When a new Microsoft Sentinel incident is created for a phishing website alert, this playbook extracts the phishing URL, evaluates confidence and severity thresholds, submits a takedown request to Check Point Exposure Management, and tracks the takedown status back to the incident.
| Attribute | Value |
|---|---|
| Type | Playbook |
| Solution | Check Point Cyberint Alerts |
| Source | View on GitHub |
This playbook uses 2 Logic App connectors / built-in actions:
| Connector / Action | Type | Connections | Actions |
|---|---|---|---|
| azuresentinel | Managed | 1 | 4 |
| http | Built-in | 0 | 2 |
azuresentinel (Managed)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| Add_enrichment_comment | post | /Incidents/Comment | — |
| Add_takedown_comment | post | /Incidents/Comment | — |
| Update_incident_tags | put | /Incidents | — |
| Add_below_threshold_comment | post | /Incidents/Comment | — |
http (Built-in)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| Get_Alert_Details | GET | @{parameters('API_Base_URL')}/api/v1/alerts/@{encodeURIComponent(variables('AlertRefId'))} | — |
| Submit_Takedown_Request | POST | @{parameters('API_Base_URL')}/api/v1/submit | — |
📄 Source: Response/CPEM_PhishingTakedown/readme.md
When a new Microsoft Sentinel incident is created for a phishing website alert, this playbook extracts the phishing URL from the alert, evaluates confidence and severity thresholds, and either auto-submits a takedown request or flags the incident for manual review.
Flow:
- Calls GET /api/v1/alerts/{ref_id} and enriches the incident comment with phishing site metadata (URL, A record, registrar, detection reasons, SSL, password field).
- When the confidence and severity thresholds are met, calls POST /api/v1/submit and tags the incident takedown-requested; otherwise the incident is flagged for manual review.
- The alert ref_id is taken from the incident's custom details.

Parameters:

| Parameter | Required | Description |
|---|---|---|
| PlaybookName | No | Name of the Logic App (default: Check_Point_EM_PhishingTakedown) |
| Check_Point_EM_Base_PlaybookName | No | Name of the base playbook (default: Check_Point_EM_Base) |
| MinConfidenceForAutoTakedown | No | Minimum confidence score (0-100) for auto-takedown (default: 80) |
| MinSeverityForAutoTakedown | No | Minimum Argos severity for auto-takedown (default: high) |
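The two threshold parameters above define the gate between an automatic takedown and manual review. The following is an added illustration of that gate, not the playbook's own Logic App logic and not Check Point code. It assumes an Argos severity ordering of low < medium < high < very_high (the page only states that the default floor is "high" and that confidence is a 0-100 score), and it fails closed: a missing or unrecognised field sends the incident to manual review rather than to a takedown. The `add_takedown_tag` helper shows the idempotent tagging step so that a re-run of the playbook does not duplicate the tag.

```python
"""Threshold gate and tagging step of the phishing takedown flow.

Added illustration, not the playbook's own logic. SEVERITY_RANK is an
assumed ordering; the page only names "high" as the default floor.
"""
from dataclasses import dataclass
from typing import Any, Optional

# Assumed Argos severity ordering, lowest to highest.
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "very_high": 3}
TAKEDOWN_TAG = "takedown-requested"  # tag the playbook puts on the incident


@dataclass(frozen=True)
class TakedownDecision:
    auto_takedown: bool
    reason: str  # text suitable for the incident comment


def severity_rank(severity: Optional[str]) -> Optional[int]:
    """Rank a severity string; None when it is missing or not recognised."""
    if not isinstance(severity, str):
        return None
    return SEVERITY_RANK.get(severity.strip().lower().replace(" ", "_"))


def parse_confidence(value: Any) -> Optional[int]:
    """Coerce the alert's confidence to an int in 0-100; None if absent/invalid."""
    try:
        score = int(float(value))
    except (TypeError, ValueError):
        return None
    return score if 0 <= score <= 100 else None


def evaluate_takedown(alert: dict, min_confidence: int = 80,
                      min_severity: str = "high") -> TakedownDecision:
    """Apply MinConfidenceForAutoTakedown and MinSeverityForAutoTakedown.

    Both gates must pass. Anything missing or unparseable fails closed so the
    incident goes to manual review instead of an automatic takedown request.
    """
    confidence = parse_confidence(alert.get("confidence"))
    if confidence is None:
        return TakedownDecision(False, "manual review: confidence score missing or invalid")
    if confidence < min_confidence:
        return TakedownDecision(
            False, f"manual review: confidence {confidence} below threshold {min_confidence}")

    rank = severity_rank(alert.get("severity"))
    floor = severity_rank(min_severity)
    if rank is None or floor is None:
        return TakedownDecision(
            False, f"manual review: unrecognised severity {alert.get('severity')!r}")
    if rank < floor:
        return TakedownDecision(
            False, f"manual review: severity {alert['severity']} below threshold {min_severity}")

    return TakedownDecision(
        True,
        f"auto-takedown: confidence {confidence} >= {min_confidence}, "
        f"severity {alert['severity']} >= {min_severity}")


def add_takedown_tag(tags: list) -> list:
    """Return the incident tag list with the takedown tag present exactly once."""
    return list(tags) if TAKEDOWN_TAG in tags else [*tags, TAKEDOWN_TAG]


if __name__ == "__main__":
    # Constructed sample alert, not real Check Point data.
    sample = {"ref_id": "REF-ID-PLACEHOLDER", "confidence": 92, "severity": "high",
              "url": "hxxp://example.invalid/login"}
    decision = evaluate_takedown(sample)
    print(decision.reason)
    if decision.auto_takedown:
        print("tags:", add_takedown_tag(["phishing"]))
```

Lowering `min_severity` to "medium" or `min_confidence` below 80 widens the auto-takedown gate; the reason string is what would go into the Add_takedown_comment or Add_below_threshold_comment step so an analyst can see which threshold decided the outcome.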
The playbook uses the takedown-requested tag on incidents to track takedown progress.

| Action | Endpoint |
|---|---|
| Get alert details | GET /api/v1/alerts/{alert_ref_id} |
| Submit takedown | POST /api/v1/submit |
| Check takedown status | POST /api/v1/submit (filter by alert_id) |