Check Point Exposure Management - Manual Status Update (Sentinel → Argos)
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊
On-demand playbook that reads the current Sentinel incident status and pushes it to the corresponding alert(s). Triggered manually from the incident actions menu.
| Attribute | Value |
|---|---|
| Type | Playbook |
| Solution | Check Point Cyberint Alerts |
| Source | View on GitHub |
Logic App Connectors
This playbook uses 2 Logic App connectors / built-in actions:
| Connector / Action | Type | Connections | Actions |
|---|---|---|---|
azuresentinel |
Managed | 1 | 2 |
http |
Built-in | 0 | 1 |
Action parameters (URLs, paths, function IDs)
azuresentinel (Managed)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| Add_sync_comment | post | /Incidents/Comment |
— |
| Update_incident_tags | put | /Incidents |
— |
http (Built-in)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| Update_Argos_Alert_Status | PUT | @{parameters('API_Base_URL')}/api/v1/alerts/@{encodeURIComponent(variables('AlertRefId'))} |
— |
Additional Documentation
📄 Source: Sync/CPEM_ManualStatusUpdate/readme.md
Summary
On-demand playbook that reads the current Sentinel incident status and pushes it to the corresponding alert(s). Analysts trigger this manually from the incident Actions menu when they want to explicitly sync status to Argos.
Flow:
- Calls Check_Point_EM_Base to retrieve API credentials.
- Reads the current incident status and close classification.
- Maps Sentinel status → Argos status and closure reason.
- For each linked alert, sends HTTP PUT to update the alert status.
- Adds a sync result comment and tags the incident
argos-manual-synced.
Prerequisites
- Check_Point_EM_Base playbook must be deployed in the same resource group.
- A valid Check Point Exposure Management API token configured in the Check_Point_EM_Base Key Vault.
Deployment
Parameters
| Parameter | Required | Description |
|---|---|---|
| PlaybookName | No | Name of the Logic App (default: Check_Point_EM_ManualStatusUpdate) |
| Check_Point_EM_Base_PlaybookName | No | Name of the base playbook (default: Check_Point_EM_Base) |
Post-Deployment
- Grant the Logic App Managed Identity the Microsoft Sentinel Responder role on the resource group.
- Analysts can run this playbook from the Sentinel incident Actions > Run playbook menu.
Status Mapping
| Sentinel Status | Sentinel Classification | Argos Status | Argos Closure Reason |
|---|---|---|---|
| Active | — | open |
— |
| Closed | True Positive | closed |
resolved |
| Closed | False Positive | closed |
false_positive |
| Closed | Benign Positive | closed |
no_longer_a_threat |
| Closed | Undetermined | closed |
other |
API Endpoints Used
| Action | Endpoint |
|---|---|
| Update alert status | PUT /api/v1/alerts/{alert_ref_id} |
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊