Check Point Exposure Management - Vulnerability Exploitation Monitoring



When a new Microsoft Sentinel incident is created containing CVE identifiers, this playbook enriches each CVE using the Check Point CVE Intelligence API (EPSS, CPEM score, exploitation evidence, PoC availability) and adds results as an incident comment.

Attribute   Value
Type        Playbook
Solution    Check Point Cyberint Alerts
Source      View on GitHub

Additional Documentation

📄 Source: Response/CPEM_VulnerabilityMonitoring/readme.md

Summary

When a new Microsoft Sentinel incident is created containing CVE identifiers, this playbook enriches each CVE using the Check Point CVE Intelligence API and adds enrichment results (EPSS, CPEM score, CVSS, CWE, PoC availability, exploitation evidence) as an incident comment. If any CVE exceeds the configured score threshold, the incident severity is escalated.

Flow:

  1. Calls Check_Point_EM_Base to retrieve API credentials.
  2. Extracts CVE identifiers (e.g., CVE-2024-1234) from the incident description.
  3. For each CVE, queries GET /cve-intel/get_enriched_cve/{cve_id}.
  4. Adds a comment with enrichment details per CVE.
  5. If the maximum CPEM CVE score exceeds the threshold, escalates incident severity to High and tags the incident.
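The extraction and escalation logic of the flow above (steps 2 to 5), as an added Python example that is not part of the playbook or the Check Point repository; the enrichment records, their field names and the tag name are constructed assumptions standing in for the live API call.

```python
import re
from typing import Dict, List, Optional

CVE_PATTERN = re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.IGNORECASE)  # year + 4 or more digits

# Constructed sample enrichment data; the field names are assumed for this
# example and are not the Check Point CVE Intelligence API response schema.
SAMPLE_ENRICHMENT: Dict[str, dict] = {
    "CVE-2024-1234": {"cpem_score": 8.6, "epss": 0.42, "cvss": 9.8,
                      "cwe": "CWE-787", "poc_available": True, "exploited": True},
    "CVE-2023-4321": {"cpem_score": 4.1, "epss": 0.01, "cvss": 6.5,
                      "cwe": "CWE-79", "poc_available": False, "exploited": False},
}

def extract_cve_ids(text: str) -> List[str]:
    """Unique CVE IDs in order of first appearance, normalised to upper case."""
    seen, found = set(), []
    for match in CVE_PATTERN.finditer(text):
        cve = match.group(0).upper()
        if cve not in seen:
            seen.add(cve)
            found.append(cve)
    return found

def format_comment(cve: str, data: dict) -> str:
    """One comment line per CVE carrying the fields the playbook reports."""
    return (f"{cve}: CPEM={data['cpem_score']} EPSS={data['epss']} CVSS={data['cvss']} "
            f"CWE={data['cwe']} PoC={'yes' if data['poc_available'] else 'no'} "
            f"Exploited={'yes' if data['exploited'] else 'no'}")

def triage_incident(description: str, threshold: float = 7.0,
                    lookup: Dict[str, dict] = SAMPLE_ENRICHMENT) -> dict:
    """Mirror the playbook decision: comment per CVE, escalate if max CPEM > threshold."""
    comments: List[str] = []
    max_score: Optional[float] = None
    for cve in extract_cve_ids(description):
        data = lookup.get(cve)  # stands in for GET /cve-intel/get_enriched_cve/{cve_id}
        if data is None:  # unknown CVE: record it, but it cannot drive escalation
            comments.append(f"{cve}: no enrichment data returned")
            continue
        comments.append(format_comment(cve, data))
        max_score = data["cpem_score"] if max_score is None else max(max_score, data["cpem_score"])
    escalate = max_score is not None and max_score > threshold
    return {
        "comments": comments,
        "max_cpem_score": max_score,
        "severity": "High" if escalate else None,  # None: leave severity unchanged
        "tags": ["CPEM-Escalated"] if escalate else [],  # tag name is assumed
    }
```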

Prerequisites

  1. Check_Point_EM_Base playbook must be deployed in the same resource group.
  2. A valid Check Point Exposure Management API token configured in the Check_Point_EM_Base Key Vault.
  3. Sentinel analytic rules that include CVE IDs in the incident description or custom details.

Deployment

Deploy to Azure

Parameters

Parameter                          Required  Description
PlaybookName                       No        Name of the Logic App (default: Check_Point_EM_VulnerabilityMonitoring)
Check_Point_EM_Base_PlaybookName   No        Name of the base playbook (default: Check_Point_EM_Base)
SeverityEscalationThreshold        No        CPEM CVE score threshold for escalation (default: 7.0)

Post-Deployment

  1. Grant the Logic App Managed Identity the Microsoft Sentinel Responder role on the resource group.
  2. Configure an automation rule in Microsoft Sentinel to trigger this playbook on vulnerability-related incidents.

API Endpoints Used

Action          Endpoint
CVE Enrichment  GET /cve-intel/get_enriched_cve/{cve_id}
