Init Checkpoint HEC SOAR content hub #13680
Open
chkp-arvidb wants to merge 11 commits into Azure:master from CheckPointSW:checkpoint-hec-soar
3178ae7 Init Checkpoint HEC SOAR content hub (chkp-arvidb)
823fa2c Update test, fix unreferenced variable (chkp-arvidb)
0ce2054 update analytic rule required data connector (chkp-arvidb)
95b65ca bump version to 3.0.0 and add release notes (chkp-arvidb)
84404e9 Merge branch 'Azure:master' into checkpoint-hec-soar (chkp-arvidb)
449923e Update main and UI definition (chkp-arvidb)
de40b53 Merge remote-tracking branch 'origin/checkpoint-hec-soar' into checkp… (chkp-arvidb)
304c60f Merge branch 'Azure:master' into checkpoint-hec-soar (chkp-arvidb)
4328daf Update main and UI definition v2 (chkp-arvidb)
7bbd1ce Validation fix (chkp-arvidb)
b59063c Validation fix 2 (chkp-arvidb)
137 changes: 137 additions & 0 deletions
.script/tests/KqlvalidationsTests/CustomTables/CheckpointHEC_CL.json
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,137 @@ | ||
| { | ||
| "Name": "CheckpointHEC_CL", | ||
| "Properties": [ | ||
| { | ||
| "Name": "TimeGenerated", | ||
| "Type": "datetime" | ||
| }, | ||
| { | ||
| "Name": "email_raw", | ||
| "Type": "dynamic" | ||
| }, | ||
| { | ||
| "Name": "event_raw", | ||
| "Type": "dynamic" | ||
| }, | ||
| { | ||
| "Name": "EmailEmailId", | ||
| "Type": "string" | ||
| }, | ||
| { | ||
| "Name": "EmailType", | ||
| "Type": "string" | ||
| }, | ||
| { | ||
| "Name": "EmailSubject", | ||
| "Type": "string" | ||
| }, | ||
| { | ||
| "Name": "EmailTo", | ||
| "Type": "dynamic" | ||
| }, | ||
| { | ||
| "Name": "EmailFromEmail", | ||
| "Type": "string" | ||
| }, | ||
| { | ||
| "Name": "EmailFromName", | ||
| "Type": "string" | ||
| }, | ||
| { | ||
| "Name": "EmailBbc", | ||
| "Type": "dynamic" | ||
| }, | ||
| { | ||
| "Name": "EmailCc", | ||
| "Type": "dynamic" | ||
| }, | ||
| { | ||
| "Name": "EmailReplyTo", | ||
| "Type": "dynamic" | ||
| }, | ||
| { | ||
| "Name": "EmailBodyContentType", | ||
| "Type": "string" | ||
| }, | ||
| { | ||
| "Name": "EmailMessageId", | ||
| "Type": "string" | ||
| }, | ||
| { | ||
| "Name": "EmailDirection", | ||
| "Type": "string" | ||
| }, | ||
| { | ||
| "Name": "EmailAttachmentCount", | ||
| "Type": "int" | ||
| }, | ||
| { | ||
| "Name": "EmailAttachmentsPayloads", | ||
| "Type": "dynamic" | ||
| }, | ||
| { | ||
| "Name": "EmailLinks", | ||
| "Type": "dynamic" | ||
| }, | ||
| { | ||
| "Name": "EmailSenderClientIp", | ||
| "Type": "string" | ||
| }, | ||
| { | ||
| "Name": "EmailSenderServerIp", | ||
| "Type": "string" | ||
| }, | ||
| { | ||
| "Name": "EmailDkimResults", | ||
| "Type": "string" | ||
| }, | ||
| { | ||
| "Name": "EmailDmarcResults", | ||
| "Type": "string" | ||
| }, | ||
| { | ||
| "Name": "EmailSpfResults", | ||
| "Type": "string" | ||
| }, | ||
| { | ||
| "Name": "EmailSaasSpamVerdict", | ||
| "Type": "string" | ||
| }, | ||
| { | ||
| "Name": "EventEventId", | ||
| "Type": "string" | ||
| }, | ||
| { | ||
| "Name": "EventCategory", | ||
| "Type": "string" | ||
| }, | ||
| { | ||
| "Name": "EventConfidenceIndicator", | ||
| "Type": "string" | ||
| }, | ||
| { | ||
| "Name": "EventConfidenceLevel", | ||
| "Type": "int" | ||
| }, | ||
| { | ||
| "Name": "EventCurrentState", | ||
| "Type": "string" | ||
| }, | ||
| { | ||
| "Name": "EventDescription", | ||
| "Type": "string" | ||
| }, | ||
| { | ||
| "Name": "EventPolicyRuleId", | ||
| "Type": "int" | ||
| }, | ||
| { | ||
| "Name": "EventAction", | ||
| "Type": "string" | ||
| }, | ||
| { | ||
| "Name": "EventProvider", | ||
| "Type": "string" | ||
| } | ||
| ] | ||
| } |
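Review bot: `"Name": "EmailBbc"` in the Properties list looks like a typo for `EmailBcc`, sitting as it does next to `EmailTo` and `EmailCc`. Since this file is the schema the KQL validation tests resolve `CheckpointHEC_CL` against, a column name that differs from what the data connector actually writes lets a query validate against a column that never exists in the workspace; confirm the spelling the connector emits and make the two agree rather than renaming only here.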
51 changes: 51 additions & 0 deletions
...t Harmony Email and Collaboration/Analytic Rules/CheckpointHECPhishingNotQuarantined.yaml
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,51 @@ | ||
| id: a97e2333-b7de-4c14-9700-e652a1dbef26 | ||
| name: Checkpoint - Pending Phishing emails | ||
| apiVersion: 2021-09-01-preview | ||
| description: This query searches for phishing emails that are pending action | ||
| displayName: Checkpoint - Pending Phishing emails | ||
| severity: High | ||
| enabled: true | ||
| query: CheckpointHEC_CL | where EventCurrentState == "new" and EventCategory == "phishing" | ||
| queryFrequency: 5m | ||
| queryPeriod: 15m | ||
| requiredDataConnectors: | ||
| - connectorId: CheckpointHECConnection | ||
| dataTypes: | ||
| - CheckpointHEC_CL | ||
| triggerOperator: gt | ||
| triggerThreshold: 0 | ||
| tactics: | ||
| - InitialAccess | ||
| relevantTechniques: | ||
| - T1566 | ||
| suppressionDuration: 5h | ||
| suppressionEnabled: false | ||
| alertRuleTemplateName: | ||
| incidentConfiguration: | ||
| createIncident: true | ||
| groupingConfiguration: | ||
| enabled: true | ||
| reopenClosedIncident: false | ||
| lookbackDuration: 1d | ||
| matchingMethod: AllEntities | ||
| eventGroupingSettings: | ||
| aggregationKind: SingleAlert | ||
| alertDetailsOverride: | ||
| customDetails: | ||
| EmailID: EmailEmailId | ||
| entityMappings: | ||
| - entityType: MailMessage | ||
| fieldMappings: | ||
| - identifier: Sender | ||
| columnName: EmailFromEmail | ||
| - identifier: NetworkMessageId | ||
| columnName: EmailMessageId | ||
| - identifier: Subject | ||
| columnName: EmailSubject | ||
| - entityType: Mailbox | ||
| fieldMappings: | ||
| - identifier: MailboxPrimaryAddress | ||
| columnName: EmailTo | ||
| version: 1.0.0 | ||
| kind: Scheduled | ||
|
|
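Review bot: `EmailTo` is declared `dynamic` in the CheckpointHEC_CL schema but is mapped here to the `Mailbox` entity's `MailboxPrimaryAddress`, which is a single-address string identifier; an array value is unlikely to populate the entity as intended. Consider `| mv-expand EmailTo | extend EmailTo = tostring(EmailTo)` in the query before the entity mapping (or `tostring(EmailTo[0])` if one mailbox per alert is acceptable). Two smaller points: `alertRuleTemplateName:` is left empty and should be filled or dropped, and with `queryFrequency: 5m`, `queryPeriod: 15m`, `suppressionEnabled: false` and `aggregationKind: SingleAlert`, an email that stays in state `new` will fire on up to three consecutive runs; the `AllEntities` grouping will merge those into one incident only while the mapped entities match exactly.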
52 changes: 52 additions & 0 deletions
Solutions/Checkpoint Harmony Email and Collaboration/AzureFunctions/Quarantine/__init__.py
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,52 @@ | ||
| import azure.functions as func | ||
| import json | ||
|
|
||
| from utils.client import get_brand_client | ||
|
|
||
| SUPPORTED_ACTIONS = ['entityQuarantine', 'eventQuarantine'] | ||
| SUPPORTED_BRANDS = ['checkpoint', 'avanan'] | ||
| _ACTION = 'quarantine' | ||
|
|
||
| def main(req: func.HttpRequest) -> func.HttpResponse: | ||
| try: | ||
| body = req.get_json() | ||
| except ValueError: | ||
| return func.HttpResponse("Invalid JSON", status_code=400) | ||
|
|
||
| brand = body.get('brand') | ||
| host = body.get('host') | ||
| client_id = body.get('clientId') | ||
| client_secret = body.get('clientSecret') | ||
| action = body.get('action') | ||
| entity_type = body.get('entityType') | ||
| entity_ids = body.get('entityIds', []) | ||
|
|
||
| if brand not in SUPPORTED_BRANDS: | ||
| return func.HttpResponse(f'Brand {brand} is not one of supported {SUPPORTED_BRANDS}', | ||
| status_code=400) | ||
| elif action not in SUPPORTED_ACTIONS: | ||
| return func.HttpResponse(f'Action {action} is not one of support actions {SUPPORTED_ACTIONS}', | ||
| status_code=400) | ||
|
|
||
| client = get_brand_client(brand, host, client_id, client_secret) | ||
| if not client: | ||
| return func.HttpResponse('Unable to create client for the provided brand/credentials', | ||
| status_code=400) | ||
| if not client: | ||
| return func.HttpResponse(f'No client found for brand {brand}', status_code=400) | ||
|
|
||
| if action == 'entityQuarantine': | ||
| if not entity_type: | ||
| return func.HttpResponse(f'For entityAction action type, entityType must be specified' | ||
| , status_code=400) | ||
| args = [entity_ids, entity_type, _ACTION] | ||
| _func = client.entity_action | ||
| elif action == 'eventQuarantine': | ||
| args = [entity_ids, _ACTION] | ||
| _func = client.event_action | ||
|
|
||
| try: | ||
| res = _func(*args) | ||
| return func.HttpResponse(json.dumps(res), status_code=200) | ||
| except Exception as e: | ||
| return func.HttpResponse(f'Failed to execute action {e}', status_code=500) |
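Review bot: the second `if not client:` block (`return func.HttpResponse(f'No client found for brand {brand}', status_code=400)`) is unreachable, because the identical check two lines above has already returned; drop one of them. Two further points on the same function: `clientId` and `clientSecret` are taken from the request body, so every playbook invocation carries the tenant's API secret and it will appear wherever request bodies are captured or logged; reading them from application settings or a Key Vault reference keeps the secret out of the call path. And the `except Exception` branch returns the raw exception text to the caller in the 500 body without logging it; use `logging.exception(...)` and return a generic message instead. Minor: the `entityType` error says `entityAction` while the action is named `entityQuarantine`, and that f-string has no placeholders.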
16 changes: 16 additions & 0 deletions
Solutions/Checkpoint Harmony Email and Collaboration/AzureFunctions/Quarantine/function.json
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,16 @@ | ||
| { | ||
| "bindings": [ | ||
| { | ||
| "authLevel": "function", | ||
| "type": "httpTrigger", | ||
| "direction": "in", | ||
| "name": "req", | ||
| "methods": [ "post" ] | ||
| }, | ||
| { | ||
| "type": "http", | ||
| "direction": "out", | ||
| "name": "$return" | ||
| } | ||
| ] | ||
| } |
51 changes: 51 additions & 0 deletions
Solutions/Checkpoint Harmony Email and Collaboration/AzureFunctions/Restore/__init__.py
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,51 @@ | ||
| import azure.functions as func | ||
| import json | ||
|
|
||
| from utils.client import get_brand_client | ||
|
|
||
| SUPPORTED_ACTIONS = ['entityRestore', 'eventRestore'] | ||
| SUPPORTED_BRANDS = ['checkpoint', 'avanan'] | ||
| _ACTION = 'restore' | ||
|
|
||
| def main(req: func.HttpRequest) -> func.HttpResponse: | ||
| try: | ||
| body = req.get_json() | ||
| except ValueError: | ||
| return func.HttpResponse("Invalid JSON", status_code=400) | ||
|
|
||
| brand = body.get('brand') | ||
| host = body.get('host') | ||
| client_id = body.get('clientId') | ||
| client_secret = body.get('clientSecret') | ||
| action = body.get('action') | ||
| entity_type = body.get('entityType') | ||
| entity_ids = body.get('entityIds', []) | ||
|
|
||
| if brand not in SUPPORTED_BRANDS: | ||
| return func.HttpResponse(f'Brand {brand} is not one of supported {SUPPORTED_BRANDS}', | ||
| status_code=400) | ||
| elif action not in SUPPORTED_ACTIONS: | ||
| return func.HttpResponse(f'Action {action} is not one of support actions {SUPPORTED_ACTIONS}', | ||
| status_code=400) | ||
|
|
||
| client = get_brand_client(brand, host, client_id, client_secret) | ||
| if not client: | ||
| return func.HttpResponse('Unable to create client for the provided brand/credentials', | ||
| status_code=400) | ||
|
|
||
| if action == 'entityRestore': | ||
| if not entity_type: | ||
| return func.HttpResponse(f'For entityAction action type, entityType must be specified' | ||
| , status_code=400) | ||
| args = [entity_ids, entity_type, _ACTION] | ||
| _func = client.entity_action | ||
| elif action == 'eventRestore': | ||
| args = [entity_ids, _ACTION] | ||
| _func = client.event_action | ||
|
|
||
| try: | ||
| res = _func(*args) | ||
|
|
||
| return func.HttpResponse(json.dumps(res), status_code=200) | ||
| except Exception as e: | ||
| return func.HttpResponse(f'Failed to execute action {e}', status_code=500) | ||
|
|
||
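Review bot: this handler is a line-for-line copy of Quarantine/__init__.py with only `SUPPORTED_ACTIONS` and `_ACTION` swapped, and the two have already diverged (the Quarantine version carries a duplicated `if not client:` check that this one does not). Moving the shared body into `utils` as one function that takes the action name and its supported-actions list would keep request validation, error handling and the credential path identical for both functions. The same remarks apply here about the `entityAction` wording in the `entityType` error (an f-string with no placeholders) and about returning the raw exception text in the 500 response without logging it.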
16 changes: 16 additions & 0 deletions
Solutions/Checkpoint Harmony Email and Collaboration/AzureFunctions/Restore/function.json
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,16 @@ | ||
| { | ||
| "bindings": [ | ||
| { | ||
| "authLevel": "function", | ||
| "type": "httpTrigger", | ||
| "direction": "in", | ||
| "name": "req", | ||
| "methods": [ "post" ] | ||
| }, | ||
| { | ||
| "type": "http", | ||
| "direction": "out", | ||
| "name": "$return" | ||
| } | ||
| ] | ||
| } |
Empty file.
18 changes: 18 additions & 0 deletions
Solutions/Checkpoint Harmony Email and Collaboration/AzureFunctions/host.json
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,18 @@ | ||
| { | ||
| "version": "2.0", | ||
| "extensions": { | ||
| "http": { "routePrefix": "api" } | ||
| }, | ||
| "logging": { | ||
| "applicationInsights": { | ||
| "samplingSettings": { | ||
| "isEnabled": true, | ||
| "excludedTypes": "Request" | ||
| } | ||
| } | ||
| }, | ||
| "extensionBundle": { | ||
| "id": "Microsoft.Azure.Functions.ExtensionBundle", | ||
| "version": "[4.*, 5.0.0)" | ||
| } | ||
| } |
8 changes: 8 additions & 0 deletions
Solutions/Checkpoint Harmony Email and Collaboration/AzureFunctions/requirements.txt
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,8 @@ | ||
| # Uncomment to enable Azure Monitor OpenTelemetry | ||
| # Ref: aka.ms/functions-azure-monitor-python | ||
| # azure-monitor-opentelemetry | ||
|
|
||
| azure-functions | ||
| requests | ||
| cached-property | ||
| python-jose |
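Review bot: none of the four dependencies (`azure-functions`, `requests`, `cached-property`, `python-jose`) is version-pinned, so each deployment resolves whatever is current on PyPI and a breaking or compromised release lands in the next build without any change to this repository. Pin exact versions (`requests==<version>` and so on, ideally with `--hash` entries) and bump them deliberately; content hub solutions are deployed by customers long after the merge, which makes floating requirements especially risky here.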
Empty file.