Check Point Exposure Management - Exporter (Sentinel → Argos)
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊
When a Sentinel incident status changes, this playbook pushes the update to the corresponding alert(s). Includes tag-based loop prevention to avoid circular sync with Importer.
| Attribute | Value |
|---|---|
| Type | Playbook |
| Solution | Check Point Cyberint Alerts |
| Source | View on GitHub |
Logic App Connectors
This playbook uses 2 Logic App connectors / built-in actions:
| Connector / Action | Type | Connections | Actions |
|---|---|---|---|
azuresentinel |
Managed | 1 | 2 |
http |
Built-in | 0 | 1 |
Action parameters (URLs, paths, function IDs)
azuresentinel (Managed)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| Add_sync_comment | post | /Incidents/Comment |
— |
| Update_incident_tags | put | /Incidents |
— |
http (Built-in)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| Update_Argos_Alert_Status | PUT | @{parameters('API_Base_URL')}/api/v1/alerts/@{encodeURIComponent(variables('AlertRefId'))} |
— |
Additional Documentation
📄 Source: Sync/CPEM_OutboundSync/readme.md
Summary
When a Microsoft Sentinel incident status changes, this playbook pushes the update to the corresponding alert(s). It maps Sentinel incident status and close classification to alert status and closure reason. Includes tag-based loop prevention to avoid circular sync with the Importer playbook.
Flow:
- Calls Check_Point_EM_Base to retrieve API credentials.
- Checks for loop prevention tag (
argos-importer-synced) — skips if present. - Verifies this is an incident update (not creation) and that the Status field changed.
- Maps Sentinel status → Argos status (
Active→open,Closed→closed+ closure reason). - For each linked alert, sends HTTP PUT to update the alert status.
- Adds a sync result comment and tags the incident
argos-exporter-synced.
Prerequisites
- Check_Point_EM_Base playbook must be deployed in the same resource group.
- A valid Check Point Exposure Management API token configured in the Check_Point_EM_Base Key Vault.
Deployment
Parameters
| Parameter | Required | Description |
|---|---|---|
| PlaybookName | No | Name of the Logic App (default: Check_Point_EM_Exporter) |
| Check_Point_EM_Base_PlaybookName | No | Name of the base playbook (default: Check_Point_EM_Base) |
Post-Deployment
- Grant the Logic App Managed Identity the Microsoft Sentinel Responder role on the resource group.
- Configure an automation rule in Microsoft Sentinel to trigger this playbook on incident status changes.
Status Mapping
| Sentinel Status | Sentinel Classification | Argos Status | Argos Closure Reason |
|---|---|---|---|
| Active | — | open |
— |
| Closed | True Positive | closed |
resolved |
| Closed | False Positive | closed |
false_positive |
| Closed | Benign Positive | closed |
no_longer_a_threat |
| Closed | Undetermined | closed |
other |
Loop Prevention
This playbook checks for the argos-importer-synced tag before syncing. If the tag is present (set by Importer), the playbook skips the update to prevent circular sync loops.
API Endpoints Used
| Action | Endpoint |
|---|---|
| Update alert status | PUT /api/v1/alerts/{alert_ref_id} |
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊