name": "EmailSaasSpamVerdict", + "type": "string" + }, + { + "name": "EventEventId", + "type": "string" + }, + { + "name": "EventCategory", + "type": "string" + }, + { + "name": "EventConfidenceIndicator", + "type": "string" + }, + { + "name": "EventConfidenceLevel", + "type": "int" + }, + { + "name": "EventCurrentState", + "type": "string" + }, + { + "name": "EventDescription", + "type": 
"string" + }, + { + "name": "EventPolicyRuleId", + "type": "int" + }, + { + "name": "EventAction", + "type": "string" + }, + { + "name": "EventProvider", + "type": "string" + } + ] + } + }, + "destinations": { + "logAnalytics": [ + { + "workspaceResourceId": "{{workspaceResourceId}}", + "name": "clv2ws1" + } + ] + }, + "dataFlows": [ + { + "streams": [ + "Custom-CheckpointHEC" + ], + "destinations": [ + "clv2ws1" + ], + "transformKql": "source", + "outputStream": "Custom-CheckpointHEC_CL" + } + ] + } +} \ No newline at end of file diff --git a/Solutions/Checkpoint Harmony Email and Collaboration/Data Connectors/CheckpointHEC_Definition.json b/Solutions/Checkpoint Harmony Email and Collaboration/Data Connectors/CheckpointHEC_Definition.json new file mode 100644 index 00000000000..4c046c9907d --- /dev/null +++ b/Solutions/Checkpoint Harmony Email and Collaboration/Data Connectors/CheckpointHEC_Definition.json 
@@ -0,0 +1,86 @@ +{ + "name": "CheckpointHECCCPDefinition", + "apiVersion": "2022-09-01-preview", + "type": "Microsoft.SecurityInsights/dataConnectorDefinitions", + "location": "{{location}}", + "kind": "Customizable", + "properties": { + "connectorUiConfig": { + "id": "CheckpointHECConnectorDefinition", + "title": "CheckpointHEC_CL On Demand Email Security (via Codeless Connector Platform)", + "publisher": "Checkpoint", + "descriptionMarkdown": "CheckpointHEC_CL Email Security data connector provides the capability to get Check Point security event data", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "CheckpointHEC_CL", + "baseQuery": "CheckpointHEC_CL" + } + ], + "sampleQueries": [ + { + "description": "Last CheckpointHEC message Events", + "query": "CheckpointHEC_CL\n | where EventType == 'message'\n | sort by TimeGenerated desc" + } + ], + "dataTypes": [ + { + "name": "CheckpointHEC_CL", + "lastDataReceivedQuery": "CheckpointHEC_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "connectivityCriteria": [ + { + "type": "HasDataConnectors", + "value": null + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions on the workspace are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "read": true, + "write": true, + "delete": true, + "action": false + } + } + ] + }, + "instructionSteps": [ + { + "instructions": [ + { + "type": "Markdown", + "parameters": { + "content": "Create an Application in Azure AD and create an application secret and key. 
To be used latest"
+ }
+ },
+ {
+ "type": "Markdown",
+ "parameters": {
+ "content": "Assign the application created the role Monitoring Metrics Publisher on the DRC created"
+ }
+ },
+ {
+ "parameters": {
+ "label": "toggle",
+ "name": "toggle"
+ },
+ "type": "ConnectionToggleButton"
+ }
+ ]
+ }
+ ],
+ "isConnectivityCriteriasMatchSome": false
+ }
+ }
+}
\ No newline at end of file
diff --git a/Solutions/Checkpoint Harmony Email and Collaboration/Data Connectors/CheckpointHEC_PollingConfig.json b/Solutions/Checkpoint Harmony Email and Collaboration/Data Connectors/CheckpointHEC_PollingConfig.json
new file mode 100644
index 00000000000..ede7cec006c
--- /dev/null
+++ b/Solutions/Checkpoint Harmony Email and Collaboration/Data Connectors/CheckpointHEC_PollingConfig.json
@@ -0,0 +1,21 @@
+[
+ {
+ "type": "Microsoft.SecurityInsights/dataConnectors",
+ "apiVersion": "2021-10-01-preview",
+ "name": "CheckpointHECConnection",
+ "location": "{{location}}",
+ "kind": "Push",
+ "properties": {
+ "connectorDefinitionName": "CheckpointHECConnectorDefinition",
+ "auth": {
+ "type": "None"
+ },
+ "dataType": "CheckpointHEC_CL",
+ "dcrConfig": {
+ "streamName": "Custom-CheckpointHEC",
+ "dataCollectionEndpoint": "{{dataCollectionEndpoint}}",
+ "dataCollectionRuleImmutableId": "{{dataCollectionRuleImmutableId}}"
+ }
+ }
+ }
+]
\ No newline at end of file
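Review bot: The sample query `CheckpointHEC_CL\n | where EventType == 'message'\n | sort by TimeGenerated desc` filters on `EventType`, a column that none of the stream, table or custom-table schemas in this commit declare (they define `EmailType`, `EventCategory`, `EventCurrentState`, and so on), so the sample returns no rows; filter on an existing column, e.g. `CheckpointHEC_CL\n | where EventCategory == 'phishing'\n | sort by TimeGenerated desc`. The first instruction step ends in the truncated sentence "To be used latest" and the second says "DRC" where the data collection rule (DCR) is meant; reword to e.g. `Create an app registration in Microsoft Entra ID and a client secret; note the application (client) ID, tenant ID and secret for the next step` and `Assign the application the Monitoring Metrics Publisher role on the data collection rule (DCR) created for this connector`. The workspace permission block also asks for `"delete": true`, which a connector that only writes to a custom table does not need.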
@@ -0,0 +1,145 @@
+{
+ "name": "CheckpointHEC_CL",
+ "type": "Microsoft.OperationalInsights/workspaces/tables",
+ "apiVersion": "2025-02-01",
+ "location": "{{location}}",
+ "properties": {
+ "schema": {
+ "name": "CheckpointHEC_CL",
+ "columns": [
+ {
+ "name": "TimeGenerated",
+ "type": "datetime"
+ },
+ {
+ "name": "email_raw",
+ "type": "dynamic"
+ },
+ {
+ "name": "event_raw",
+ "type": "dynamic"
+ },
+ {
+ "name": "EmailEmailId",
+ "type": "string"
+ },
+ {
+ "name": "EmailType",
+ "type": "string"
+ },
+ {
+ "name": "EmailSubject",
+ "type": "string"
+ },
+ {
+ "name": "EmailTo",
+ "type": "dynamic"
+ },
+ {
+ "name": "EmailFromEmail",
+ "type": "string"
+ },
+ {
+ "name": "EmailFromName",
+ "type": "string"
+ },
+ {
+ "name": "EmailBbc",
+ "type": "dynamic"
+ },
+ {
+ "name": "EmailCc",
+ "type": "dynamic"
+ },
+ {
+ "name": "EmailReplyTo",
+ "type": "dynamic"
+ },
+ {
+ "name": "EmailBodyContentType",
+ "type": "string"
+ },
+ {
+ "name": "EmailMessageId",
+ "type": "string"
+ },
+ {
+ "name": "EmailDirection",
+ "type": "string"
+ },
+ {
+ "name": "EmailAttachmentCount",
+ "type": "int"
+ },
+ {
+ "name": "EmailAttachmentsPayloads",
+ "type": "dynamic"
+ },
+ {
+ "name": "EmailLinks",
+ "type": "dynamic"
+ },
+ {
+ "name": "EmailSenderClientIp",
+ "type": "string"
+ },
+ {
+ "name": "EmailSenderServerIp",
+ "type": "string"
+ },
+ {
+ "name": "EmailDkimResults",
+ "type": "string"
+ },
+ {
+ "name": "EmailDmarcResults",
+ "type": "string"
+ },
+ {
+ "name": "EmailSpfResults",
+ "type": "string"
+ },
+ {
+ "name": "EmailSaasSpamVerdict",
+ "type": "string"
+ },
+ {
+ "name": "EventEventId",
+ "type": "string"
+ },
+ {
+ "name": "EventCategory",
+ "type": "string"
+ },
+ {
+ "name": "EventConfidenceIndicator",
+ "type": "string"
+ },
+ {
+ "name": "EventConfidenceLevel",
+ "type": "int"
+ },
+ {
+ "name": "EventCurrentState",
+ "type": "string"
+ },
+ {
+ "name": "EventDescription",
+ "type": "string"
+ },
+ {
+ "name": "EventPolicyRuleId",
+ "type": "int" 
+ },
+ {
+ "name": "EventAction",
+ "type": "string"
+ },
+ {
+ "name": "EventProvider",
+ "type": "string"
+ }
+ ]
+ }
+ }
+}
\ No newline at end of file
diff --git a/Solutions/Checkpoint Harmony Email and Collaboration/Data/Solution_Checkpoint HEC.json b/Solutions/Checkpoint Harmony Email and Collaboration/Data/Solution_Checkpoint HEC.json
new file mode 100644
index 00000000000..15add6c33e4
--- /dev/null
+++ b/Solutions/Checkpoint Harmony Email and Collaboration/Data/Solution_Checkpoint HEC.json
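Review bot: The column `"name": "EmailBbc"` reads like a typo of `EmailBcc`; the DCR stream declaration and this table only accept fields whose names match what the sender pushes, so if the upstream payload carries `EmailBcc` that field is silently dropped at ingestion and the BCC recipients never reach the table. Confirm the name against the actual payload before this schema ships — the same spelling is repeated in the stream declaration and table in mainTemplate.json and in the KQL-validation schema, and renaming a custom-table column after data has landed is disruptive. Separately, this file declares `"apiVersion": "2025-02-01"` while the generated mainTemplate.json deploys the same table with `"apiVersion": "2022-10-01"`; presumably the packager rewrote it, but the two should agree so the table properties are validated against one API surface.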
@@ -0,0 +1,27 @@
+{
+ "Name": "CheckPoint Harmony Email and Collaboration",
+ "Author": "Checkpoint - support@checkpoint.com",
+ "Logo": "",
+ "Description": "The [Check Point Harmony Email and Collaboration](https://www.checkpoint.com/harmony/email-collaboration/) solution for Microsoft Sentinel enables ingestion of security events from the Check Point Harmony Email and Collaboration API into Microsoft Sentinel using Microsoft Sentinel’s Codeless Connector Platform. The connector supports DCR-based [ingestion-time transformations](https://learn.microsoft.com/azure/azure-monitor/logs/custom-logs-overview) to parse incoming security event data into custom columns, reducing the need for query-time parsing and improving query performance.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following Microsoft technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\n\na. [Microsoft Sentinel](https://learn.microsoft.com/azure/sentinel/overview)\n\nb. [Microsoft Sentinel Codeless Connector Platform (CCP)](https://learn.microsoft.com/azure/sentinel/create-codeless-connector)\n\nc. [Azure Monitor Logs custom logs and Data Collection Rules (DCR)](https://learn.microsoft.com/azure/azure-monitor/data-collection/data-collection-rule-overview)\n\nd. 
[Data Collection Rule ingestion-time transformations](https://learn.microsoft.com/azure/azure-monitor/logs/custom-logs-overview)",
+ "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Checkpoint Harmony Email and Collaboration",
+ "Version": "3.0.0",
+ "Metadata": "SolutionMetadata.json",
+ "TemplateSpec": false,
+ "Is1PConnector": false,
+ "Data Connectors": [
+ "Data Connectors/CheckpointHEC_Definition.json"
+ ],
+ "Hunting Queries":[
+ "Hunting Queries/CheckpointEventPerUser.yaml",
+ "Hunting Queries/CheckpointEventRecapLastDay.yaml",
+ "Hunting Queries/CheckpointHighConfidenceSpam.yaml",
+ "Hunting Queries/CheckpointPhishing.yaml",
+ "Hunting Queries/CheckpointDLPEvent.yaml"
+ ],
+ "Analytic Rules" : [
+ "Analytic Rules/CheckpointHECPhishingNotQuarantined.yaml"
+ ],
+ "Playbooks":[
+ "Playbooks/Quarantine/quarantine.json"
+ ]
+}
diff --git a/Solutions/Checkpoint Harmony Email and Collaboration/Hunting Queries/CheckpointDLPEvent.yaml b/Solutions/Checkpoint Harmony Email and Collaboration/Hunting Queries/CheckpointDLPEvent.yaml
new file mode 100644
index 00000000000..ba6d6b3deba
--- /dev/null
+++ b/Solutions/Checkpoint Harmony Email and Collaboration/Hunting Queries/CheckpointDLPEvent.yaml
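Review bot: `"Name": "CheckPoint Harmony Email and Collaboration"` spells the product with a capital P while every file in this commit lives under `Solutions/Checkpoint Harmony Email and Collaboration`; the Release Notes link in the generated createUiDefinition.json points at `Solutions/CheckPoint%20Harmony%20Email%20and%20Collaboration/ReleaseNotes.md` (presumably derived from this Name), and GitHub paths are case-sensitive, so that link will not resolve. Pick one spelling for Name and the folder and regenerate the package. The five hunting-query entries match the files added in this diff; `Analytic Rules/CheckpointHECPhishingNotQuarantined.yaml` and `Playbooks/Quarantine/quarantine.json` are outside this part of the diff, so I could not check that they exist.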
@@ -0,0 +1,30 @@
+---
+id: 0794a162-8635-43fd-81ed-2cf260457541
+name: DLP Detections
+version: 1.0.0
+relevantTechniques:
+ - T1566
+description: >
+ Search for DLP detections
+requiredDataConnectors:
+ - connectorId: CheckpointHECConnection
+ dataTypes:
+ - CheckpointHEC_CL
+tactics:
+ - InitialAccess
+query: |
+ CheckpointHEC_CL
+ | where TimeGenerated >= ago(1d)
+ | where EventCategory == "dlp"
+ | extend sr = (email_raw).entity_security_result
+ | mv-expand dlp = sr.dlp
+ | extend payload = todynamic(dlp.payload)
+ | mv-expand scan_detail = payload.scan_details
+ | extend
+ verdict = tostring(dlp.verdict),
+ status_description = tostring(dlp.status_description),
+ hit_count = toint(payload.hit_count),
+ scan_detail = tostring(scan_detail),
+ rule = tostring(payload.matches_dlp_rules[0])
+ | project TimeGenerated, EmailFromEmail, EmailSubject, EmailMessageId, verdict, status_description, hit_count, scan_detail, rules = payload.matches_dlp_rules
+ | order by TimeGenerated desc
\ No newline at end of file
diff --git a/Solutions/Checkpoint Harmony Email and Collaboration/Hunting Queries/CheckpointEventPerUser.yaml b/Solutions/Checkpoint Harmony Email and Collaboration/Hunting Queries/CheckpointEventPerUser.yaml
new file mode 100644
index 00000000000..9f830555199
--- /dev/null
+++ b/Solutions/Checkpoint Harmony Email and Collaboration/Hunting Queries/CheckpointEventPerUser.yaml
@@ -0,0 +1,21 @@
+---
+id: 0794a162-8635-43fd-81ed-2cf260457542
+name: Event breakdown per user
+version: 1.0.0
+relevantTechniques:
+ - T1566
+description: >
+ Get event breakdown per user
+requiredDataConnectors:
+ - connectorId: CheckpointHECConnection
+ dataTypes:
+ - CheckpointHEC_CL
+tactics:
+ - InitialAccess
+query: |
+ CheckpointHEC_CL
+ | where TimeGenerated >= ago(1d)
+ | mv-expand User = EmailTo
+ | extend User = tostring(User)
+ | summarize Count = count() by User, EventCategory
+ | evaluate pivot(EventCategory, sum(Count))
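Review bot: `tactics: InitialAccess` with `relevantTechniques: T1566` (Phishing) does not describe a DLP detection, which is an outbound data-leak signal; Exfiltration (TA0010) is the closer mapping, and the same T1566/InitialAccess pair is copied unchanged into CheckpointEventPerUser.yaml, CheckpointEventRecapLastDay.yaml and CheckpointHighConfidenceSpam.yaml, where it is equally generic and will mislabel the results in the MITRE view. In the query, `rule = tostring(payload.matches_dlp_rules[0])` is computed but never projected, so either add it to the `project` list or drop the line. `requiredDataConnectors.connectorId: CheckpointHECConnection` names the dataConnectors resource from CheckpointHEC_PollingConfig.json rather than the definition id `CheckpointHECConnectorDefinition`; if Sentinel resolves this against the connector definition id, the dependency shown in the content hub will not match — please confirm which id is expected (all five queries use the same value). The hard-coded `| where TimeGenerated >= ago(1d)` also overrides the time range the hunting blade lets the analyst choose, which is unusual for a hunting query.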
diff --git a/Solutions/Checkpoint Harmony Email and Collaboration/Hunting Queries/CheckpointEventRecapLastDay.yaml b/Solutions/Checkpoint Harmony Email and Collaboration/Hunting Queries/CheckpointEventRecapLastDay.yaml
new file mode 100644
index 00000000000..bef10dd01f7
--- /dev/null
+++ b/Solutions/Checkpoint Harmony Email and Collaboration/Hunting Queries/CheckpointEventRecapLastDay.yaml
@@ -0,0 +1,18 @@
+---
+id: 0794a162-8635-43fd-81ed-2cf260457543
+name: Event count last 24 hours
+version: 1.0.0
+relevantTechniques:
+ - T1566
+description: >
+ Event type count break down
+requiredDataConnectors:
+ - connectorId: CheckpointHECConnection
+ dataTypes:
+ - CheckpointHEC_CL
+tactics:
+ - InitialAccess
+query: |
+ CheckpointHEC_CL
+ | where TimeGenerated >= ago(1d)
+ | summarize Count = count() by EventCategory
diff --git a/Solutions/Checkpoint Harmony Email and Collaboration/Hunting Queries/CheckpointHighConfidenceSpam.yaml b/Solutions/Checkpoint Harmony Email and Collaboration/Hunting Queries/CheckpointHighConfidenceSpam.yaml
new file mode 100644
index 00000000000..49c29a1b65a
--- /dev/null
+++ b/Solutions/Checkpoint Harmony Email and Collaboration/Hunting Queries/CheckpointHighConfidenceSpam.yaml
@@ -0,0 +1,19 @@
+---
+id: 0794a162-8635-43fd-81ed-2cf260457544
+name: Spam emails
+version: 1.0.0
+relevantTechniques:
+ - T1566
+description: >
+ Search for emails detected as spam
+requiredDataConnectors:
+ - connectorId: CheckpointHECConnection
+ dataTypes:
+ - CheckpointHEC_CL
+tactics:
+ - InitialAccess
+query: |
+ CheckpointHEC_CL
+ | where EventCategory == 'spam' and TimeGenerated >= ago(1d)
+ | summarize SpamDetections = count() by tostring(EmailFromEmail)
+ | order by SpamDetections desc
\ No newline at end of file
diff --git a/Solutions/Checkpoint Harmony Email and Collaboration/Hunting Queries/CheckpointPhishing.yaml b/Solutions/Checkpoint Harmony Email and Collaboration/Hunting Queries/CheckpointPhishing.yaml
new file mode 100644
index 00000000000..9310085c553
--- /dev/null
+++ b/Solutions/Checkpoint Harmony Email and Collaboration/Hunting Queries/CheckpointPhishing.yaml
@@ -0,0 +1,20 @@
+---
+id: 0794a162-8635-43fd-81ed-2cf260457545
+name: Phishing emails per internal user
+version: 1.0.0
+relevantTechniques:
+ - T1566
+description: >
+ Get phishing email count per user
+requiredDataConnectors:
+ - connectorId: CheckpointHECConnection
+ dataTypes:
+ - CheckpointHEC_CL
+tactics:
+ - InitialAccess
+query: |
+ CheckpointHEC_CL
+ | where EventCategory == 'phishing' and TimeGenerated >= ago(1d)
+ | mv-expand email = EmailTo
+ | summarize PhishingDetections = count() by tostring(email)
+ | order by PhishingDetections desc
diff --git a/Solutions/Checkpoint Harmony Email and Collaboration/Package/3.0.0.zip b/Solutions/Checkpoint Harmony Email and Collaboration/Package/3.0.0.zip
new file mode 100644
index 00000000000..924dd48584a
Binary files /dev/null and b/Solutions/Checkpoint Harmony Email and Collaboration/Package/3.0.0.zip differ
diff --git a/Solutions/Checkpoint Harmony Email and Collaboration/Package/createUiDefinition.json b/Solutions/Checkpoint Harmony Email and Collaboration/Package/createUiDefinition.json
new file mode 100644
index 00000000000..e106ab07a67
--- /dev/null
+++ b/Solutions/Checkpoint Harmony Email and Collaboration/Package/createUiDefinition.json
@@ -0,0 +1,249 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#", + "handler": "Microsoft.Azure.CreateUIDef", + "version": "0.1.2-preview", + "parameters": { + "config": { + "isWizard": false, + "basics": { + "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/CheckPoint%20Harmony%20Email%20and%20Collaboration/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Check Point Harmony Email and Collaboration](https://www.checkpoint.com/harmony/email-collaboration/) solution for Microsoft Sentinel enables ingestion of security events from the Check Point Harmony Email and Collaboration API into Microsoft Sentinel using Microsoft Sentinel’s Codeless Connector Platform. The connector supports DCR-based [ingestion-time transformations](https://learn.microsoft.com/azure/azure-monitor/logs/custom-logs-overview) to parse incoming security event data into custom columns, reducing the need for query-time parsing and improving query performance.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following Microsoft technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\n\na. [Microsoft Sentinel](https://learn.microsoft.com/azure/sentinel/overview)\n\nb. [Microsoft Sentinel Codeless Connector Platform (CCP)](https://learn.microsoft.com/azure/sentinel/create-codeless-connector)\n\nc. [Azure Monitor Logs custom logs and Data Collection Rules (DCR)](https://learn.microsoft.com/azure/azure-monitor/data-collection/data-collection-rule-overview)\n\nd. 
[Data Collection Rule ingestion-time transformations](https://learn.microsoft.com/azure/azure-monitor/logs/custom-logs-overview)\n\n**Data Connectors:** 1, **Analytic Rules:** 1, **Hunting Queries:** 5, **Playbooks:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "subscription": { + "resourceProviders": [ + "Microsoft.OperationsManagement/solutions", + "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "Microsoft.Insights/workbooks", + "Microsoft.Logic/workflows" + ] + }, + "location": { + "metadata": { + "hidden": "Hiding location, we get it from the log analytics workspace" + }, + "visible": false + }, + "resourceGroup": { + "allowExisting": true + } + } + }, + "basics": [ + { + "name": "getLAWorkspace", + "type": "Microsoft.Solutions.ArmApiControl", + "toolTip": "This filters by workspaces that exist in the Resource Group selected", + "condition": "[greater(length(resourceGroup().name),0)]", + "request": { + "method": "GET", + "path": "[concat(subscription().id,'/providers/Microsoft.OperationalInsights/workspaces?api-version=2020-08-01')]" + } + }, + { + "name": "workspace", + "type": "Microsoft.Common.DropDown", + "label": "Workspace", + "placeholder": "Select a workspace", + "toolTip": "This dropdown will list only workspace that exists in the Resource Group selected", + "constraints": { + "allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(toLower(filter.id), toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]", + "required": true + }, + "visible": true + } + ], + "steps": [ + { + "name": "dataconnectors", + "label": "Data Connectors", + "bladeTitle": "Data Connectors", + "elements": [ + { + "name": "dataconnectors1-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This Solution installs the data connector for 
CheckpointHEC_CL On Demand Email Security (via Codeless Connector Platform). You can get CheckpointHEC_CL On Demand Email Security (via Codeless Connector Platform) data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view." + } + }, + { + "name": "dataconnectors-link1", + "type": "Microsoft.Common.TextBlock", + "options": { + "link": { + "label": "Learn more about connecting data sources", + "uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources" + } + } + } + ] + }, + { + "name": "analytics", + "label": "Analytics", + "subLabel": { + "preValidation": "Configure the analytics", + "postValidation": "Done" + }, + "bladeTitle": "Analytics", + "elements": [ + { + "name": "analytics-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This solution installs the following analytic rule templates. After installing the solution, create and enable analytic rules in Manage solution view." + } + }, + { + "name": "analytics-link", + "type": "Microsoft.Common.TextBlock", + "options": { + "link": { + "label": "Learn more", + "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-detect-threats-custom?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef" + } + } + }, + { + "name": "analytic1", + "type": "Microsoft.Common.Section", + "label": "Checkpoint - Pending Phishing emails", + "elements": [ + { + "name": "analytic1-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This query searches for phishing emails that are pending action" + } + } + ] + } + ] + }, + { + "name": "huntingqueries", + "label": "Hunting Queries", + "bladeTitle": "Hunting Queries", + "elements": [ + { + "name": "huntingqueries-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This solution installs the following hunting queries. After installing the solution, run these hunting queries to hunt for threats in Manage solution view. 
" + } + }, + { + "name": "huntingqueries-link", + "type": "Microsoft.Common.TextBlock", + "options": { + "link": { + "label": "Learn more", + "uri": "https://docs.microsoft.com/azure/sentinel/hunting" + } + } + }, + { + "name": "huntingquery1", + "type": "Microsoft.Common.Section", + "label": "Event breakdown per user", + "elements": [ + { + "name": "huntingquery1-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Get event breakdown per user This hunting query depends on CheckpointHECConnection data connector (CheckpointHEC_CL Parser or Table)" + } + } + ] + }, + { + "name": "huntingquery2", + "type": "Microsoft.Common.Section", + "label": "Event count last 24 hours", + "elements": [ + { + "name": "huntingquery2-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Event type count break down This hunting query depends on CheckpointHECConnection data connector (CheckpointHEC_CL Parser or Table)" + } + } + ] + }, + { + "name": "huntingquery3", + "type": "Microsoft.Common.Section", + "label": "Spam emails", + "elements": [ + { + "name": "huntingquery3-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Search for emails detected as spam This hunting query depends on CheckpointHECConnection data connector (CheckpointHEC_CL Parser or Table)" + } + } + ] + }, + { + "name": "huntingquery4", + "type": "Microsoft.Common.Section", + "label": "Phishing emails per internal user", + "elements": [ + { + "name": "huntingquery4-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Get phishing email count per user This hunting query depends on CheckpointHECConnection data connector (CheckpointHEC_CL Parser or Table)" + } + } + ] + }, + { + "name": "huntingquery5", + "type": "Microsoft.Common.Section", + "label": "DLP Detections", + "elements": [ + { + "name": "huntingquery5-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Search for DLP detections This hunting query depends 
on CheckpointHECConnection data connector (CheckpointHEC_CL Parser or Table)" + } + } + ] + } + ] + }, + { + "name": "playbooks", + "label": "Playbooks", + "subLabel": { + "preValidation": "Configure the playbooks", + "postValidation": "Done" + }, + "bladeTitle": "Playbooks", + "elements": [ + { + "name": "playbooks-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This solution installs the Playbook templates to help implement your Security Orchestration, Automation and Response (SOAR) operations. After installing the solution, these will be deployed under Playbook Templates in the Automation blade in Microsoft Sentinel. They can be configured and managed from the Manage solution view in Content Hub." + } + }, + { + "name": "playbooks-link", + "type": "Microsoft.Common.TextBlock", + "options": { + "link": { + "label": "Learn more", + "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-respond-threats-playbook?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef" + } + } + } + ] + } + ], + "outputs": { + "workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(toLower(filter.id), toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]", + "location": "[location()]", + "workspace": "[basics('workspace')]" + } + } +} diff --git a/Solutions/Checkpoint Harmony Email and Collaboration/Package/mainTemplate.json b/Solutions/Checkpoint Harmony Email and Collaboration/Package/mainTemplate.json new file mode 100644 index 00000000000..7debaf8fd7b --- /dev/null +++ b/Solutions/Checkpoint Harmony Email and Collaboration/Package/mainTemplate.json 
@@ -0,0 +1,1669 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "author": "Checkpoint - support@checkpoint.com", + "comments": "Solution template for CheckPoint Harmony Email and Collaboration" + }, + "parameters": { + "location": { + "type": "string", + "minLength": 1, + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace" + } + }, + "workspace-location": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]" + } + }, + "workspace": { + "defaultValue": "", + "type": "string", + "metadata": { + "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup" + } + }, + "resourceGroupName": { + "type": "string", + "defaultValue": "[resourceGroup().name]", + "metadata": { + "description": "resource group name where Microsoft Sentinel is setup" + } + }, + "subscription": { + "type": "string", + "defaultValue": "[last(split(subscription().id, '/'))]", + "metadata": { + "description": "subscription id where Microsoft Sentinel is setup" + } + } + }, + "variables": { + "email": "support@checkpoint.com", + "_email": "[variables('email')]", + "_solutionName": "CheckPoint Harmony Email and Collaboration", + "_solutionVersion": "3.0.0", + "solutionId": "checkpoint.azure-sentinel-checkpoint-hec", + "_solutionId": "[variables('solutionId')]", + "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]", + "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', 
parameters('workspace'))]", + "dataConnectorCCPVersion": "3.0.0", + "_dataConnectorContentIdConnectorDefinition1": "CheckpointHECConnectorDefinition", + "dataConnectorTemplateNameConnectorDefinition1": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentIdConnectorDefinition1')))]", + "_dataConnectorContentIdConnections1": "CheckpointHECConnectorDefinitionConnections", + "dataConnectorTemplateNameConnections1": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentIdConnections1')))]", + "dataCollectionEndpointId1": "[concat('/subscriptions/',parameters('subscription'),'/resourceGroups/',parameters('resourceGroupName'),'/providers/Microsoft.Insights/dataCollectionEndpoints/',parameters('workspace'))]", + "blanks": "[replace('b', 'b', '')]", + "huntingQueryObject1": { + "huntingQueryVersion1": "1.0.0", + "_huntingQuerycontentId1": "0794a162-8635-43fd-81ed-2cf260457542", + "huntingQueryTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('0794a162-8635-43fd-81ed-2cf260457542')))]" + }, + "huntingQueryObject2": { + "huntingQueryVersion2": "1.0.0", + "_huntingQuerycontentId2": "0794a162-8635-43fd-81ed-2cf260457543", + "huntingQueryTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('0794a162-8635-43fd-81ed-2cf260457543')))]" + }, + "huntingQueryObject3": { + "huntingQueryVersion3": "1.0.0", + "_huntingQuerycontentId3": "0794a162-8635-43fd-81ed-2cf260457544", + "huntingQueryTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('0794a162-8635-43fd-81ed-2cf260457544')))]" + }, + "huntingQueryObject4": { + "huntingQueryVersion4": "1.0.0", + "_huntingQuerycontentId4": "0794a162-8635-43fd-81ed-2cf260457545", + "huntingQueryTemplateSpecName4": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('0794a162-8635-43fd-81ed-2cf260457545')))]" + }, + "huntingQueryObject5": { + "huntingQueryVersion5": "1.0.0", + "_huntingQuerycontentId5": "0794a162-8635-43fd-81ed-2cf260457541", + "huntingQueryTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('0794a162-8635-43fd-81ed-2cf260457541')))]" + }, + "analyticRuleObject1": { + "analyticRuleVersion1": "1.0.0", + "_analyticRulecontentId1": "a97e2333-b7de-4c14-9700-e652a1dbef26", + "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'a97e2333-b7de-4c14-9700-e652a1dbef26')]", + "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('a97e2333-b7de-4c14-9700-e652a1dbef26')))]", + "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','a97e2333-b7de-4c14-9700-e652a1dbef26','-', '1.0.0')))]" + }, + "TemplateEmptyArray": "[json('[]')]", + "playbookVersion1": "1.0", + "playbookContentId1": "Quarantine", + "_playbookContentId1": "[variables('playbookContentId1')]", + "playbookId1": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId1'))]", + "playbookTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId1'))))]", + "_playbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId1'),'-', variables('playbookVersion1'))))]" + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages", + "apiVersion": "2023-04-01-preview", + 
"location": "[parameters('workspace-location')]", + "properties": { + "version": "3.0.0", + "kind": "Solution", + "contentSchemaVersion": "3.0.0", + "displayName": "CheckPoint Harmony Email and Collaboration", + "publisherDisplayName": "Harmony Email and Collaboration", + "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Check Point Harmony Email and Collaboration solution for Microsoft Sentinel enables ingestion of security events from the Check Point Harmony Email and Collaboration API into Microsoft Sentinel using Microsoft Sentinel’s Codeless Connector Platform. The connector supports DCR-based ingestion-time transformations to parse incoming security event data into custom columns, reducing the need for query-time parsing and improving query performance.

\n

Underlying Microsoft Technologies used:

\n

This solution takes a dependency on the following Microsoft technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:

\n
    \n
  1. Microsoft Sentinel

    \n
  2. \n
  3. Microsoft Sentinel Codeless Connector Platform (CCP)

    \n
  4. \n
  5. Azure Monitor Logs custom logs and Data Collection Rules (DCR)

    \n
  6. \n
  7. Data Collection Rule ingestion-time transformations

    \n
  8. \n
\n

Data Connectors: 1, Analytic Rules: 1, Hunting Queries: 5, Playbooks: 1

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "contentKind": "Solution", + "contentProductId": "[variables('_solutioncontentProductId')]", + "id": "[variables('_solutioncontentProductId')]", + "icon": "", + "contentId": "[variables('_solutionId')]", + "parentId": "[variables('_solutionId')]", + "source": { + "kind": "Solution", + "name": "CheckPoint Harmony Email and Collaboration", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Checkpoint", + "email": "[variables('_email')]" + }, + "support": { + "name": "Harmony Email and Collaboration", + "email": "EmailSecurity_Support@checkpoint.com", + "tier": "Partner", + "link": "https://supportcenter.checkpoint.com/product/495" + }, + "firstPublishDate": "2025-04-29", + "providers": [ + "Check Point Software" + ], + "categories": { + "domains": [ + "Security - Threat Intelligence" + ] + } + }, + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('_solutionId'))]" + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('dataConnectorTemplateNameConnectorDefinition1'), variables('dataConnectorCCPVersion'))]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "contentId": "[variables('_dataConnectorContentIdConnectorDefinition1')]", + "displayName": "CheckpointHEC_CL On Demand Email Security (via Codeless Connector Platform)", + "contentKind": "DataConnector", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('dataConnectorCCPVersion')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "name": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentIdConnectorDefinition1'))]", + "apiVersion": "2022-09-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectorDefinitions", + "location": "[parameters('workspace-location')]", + "kind": "Customizable", + "properties": { + "connectorUiConfig": { + "id": "CheckpointHECConnectorDefinition", + "title": "CheckpointHEC_CL On Demand Email Security (via Codeless Connector Platform)", + "publisher": "Checkpoint", + "descriptionMarkdown": "CheckpointHEC_CL Email Security data connector provides the capability to get Check Point security event data", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "CheckpointHEC_CL", + "baseQuery": "CheckpointHEC_CL" + } + ], + "sampleQueries": [ + { + "description": "Last CheckpointHEC message Events", + "query": "CheckpointHEC_CL\n | where EventType == 'message'\n | sort by TimeGenerated desc" + } + ], + "dataTypes": [ + { + "name": "CheckpointHEC_CL", + "lastDataReceivedQuery": "CheckpointHEC_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "connectivityCriteria": [ + { + "type": "HasDataConnectors", + "value": null + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions on the workspace are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "read": true, + "write": true, + "delete": true, + "action": false + } + } + ] + }, + "instructionSteps": [ + { + "instructions": [ + { + "type": "Markdown", + "parameters": { + "content": "Create an Application in Azure AD and create an application secret and key. 
To be used latest" + } + }, + { + "type": "Markdown", + "parameters": { + "content": "Assign the application created the role Monitoring Metrics Publisher on the DRC created" + } + }, + { + "parameters": { + "label": "toggle", + "name": "toggle" + }, + "type": "ConnectionToggleButton" + } + ] + } + ], + "isConnectivityCriteriasMatchSome": false + } + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentIdConnectorDefinition1')))]", + "apiVersion": "2022-01-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectorDefinitions', variables('_dataConnectorContentIdConnectorDefinition1'))]", + "contentId": "[variables('_dataConnectorContentIdConnectorDefinition1')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorCCPVersion')]", + "source": { + "sourceId": "[variables('_solutionId')]", + "name": "[variables('_solutionName')]", + "kind": "Solution" + }, + "author": { + "name": "Checkpoint", + "email": "[variables('_email')]" + }, + "support": { + "name": "Harmony Email and Collaboration", + "tier": "Partner", + "email": "EmailSecurity_Support@checkpoint.com", + "link": "https://supportcenter.checkpoint.com/product/495" + }, + "dependencies": { + "criteria": [ + { + "version": "[variables('dataConnectorCCPVersion')]", + "contentId": "[variables('_dataConnectorContentIdConnections1')]", + "kind": "ResourcesDataConnector" + } + ] + } + } + }, + { + "name": "CheckpointHECDCR", + "apiVersion": "2022-06-01", + "type": "Microsoft.Insights/dataCollectionRules", + "location": "[parameters('workspace-location')]", + "kind": "[variables('blanks')]", + "properties": { + "dataCollectionEndpointId": "[variables('dataCollectionEndpointId1')]", + "streamDeclarations": { + 
"Custom-CheckpointHEC": { + "columns": [ + { + "name": "TimeGenerated", + "type": "datetime" + }, + { + "name": "email_raw", + "type": "dynamic" + }, + { + "name": "event_raw", + "type": "dynamic" + }, + { + "name": "EmailEmailId", + "type": "string" + }, + { + "name": "EmailType", + "type": "string" + }, + { + "name": "EmailSubject", + "type": "string" + }, + { + "name": "EmailTo", + "type": "dynamic" + }, + { + "name": "EmailFromEmail", + "type": "string" + }, + { + "name": "EmailFromName", + "type": "string" + }, + { + "name": "EmailBbc", + "type": "dynamic" + }, + { + "name": "EmailCc", + "type": "dynamic" + }, + { + "name": "EmailReplyTo", + "type": "dynamic" + }, + { + "name": "EmailBodyContentType", + "type": "string" + }, + { + "name": "EmailMessageId", + "type": "string" + }, + { + "name": "EmailDirection", + "type": "string" + }, + { + "name": "EmailAttachmentCount", + "type": "int" + }, + { + "name": "EmailAttachmentsPayloads", + "type": "dynamic" + }, + { + "name": "EmailLinks", + "type": "dynamic" + }, + { + "name": "EmailSenderClientIp", + "type": "string" + }, + { + "name": "EmailSenderServerIp", + "type": "string" + }, + { + "name": "EmailDkimResults", + "type": "string" + }, + { + "name": "EmailDmarcResults", + "type": "string" + }, + { + "name": "EmailSpfResults", + "type": "string" + }, + { + "name": "EmailSaasSpamVerdict", + "type": "string" + }, + { + "name": "EventEventId", + "type": "string" + }, + { + "name": "EventCategory", + "type": "string" + }, + { + "name": "EventConfidenceIndicator", + "type": "string" + }, + { + "name": "EventConfidenceLevel", + "type": "int" + }, + { + "name": "EventCurrentState", + "type": "string" + }, + { + "name": "EventDescription", + "type": "string" + }, + { + "name": "EventPolicyRuleId", + "type": "int" + }, + { + "name": "EventAction", + "type": "string" + }, + { + "name": "EventProvider", + "type": "string" + } + ] + } + }, + "destinations": { + "logAnalytics": [ + { + "workspaceResourceId": 
"[variables('workspaceResourceId')]", + "name": "clv2ws1" + } + ] + }, + "dataFlows": [ + { + "streams": [ + "Custom-CheckpointHEC" + ], + "destinations": [ + "clv2ws1" + ], + "transformKql": "source", + "outputStream": "Custom-CheckpointHEC_CL" + } + ] + } + }, + { + "name": "CheckpointHEC_CL", + "apiVersion": "2022-10-01", + "type": "Microsoft.OperationalInsights/workspaces/tables", + "location": "[parameters('workspace-location')]", + "kind": null, + "properties": { + "schema": { + "name": "CheckpointHEC_CL", + "columns": [ + { + "name": "TimeGenerated", + "type": "datetime" + }, + { + "name": "email_raw", + "type": "dynamic" + }, + { + "name": "event_raw", + "type": "dynamic" + }, + { + "name": "EmailEmailId", + "type": "string" + }, + { + "name": "EmailType", + "type": "string" + }, + { + "name": "EmailSubject", + "type": "string" + }, + { + "name": "EmailTo", + "type": "dynamic" + }, + { + "name": "EmailFromEmail", + "type": "string" + }, + { + "name": "EmailFromName", + "type": "string" + }, + { + "name": "EmailBbc", + "type": "dynamic" + }, + { + "name": "EmailCc", + "type": "dynamic" + }, + { + "name": "EmailReplyTo", + "type": "dynamic" + }, + { + "name": "EmailBodyContentType", + "type": "string" + }, + { + "name": "EmailMessageId", + "type": "string" + }, + { + "name": "EmailDirection", + "type": "string" + }, + { + "name": "EmailAttachmentCount", + "type": "int" + }, + { + "name": "EmailAttachmentsPayloads", + "type": "dynamic" + }, + { + "name": "EmailLinks", + "type": "dynamic" + }, + { + "name": "EmailSenderClientIp", + "type": "string" + }, + { + "name": "EmailSenderServerIp", + "type": "string" + }, + { + "name": "EmailDkimResults", + "type": "string" + }, + { + "name": "EmailDmarcResults", + "type": "string" + }, + { + "name": "EmailSpfResults", + "type": "string" + }, + { + "name": "EmailSaasSpamVerdict", + "type": "string" + }, + { + "name": "EventEventId", + "type": "string" + }, + { + "name": "EventCategory", + "type": "string" + }, + { + 
"name": "EventConfidenceIndicator", + "type": "string" + }, + { + "name": "EventConfidenceLevel", + "type": "int" + }, + { + "name": "EventCurrentState", + "type": "string" + }, + { + "name": "EventDescription", + "type": "string" + }, + { + "name": "EventPolicyRuleId", + "type": "int" + }, + { + "name": "EventAction", + "type": "string" + }, + { + "name": "EventProvider", + "type": "string" + } + ] + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "contentProductId": "[concat(take(variables('_solutionId'), 50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentIdConnectorDefinition1'),'-', variables('dataConnectorCCPVersion'))))]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "version": "[variables('dataConnectorCCPVersion')]" + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentIdConnectorDefinition1'))]", + "apiVersion": "2022-09-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectorDefinitions", + "location": "[parameters('workspace-location')]", + "kind": "Customizable", + "properties": { + "connectorUiConfig": { + "id": "CheckpointHECConnectorDefinition", + "title": "CheckpointHEC_CL On Demand Email Security (via Codeless Connector Platform)", + "publisher": "Checkpoint", + "descriptionMarkdown": "CheckpointHEC_CL Email Security data connector provides the capability to get Check Point security event data", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "CheckpointHEC_CL", + "baseQuery": "CheckpointHEC_CL" + } + ], + "sampleQueries": [ + { + "description": "Last CheckpointHEC message Events", + "query": "CheckpointHEC_CL\n | where EventType == 'message'\n | sort by TimeGenerated desc" + } + ], + "dataTypes": [ + { + "name": 
"CheckpointHEC_CL", + "lastDataReceivedQuery": "CheckpointHEC_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "connectivityCriteria": [ + { + "type": "HasDataConnectors", + "value": null + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions on the workspace are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "read": true, + "write": true, + "delete": true, + "action": false + } + } + ] + }, + "instructionSteps": [ + { + "instructions": [ + { + "type": "Markdown", + "parameters": { + "content": "Create an Application in Azure AD and create an application secret and key. To be used latest" + } + }, + { + "type": "Markdown", + "parameters": { + "content": "Assign the application created the role Monitoring Metrics Publisher on the DRC created" + } + }, + { + "parameters": { + "label": "toggle", + "name": "toggle" + }, + "type": "ConnectionToggleButton" + } + ] + } + ], + "isConnectivityCriteriasMatchSome": false + } + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentIdConnectorDefinition1')))]", + "apiVersion": "2022-01-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectorDefinitions', variables('_dataConnectorContentIdConnectorDefinition1'))]", + "contentId": "[variables('_dataConnectorContentIdConnectorDefinition1')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorCCPVersion')]", + "source": { + "sourceId": "[variables('_solutionId')]", + "name": "[variables('_solutionName')]", + "kind": 
"Solution" + }, + "author": { + "name": "Checkpoint", + "email": "[variables('_email')]" + }, + "support": { + "name": "Harmony Email and Collaboration", + "tier": "Partner", + "email": "EmailSecurity_Support@checkpoint.com", + "link": "https://supportcenter.checkpoint.com/product/495" + }, + "dependencies": { + "criteria": [ + { + "version": "[variables('dataConnectorCCPVersion')]", + "contentId": "[variables('_dataConnectorContentIdConnections1')]", + "kind": "ResourcesDataConnector" + } + ] + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('dataConnectorTemplateNameConnections1'), variables('dataConnectorCCPVersion'))]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "contentId": "[variables('_dataConnectorContentIdConnections1')]", + "displayName": "CheckpointHEC_CL On Demand Email Security (via Codeless Connector Platform)", + "contentKind": "ResourcesDataConnector", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('dataConnectorCCPVersion')]", + "parameters": { + "guidValue": { + "defaultValue": "[[newGuid()]", + "type": "securestring" + }, + "innerWorkspace": { + "defaultValue": "[parameters('workspace')]", + "type": "securestring" + }, + "auth": { + "type": "object", + "defaultValue": { + "appId": "[[parameters('auth').appId]]", + "servicePrincipalId": "[[parameters('auth').servicePrincipalId]]" + } + }, + "connectorDefinitionName": { + "defaultValue": "CheckpointHEC_CL On Demand Email Security (via Codeless Connector Platform)", + "type": "securestring", + "minLength": 
1 + }, + "workspace": { + "defaultValue": "[parameters('workspace')]", + "type": "securestring" + }, + "dcrConfig": { + "defaultValue": { + "dataCollectionEndpoint": "data collection Endpoint", + "dataCollectionRuleImmutableId": "data collection rule immutableId" + }, + "type": "object" + } + }, + "variables": { + "_dataConnectorContentIdConnections1": "[variables('_dataConnectorContentIdConnections1')]" + }, + "resources": [ + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentIdConnections1')))]", + "apiVersion": "2022-01-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentIdConnections1'))]", + "contentId": "[variables('_dataConnectorContentIdConnections1')]", + "kind": "ResourcesDataConnector", + "version": "[variables('dataConnectorCCPVersion')]", + "source": { + "sourceId": "[variables('_solutionId')]", + "name": "[variables('_solutionName')]", + "kind": "Solution" + }, + "author": { + "name": "Checkpoint", + "email": "[variables('_email')]" + }, + "support": { + "name": "Harmony Email and Collaboration", + "tier": "Partner", + "email": "EmailSecurity_Support@checkpoint.com", + "link": "https://supportcenter.checkpoint.com/product/495" + } + } + }, + { + "name": "[[concat(parameters('innerWorkspace'),'/Microsoft.SecurityInsights/', 'CheckpointHECConnection', parameters('guidValue'))]", + "apiVersion": "2023-02-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "Push", + "properties": { + "connectorDefinitionName": "CheckpointHECConnectorDefinition", + "auth": { + "type": "None", + "appId": "[[parameters('auth').appId]", + 
"servicePrincipalId": "[[parameters('auth').servicePrincipalId]" + }, + "dataType": "CheckpointHEC_CL", + "dcrConfig": { + "streamName": "Custom-CheckpointHEC", + "dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]", + "dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "contentProductId": "[concat(take(variables('_solutionId'), 50),'-','rdc','-', uniqueString(concat(variables('_solutionId'),'-','ResourcesDataConnector','-',variables('_dataConnectorContentIdConnections1'),'-', variables('dataConnectorCCPVersion'))))]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "version": "[variables('dataConnectorCCPVersion')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('huntingQueryObject1').huntingQueryTemplateSpecName1]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "CheckpointEventPerUser_HuntingQueries Hunting Query with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('huntingQueryObject1').huntingQueryVersion1]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.OperationalInsights/savedSearches", + "apiVersion": "2025-07-01", + "name": "CheckPoint_Harmony_Email_and_Collaboration_Hunting_Query_1", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "Event breakdown per 
user", + "category": "Hunting Queries", + "query": "CheckpointHEC_CL\n| where TimeGenerated >= ago(1d)\n| mv-expand User = EmailTo\n| extend User = tostring(User)\n| summarize Count = count() by User, EventCategory\n| evaluate pivot(EventCategory, sum(Count))\n", + "version": 2, + "tags": [ + { + "name": "description", + "value": "Get event breakdown per user" + }, + { + "name": "tactics", + "value": "InitialAccess" + }, + { + "name": "techniques", + "value": "T1566" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject1')._huntingQuerycontentId1),'/'))))]", + "properties": { + "description": "CheckPoint Harmony Email and Collaboration Hunting Query 1", + "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject1')._huntingQuerycontentId1)]", + "contentId": "[variables('huntingQueryObject1')._huntingQuerycontentId1]", + "kind": "HuntingQuery", + "version": "[variables('huntingQueryObject1').huntingQueryVersion1]", + "source": { + "kind": "Solution", + "name": "CheckPoint Harmony Email and Collaboration", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Checkpoint", + "email": "[variables('_email')]" + }, + "support": { + "name": "Harmony Email and Collaboration", + "tier": "Partner", + "email": "EmailSecurity_Support@checkpoint.com", + "link": "https://supportcenter.checkpoint.com/product/495" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('huntingQueryObject1')._huntingQuerycontentId1]", + "contentKind": 
"HuntingQuery", + "displayName": "Event breakdown per user", + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject1')._huntingQuerycontentId1,'-', '1.0.0')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject1')._huntingQuerycontentId1,'-', '1.0.0')))]", + "version": "1.0.0" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('huntingQueryObject2').huntingQueryTemplateSpecName2]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "CheckpointEventRecapLastDay_HuntingQueries Hunting Query with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('huntingQueryObject2').huntingQueryVersion2]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.OperationalInsights/savedSearches", + "apiVersion": "2025-07-01", + "name": "CheckPoint_Harmony_Email_and_Collaboration_Hunting_Query_2", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "Event count last 24 hours", + "category": "Hunting Queries", + "query": "CheckpointHEC_CL \n| where TimeGenerated >= ago(1d)\n| summarize Count = count() by EventCategory\n", + "version": 2, + "tags": [ + { + "name": "description", + "value": "Event type count break down" + }, + { + "name": "tactics", + "value": "InitialAccess" + }, + { + "name": "techniques", + "value": "T1566" 
+ } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject2')._huntingQuerycontentId2),'/'))))]", + "properties": { + "description": "CheckPoint Harmony Email and Collaboration Hunting Query 2", + "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject2')._huntingQuerycontentId2)]", + "contentId": "[variables('huntingQueryObject2')._huntingQuerycontentId2]", + "kind": "HuntingQuery", + "version": "[variables('huntingQueryObject2').huntingQueryVersion2]", + "source": { + "kind": "Solution", + "name": "CheckPoint Harmony Email and Collaboration", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Checkpoint", + "email": "[variables('_email')]" + }, + "support": { + "name": "Harmony Email and Collaboration", + "tier": "Partner", + "email": "EmailSecurity_Support@checkpoint.com", + "link": "https://supportcenter.checkpoint.com/product/495" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('huntingQueryObject2')._huntingQuerycontentId2]", + "contentKind": "HuntingQuery", + "displayName": "Event count last 24 hours", + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject2')._huntingQuerycontentId2,'-', '1.0.0')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject2')._huntingQuerycontentId2,'-', 
'1.0.0')))]", + "version": "1.0.0" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('huntingQueryObject3').huntingQueryTemplateSpecName3]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "CheckpointHighConfidenceSpam_HuntingQueries Hunting Query with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('huntingQueryObject3').huntingQueryVersion3]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.OperationalInsights/savedSearches", + "apiVersion": "2025-07-01", + "name": "CheckPoint_Harmony_Email_and_Collaboration_Hunting_Query_3", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "Spam emails", + "category": "Hunting Queries", + "query": "CheckpointHEC_CL\n| where EventCategory == 'spam' and TimeGenerated >= ago(1d)\n| summarize SpamDetections = count() by tostring(EmailFromEmail)\n| order by SpamDetections desc\n", + "version": 2, + "tags": [ + { + "name": "description", + "value": "Search for emails detected as spam" + }, + { + "name": "tactics", + "value": "InitialAccess" + }, + { + "name": "techniques", + "value": "T1566" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject3')._huntingQuerycontentId3),'/'))))]", + "properties": { + "description": 
"CheckPoint Harmony Email and Collaboration Hunting Query 3", + "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject3')._huntingQuerycontentId3)]", + "contentId": "[variables('huntingQueryObject3')._huntingQuerycontentId3]", + "kind": "HuntingQuery", + "version": "[variables('huntingQueryObject3').huntingQueryVersion3]", + "source": { + "kind": "Solution", + "name": "CheckPoint Harmony Email and Collaboration", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Checkpoint", + "email": "[variables('_email')]" + }, + "support": { + "name": "Harmony Email and Collaboration", + "tier": "Partner", + "email": "EmailSecurity_Support@checkpoint.com", + "link": "https://supportcenter.checkpoint.com/product/495" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('huntingQueryObject3')._huntingQuerycontentId3]", + "contentKind": "HuntingQuery", + "displayName": "Spam emails", + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject3')._huntingQuerycontentId3,'-', '1.0.0')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject3')._huntingQuerycontentId3,'-', '1.0.0')))]", + "version": "1.0.0" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('huntingQueryObject4').huntingQueryTemplateSpecName4]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 
'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "CheckpointPhishing_HuntingQueries Hunting Query with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('huntingQueryObject4').huntingQueryVersion4]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.OperationalInsights/savedSearches", + "apiVersion": "2025-07-01", + "name": "CheckPoint_Harmony_Email_and_Collaboration_Hunting_Query_4", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "Phishing emails per internal user", + "category": "Hunting Queries", + "query": "CheckpointHEC_CL\n| where EventCategory == 'phishing' and TimeGenerated >= ago(1d)\n| mv-expand email = EmailTo\n| summarize PhishingDetections = count() by tostring(email)\n| order by PhishingDetections desc\n", + "version": 2, + "tags": [ + { + "name": "description", + "value": "Get phishing email count per user" + }, + { + "name": "tactics", + "value": "InitialAccess" + }, + { + "name": "techniques", + "value": "T1566" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject4')._huntingQuerycontentId4),'/'))))]", + "properties": { + "description": "CheckPoint Harmony Email and Collaboration Hunting Query 4", + "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject4')._huntingQuerycontentId4)]", + "contentId": "[variables('huntingQueryObject4')._huntingQuerycontentId4]", + "kind": "HuntingQuery", + "version": "[variables('huntingQueryObject4').huntingQueryVersion4]", + 
"source": { + "kind": "Solution", + "name": "CheckPoint Harmony Email and Collaboration", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Checkpoint", + "email": "[variables('_email')]" + }, + "support": { + "name": "Harmony Email and Collaboration", + "tier": "Partner", + "email": "EmailSecurity_Support@checkpoint.com", + "link": "https://supportcenter.checkpoint.com/product/495" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('huntingQueryObject4')._huntingQuerycontentId4]", + "contentKind": "HuntingQuery", + "displayName": "Phishing emails per internal user", + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject4')._huntingQuerycontentId4,'-', '1.0.0')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject4')._huntingQuerycontentId4,'-', '1.0.0')))]", + "version": "1.0.0" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('huntingQueryObject5').huntingQueryTemplateSpecName5]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "CheckpointDLPEvent_HuntingQueries Hunting Query with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": 
"[variables('huntingQueryObject5').huntingQueryVersion5]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.OperationalInsights/savedSearches", + "apiVersion": "2025-07-01", + "name": "CheckPoint_Harmony_Email_and_Collaboration_Hunting_Query_5", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "DLP Detections", + "category": "Hunting Queries", + "query": "CheckpointHEC_CL\n| where TimeGenerated >= ago(1d)\n| where EventCategory == \"dlp\"\n| extend sr = (email_raw).entity_security_result\n| mv-expand dlp = sr.dlp\n| extend payload = todynamic(dlp.payload)\n| mv-expand scan_detail = payload.scan_details\n| extend\n verdict = tostring(dlp.verdict),\n status_description = tostring(dlp.status_description),\n hit_count = toint(payload.hit_count),\n scan_detail = tostring(scan_detail),\n rule = tostring(payload.matches_dlp_rules[0])\n| project TimeGenerated, EmailFromEmail, EmailSubject, EmailMessageId, verdict, status_description, hit_count, scan_detail, rules = payload.matches_dlp_rules\n| order by TimeGenerated desc\n", + "version": 2, + "tags": [ + { + "name": "description", + "value": "Search for DLP detections" + }, + { + "name": "tactics", + "value": "InitialAccess" + }, + { + "name": "techniques", + "value": "T1566" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject5')._huntingQuerycontentId5),'/'))))]", + "properties": { + "description": "CheckPoint Harmony Email and Collaboration Hunting Query 5", + "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject5')._huntingQuerycontentId5)]", + "contentId": "[variables('huntingQueryObject5')._huntingQuerycontentId5]", 
+ "kind": "HuntingQuery", + "version": "[variables('huntingQueryObject5').huntingQueryVersion5]", + "source": { + "kind": "Solution", + "name": "CheckPoint Harmony Email and Collaboration", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Checkpoint", + "email": "[variables('_email')]" + }, + "support": { + "name": "Harmony Email and Collaboration", + "tier": "Partner", + "email": "EmailSecurity_Support@checkpoint.com", + "link": "https://supportcenter.checkpoint.com/product/495" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('huntingQueryObject5')._huntingQuerycontentId5]", + "contentKind": "HuntingQuery", + "displayName": "DLP Detections", + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject5')._huntingQuerycontentId5,'-', '1.0.0')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject5')._huntingQuerycontentId5,'-', '1.0.0')))]", + "version": "1.0.0" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject1').analyticRuleTemplateSpecName1]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "CheckpointHECPhishingNotQuarantined_AnalyticalRules Analytics Rule with template version 3.0.0", + "mainTemplate": { + "$schema": 
"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject1')._analyticRulecontentId1]", + "apiVersion": "2023-02-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "This query searches for phishing emails that are pending action", + "displayName": "Checkpoint - Pending Phishing emails", + "enabled": false, + "query": "CheckpointHEC_CL | where EventCurrentState == \"new\" and EventCategory == \"phishing\"", + "queryFrequency": "PT5M", + "queryPeriod": "PT15M", + "severity": "High", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "connectorId": "CheckpointHECConnection", + "dataTypes": [ + "CheckpointHEC_CL" + ] + } + ], + "tactics": [ + "InitialAccess" + ], + "techniques": [ + "T1566" + ], + "entityMappings": [ + { + "entityType": "MailMessage", + "fieldMappings": [ + { + "columnName": "EmailFromEmail", + "identifier": "Sender" + }, + { + "columnName": "EmailMessageId", + "identifier": "NetworkMessageId" + }, + { + "columnName": "EmailSubject", + "identifier": "Subject" + } + ] + }, + { + "entityType": "Mailbox", + "fieldMappings": [ + { + "columnName": "EmailTo", + "identifier": "MailboxPrimaryAddress" + } + ] + } + ], + "eventGroupingSettings": { + "aggregationKind": "SingleAlert" + }, + "customDetails": { + "EmailID": "EmailEmailId" + }, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "lookbackDuration": "1d", + "enabled": true, + "reopenClosedIncident": false, + "matchingMethod": "AllEntities" + } + } + } + }, + { + "type": 
"Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject1').analyticRuleId1,'/'))))]", + "properties": { + "description": "CheckPoint Harmony Email and Collaboration Analytics Rule 1", + "parentId": "[variables('analyticRuleObject1').analyticRuleId1]", + "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject1').analyticRuleVersion1]", + "source": { + "kind": "Solution", + "name": "CheckPoint Harmony Email and Collaboration", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Checkpoint", + "email": "[variables('_email')]" + }, + "support": { + "name": "Harmony Email and Collaboration", + "tier": "Partner", + "email": "EmailSecurity_Support@checkpoint.com", + "link": "https://supportcenter.checkpoint.com/product/495" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]", + "contentKind": "AnalyticsRule", + "displayName": "Checkpoint - Pending Phishing emails", + "contentProductId": "[variables('analyticRuleObject1')._analyticRulecontentProductId1]", + "id": "[variables('analyticRuleObject1')._analyticRulecontentProductId1]", + "version": "[variables('analyticRuleObject1').analyticRuleVersion1]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('playbookTemplateSpecName1')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', 
parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Quarantine-Email Playbook with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('playbookVersion1')]", + "parameters": { + "PlaybookName": { + "type": "String", + "defaultValue": "Quarantine-Email" + }, + "location": { + "type": "String", + "metadata": { + "description": "Location for the Logic App deployment" + } + }, + "functionAppResourceId": { + "type": "String", + "metadata": { + "description": "Resource ID of the Azure Function App (Microsoft.Web/sites/...) that contains the Quarantine function." + } + }, + "sentinelConnectionResourceId": { + "type": "String", + "metadata": { + "description": "Resource ID of the Microsoft Sentinel (azuresentinel) API connection in this resource group." + } + }, + "Host": { + "type": "String" + }, + "ClientID": { + "type": "String" + }, + "ClientSecret": { + "type": "String", + "metadata": { + "description": "Prefer using Key Vault instead of passing secrets via parameters." 
+ } + }, + "Brand": { + "type": "String", + "defaultValue": "checkpoint" + } + }, + "variables": { + "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", + "workspace-name": "[parameters('workspace')]", + "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" + }, + "resources": [ + { + "type": "Microsoft.Logic/workflows", + "apiVersion": "2017-07-01", + "name": "[[parameters('playbookName')]", + "location": "[[parameters('location')]", + "tags": { + "LogicAppsCategory": "security", + "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" + }, + "identity": { + "type": "SystemAssigned" + }, + "properties": { + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "Host": { + "type": "String" + }, + "ClientID": { + "type": "String" + }, + "ClientSecret": { + "type": "String" + }, + "Brand": { + "type": "String" + }, + "$connections": { + "type": "Object" + } + }, + "triggers": { + "Microsoft_Sentinel_incident": { + "type": "ApiConnectionWebhook", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "body": { + "callback_url": "@listCallbackUrl()" + }, + "path": "/incident-creation" + } + } + }, + "actions": { + "Initialize_processedEmailIds": { + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "processedEmailIds", + "type": "array", + "value": "[variables('TemplateEmptyArray')]" + } + ] + } + }, + "For_each_alert": { + "type": "Foreach", + "foreach": "@coalesce(triggerBody()?['object']?['properties']?['Alerts'], createArray())", + "runAfter": { + "Initialize_processedEmailIds": [ + "Succeeded" + ] + }, + "actions": { + "Parse_Custom_Details": { + "type": "ParseJson", + "inputs": { + "content": 
"@items('For_each_alert')?['properties']?['additionalData']?['Custom Details']", + "schema": { + "type": "object", + "properties": { + "EmailID": { + "type": "array", + "items": { + "type": "string" + } + } + } + } + } + }, + "For_each_emailId": { + "type": "Foreach", + "foreach": "@coalesce(outputs('Parse_Custom_Details')?['body']?['EmailID'], createArray())", + "runAfter": { + "Parse_Custom_Details": [ + "Succeeded" + ] + }, + "runtimeConfiguration": { + "concurrency": { + "repetitions": 20 + } + }, + "actions": { + "Call_Quarantine_Function": { + "type": "Function", + "inputs": { + "body": { + "brand": "@parameters('Brand')", + "host": "@parameters('Host')", + "clientId": "@parameters('ClientID')", + "clientSecret": "@parameters('ClientSecret')", + "action": "eventQuarantine", + "entityIds": [ + "@items('For_each_emailId')" + ] + }, + "function": { + "id": "[[concat(parameters('functionAppResourceId'), '/functions/Quarantine')]" + } + } + }, + "Append_to_processedEmailIds": { + "type": "AppendToArrayVariable", + "runAfter": { + "Call_Quarantine_Function": [ + "Succeeded" + ] + }, + "inputs": { + "name": "processedEmailIds", + "value": "@items('For_each_emailId')" + } + } + } + } + } + } + } + }, + "parameters": { + "Host": { + "value": "[[parameters('Host')]" + }, + "ClientID": { + "value": "[[parameters('ClientID')]" + }, + "ClientSecret": { + "value": "[[parameters('ClientSecret')]" + }, + "Brand": { + "value": "[[parameters('Brand')]" + }, + "$connections": { + "value": { + "azuresentinel": { + "id": "[[concat(subscription().id, '/providers/Microsoft.Web/locations/', parameters('location'), '/managedApis/azuresentinel')]", + "connectionId": "[[parameters('sentinelConnectionResourceId')]", + "connectionName": "[[concat('azuresentinel-', parameters('playbookName'))]" + } + } + } + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId1'),'/'))))]", + "properties": { + "parentId": "[variables('playbookId1')]", + "contentId": "[variables('_playbookContentId1')]", + "kind": "Playbook", + "version": "[variables('playbookVersion1')]", + "source": { + "kind": "Solution", + "name": "CheckPoint Harmony Email and Collaboration", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Checkpoint", + "email": "[variables('_email')]" + }, + "support": { + "name": "Harmony Email and Collaboration", + "tier": "Partner", + "email": "EmailSecurity_Support@checkpoint.com", + "link": "https://supportcenter.checkpoint.com/product/495" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_playbookContentId1')]", + "contentKind": "Playbook", + "displayName": "Quarantine-Email", + "contentProductId": "[variables('_playbookcontentProductId1')]", + "id": "[variables('_playbookcontentProductId1')]", + "version": "[variables('playbookVersion1')]" + } + } + ], + "outputs": {} +} diff --git a/Solutions/Checkpoint Harmony Email and Collaboration/Package/testParameters.json b/Solutions/Checkpoint Harmony Email and Collaboration/Package/testParameters.json new file mode 100644 index 00000000000..554801e41b7 --- /dev/null +++ b/Solutions/Checkpoint Harmony Email and Collaboration/Package/testParameters.json 
@@ -0,0 +1,38 @@
+{
+ "location": {
+ "type": "string",
+ "minLength": 1,
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace"
+ }
+ },
+ "workspace-location": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]"
+ }
+ },
+ "workspace": {
+ "defaultValue": "",
+ "type": "string",
+ "metadata": {
+ "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup"
+ }
+ },
+ "resourceGroupName": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().name]",
+ "metadata": {
+ "description": "resource group name where Microsoft Sentinel is setup"
+ }
+ },
+ "subscription": {
+ "type": "string",
+ "defaultValue": "[last(split(subscription().id, '/'))]",
+ "metadata": {
+ "description": "subscription id where Microsoft Sentinel is setup"
+ }
+ }
+}
diff --git a/Solutions/Checkpoint Harmony Email and Collaboration/Playbooks/Quarantine/quarantine.json b/Solutions/Checkpoint Harmony Email and Collaboration/Playbooks/Quarantine/quarantine.json
new file mode 100644
index 00000000000..b9099d24b40
--- /dev/null
+++ b/Solutions/Checkpoint Harmony Email and Collaboration/Playbooks/Quarantine/quarantine.json
@@ -0,0 +1,188 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "PlaybookName": {
+ "type": "String",
+ "defaultValue": "Quarantine-Email"
+ },
+ "location": {
+ "type": "String",
+ "metadata": {
+ "description": "Location for the Logic App deployment"
+ }
+ },
+ "functionAppResourceId": {
+ "type": "String",
+ "metadata": {
+ "description": "Resource ID of the Azure Function App (Microsoft.Web/sites/...) that contains the Quarantine function."
+ }
+ },
+ "sentinelConnectionResourceId": {
+ "type": "String",
+ "metadata": {
+ "description": "Resource ID of the Microsoft Sentinel (azuresentinel) API connection in this resource group."
+ }
+ },
+ "Host": { "type": "String" },
+ "ClientID": { "type": "String" },
+ "ClientSecret": {
+ "type": "String",
+ "metadata": {
+ "description": "Prefer using Key Vault instead of passing secrets via parameters."
+ }
+ },
+ "Brand": { "type": "String", "defaultValue": "checkpoint" }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.Logic/workflows",
+ "apiVersion": "2017-07-01",
+ "name": "[parameters('playbookName')]",
+ "location": "[parameters('location')]",
+ "tags": {
+ "LogicAppsCategory": "security"
+ },
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "properties": {
+ "state": "Enabled",
+ "definition": {
+ "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "Host": { "type": "String" },
+ "ClientID": { "type": "String" },
+ "ClientSecret": { "type": "String" },
+ "Brand": { "type": "String" },
+ "$connections": { "type": "Object", "defaultValue": {} }
+ },
+ "triggers": {
+ "Microsoft_Sentinel_incident": {
+ "type": "ApiConnectionWebhook",
+ "inputs": {
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "body": {
+
"callback_url": "@listCallbackUrl()" + }, + "path": "/incident-creation" + } + } + }, + "actions": { + "Initialize_processedEmailIds": { + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "processedEmailIds", + "type": "array", + "value": [] + } + ] + } + }, + "For_each_alert": { + "type": "Foreach", + "foreach": "@coalesce(triggerBody()?['object']?['properties']?['Alerts'], createArray())", + "runAfter": { + "Initialize_processedEmailIds": [ + "Succeeded" + ] + }, + "actions": { + "Parse_Custom_Details": { + "type": "ParseJson", + "inputs": { + "content": "@items('For_each_alert')?['properties']?['additionalData']?['Custom Details']", + "schema": { + "type": "object", + "properties": { + "EmailID": { + "type": "array", + "items": { "type": "string" } + } + } + } + } + }, + "For_each_emailId": { + "type": "Foreach", + "foreach": "@coalesce(outputs('Parse_Custom_Details')?['body']?['EmailID'], createArray())", + "runAfter": { + "Parse_Custom_Details": [ + "Succeeded" + ] + }, + "runtimeConfiguration": { + "concurrency": { "repetitions": 20 } + }, + "actions": { + "Call_Quarantine_Function": { + "type": "Function", + "inputs": { + "body": { + "brand": "@parameters('Brand')", + "host": "@parameters('Host')", + "clientId": "@parameters('ClientID')", + "clientSecret": "@parameters('ClientSecret')", + "action": "eventQuarantine", + "entityIds": [ + "@items('For_each_emailId')" + ] + }, + "function": { + "id": "[concat(parameters('functionAppResourceId'), '/functions/Quarantine')]" + } + } + }, + "Append_to_processedEmailIds": { + "type": "AppendToArrayVariable", + "runAfter": { + "Call_Quarantine_Function": [ + "Succeeded" + ] + }, + "inputs": { + "name": "processedEmailIds", + "value": "@items('For_each_emailId')" + } + } + } + } + } + } + } + }, + "parameters": { + "Host": { "value": "[parameters('Host')]" }, + "ClientID": { "value": "[parameters('ClientID')]" }, + "ClientSecret": { "value": "[parameters('ClientSecret')]" }, + "Brand": { 
"value": "[parameters('Brand')]" }, + "$connections": { + "value": { + "azuresentinel": { + "id": "[concat(subscription().id, '/providers/Microsoft.Web/locations/', parameters('location'), '/managedApis/azuresentinel')]", + "connectionId": "[parameters('sentinelConnectionResourceId')]", + "connectionName": "[concat('azuresentinel-', parameters('playbookName'))]", + "connectionProperties": {} + } + } + } + } + } + } + ], + "outputs": { + "playbookResourceId": { + "type": "String", + "value": "[resourceId('Microsoft.Logic/workflows', parameters('playbookName'))]" + } + } +} \ No newline at end of file diff --git a/Solutions/Checkpoint Harmony Email and Collaboration/ReleaseNotes.md b/Solutions/Checkpoint Harmony Email and Collaboration/ReleaseNotes.md new file mode 100644 index 00000000000..5dbcd873cca --- /dev/null +++ b/Solutions/Checkpoint Harmony Email and Collaboration/ReleaseNotes.md @@ -0,0 +1,3 @@ +| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | +|---|---|---| +| 3.0.0 | 11-03-2026 | Initial Solution Release — includes **Data Connector** (CCP/Push), **Analytic Rule**, **Hunting Queries** (5), and **Playbook** (Quarantine) | \ No newline at end of file diff --git a/Solutions/Checkpoint Harmony Email and Collaboration/SolutionMetadata.json b/Solutions/Checkpoint Harmony Email and Collaboration/SolutionMetadata.json new file mode 100644 index 00000000000..de2285c54b6 --- /dev/null +++ b/Solutions/Checkpoint Harmony Email and Collaboration/SolutionMetadata.json @@ -0,0 +1,15 @@ +{ + "publisherId": "checkpoint", + "offerId": "azure-sentinel-checkpoint-hec", + "firstPublishDate": "2025-04-29", + "providers": ["Check Point Software"], + "categories": { + "domains": ["Security - Threat Intelligence"] + }, + "support": { + "name": "Harmony Email and Collaboration", + "tier": "Partner", + "email": "EmailSecurity_Support@checkpoint.com", + "link": "https://supportcenter.checkpoint.com/product/495" + } +}