Check Point EM - Importer (Alerts → Sentinel Incidents)

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊

↑ Back to Content Index

Queries the argsentdc_CL custom table (populated by the CCP data connector) for recent alerts and creates corresponding Microsoft Sentinel incidents.

Attribute	Value
Type	Playbook
Solution	Check Point Cyberint Alerts
Source	View on GitHub

Tables Used

This content item queries data from the following tables:

Table	Selection Criteria	Transformations	Ingestion API	Lake-Only
`argsentdc_CL`		✓	✓	✓

Logic App Connectors

This playbook uses 2 Logic App connectors / built-in actions:

Connector / Action	Type	Connections	Actions
`azuremonitorlogs`	Managed	1	1
`azuresentinel`	Managed	1	2

Action parameters (URLs, paths, function IDs)

`azuremonitorlogs` (Managed)

Action	Method	Endpoint	Other
Run_KQL_Query	post	`/queryData`	—

`azuresentinel` (Managed)

Action	Method	Endpoint	Other
Create_incident	put	`[concat('/Incidents/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/workspaces/', parameters('Workspace_Name'))]`	—
Add_comment_to_incident	post	`/Incidents/Comment`	—

Additional Documentation

📄 Source: Sync/CPEM_InboundSync/readme.md

Check Point Exposure Management - Importer (Argos Status Changes → Sentinel)

Summary

This playbook polls Argos for recently modified alerts and writes updated records to the argsentdc_CL custom Log Analytics table. It complements the CCP data connector which only ingests new alerts (using created_date). The Importer catches status changes, closures, and other alert updates using the modification_date filter.

Flow:

Runs on a configurable recurrence interval (default: 10 minutes).
Calls Check_Point_EM_Base to retrieve API credentials.
Calculates the polling time window (last N minutes) as Unix timestamps.
Polls alerts API with modification_date filter.
For each modified alert, writes the updated record to the custom table via the Data Collection API.
Tracks success/error counts per run.

Prerequisites

Check_Point_EM_Base playbook must be deployed in the same resource group.
A valid Check Point Exposure Management API token configured in the Check_Point_EM_Base Key Vault.
The CCP data connector must be deployed (provides the Data Collection Endpoint and Data Collection Rule).

Deployment

Parameters

Parameter	Required	Description
PlaybookName	No	Name of the Logic App (default: `Check_Point_EM_Importer`)
Check_Point_EM_Base_PlaybookName	No	Name of the base playbook (default: `Check_Point_EM_Base`)
PollingIntervalMinutes	No	Poll interval in minutes (default: `10`)
DataCollectionEndpoint	Yes	DCE URL from the CCP connector deployment
DataCollectionRuleImmutableId	Yes	DCR immutable ID from the CCP connector deployment

Post-Deployment

The ARM template automatically assigns the Monitoring Metrics Publisher role to the Logic App's Managed Identity.
Verify the Recurrence trigger is running at the configured interval in the Logic App run history.

Deduplication

If the same alert appears in both the CCP connector (new) and Importer (modified) within the same window, the table will have two rows with the same ref_id. This is expected — analytics rules should use arg_max(TimeGenerated, *) by ref_id to get the latest state.

Error Handling

HTTP requests use exponential backoff retry policy (3 retries) for 429/5xx errors.
Per-record errors are counted but don't block remaining records.
Success and error counts are tracked per run for monitoring via Logic App run history.

API Endpoints Used

Action	Endpoint
Poll modified alerts	`POST {ArgosBaseUrl}` with `modification_date` filter
Write to custom table	`POST {DCE}/dataCollectionRules/{dcr_id}/streams/Custom-argsentdc_CL`