Check Point Exposure Management - Credential Leak Validation and Response
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊
When a new Microsoft Sentinel incident is created for leaked credentials, this playbook queries the Check Point Exposure Management credential leak API for the affected domain, enriches the incident with exposed credential details, and adds results as an incident comment.
| Attribute | Value |
|---|---|
| Type | Playbook |
| Solution | Check Point Cyberint Alerts |
| Source | View on GitHub |
Logic App Connectors
This playbook uses 2 Logic App connectors / built-in actions:
| Connector / Action | Type | Connections | Actions |
|---|---|---|---|
azuresentinel |
Managed | 1 | 3 |
http |
Built-in | 0 | 1 |
Action parameters (URLs, paths, function IDs)
azuresentinel (Managed)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| Entities_-_Get_Accounts | post | /entities/account |
— |
| Add_comment_to_incident | post | /Incidents/Comment |
— |
| Update_incident_severity | put | /Incidents |
— |
http (Built-in)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| Query_Leaked_Credentials | POST | @{parameters('API_Base_URL')}/by_domain/ |
— |
Additional Documentation
Summary
When a new Microsoft Sentinel incident is created for leaked credentials, this playbook queries the Check Point Exposure Management credential leak API for the affected company domain, enriches the incident with exposed credential details, and escalates severity when the leak volume is high.
Flow:
- Calls Check_Point_EM_Base to retrieve API credentials.
- Extracts account entities from the Sentinel incident.
- Queries
POST /by_domain/for leaked credentials matching the configured company domain. - Adds a comment listing each exposed credential (email, source, last seen).
- If more than 10 credentials are found, escalates incident severity to High.
Prerequisites
- Check_Point_EM_Base playbook must be deployed in the same resource group.
- A valid Check Point Exposure Management API token configured in the Check_Point_EM_Base Key Vault.
Deployment
Parameters
| Parameter | Required | Description |
|---|---|---|
| PlaybookName | No | Name of the Logic App (default: Check_Point_EM_CredentialLeakResponse) |
| Check_Point_EM_Base_PlaybookName | No | Name of the base playbook (default: Check_Point_EM_Base) |
| CompanyDomain | Yes | Primary company domain to check for leaked credentials (e.g., example.com) |
Post-Deployment
- Grant the Logic App Managed Identity the Microsoft Sentinel Responder role on the resource group.
- Configure an automation rule in Microsoft Sentinel to trigger this playbook on credential leak incidents.
- Optionally integrate with your Identity Provider (Entra ID, Okta) to automate password resets for exposed accounts.
API Endpoints Used
| Action | Endpoint |
|---|---|
| Query leaked credentials | POST /by_domain/ |
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊