Check Point Exposure Management - Exporter (Sentinel → Argos)
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊
When a Sentinel incident status changes, this playbook pushes the update to the corresponding alert(s). Includes tag-based loop prevention to avoid circular sync with Importer.
| Attribute | Value |
|---|---|
| Type | Playbook |
| Solution | Check Point Cyberint Alerts |
| Source | View on GitHub |
Additional Documentation
📄 Source: Sync/CPEM_OutboundSync/readme.md
Summary
When a Microsoft Sentinel incident status changes, this playbook pushes the update to the corresponding alert(s). It maps Sentinel incident status and close classification to alert status and closure reason. Includes tag-based loop prevention to avoid circular sync with the Importer playbook.
Flow:
1. Calls Check_Point_EM_Base to retrieve API credentials.
2. Checks for loop prevention tag (argos-importer-synced) — skips if present.
3. Verifies this is an incident update (not creation) and that the Status field changed.
4. Maps Sentinel status → Argos status (Active → open, Closed → closed + closure reason).
5. For each linked alert, sends HTTP PUT to update the alert status.
6. Adds a sync result comment and tags the incident argos-exporter-synced.
Prerequisites
- Check_Point_EM_Base playbook must be deployed in the same resource group.
- A valid Check Point Exposure Management API token configured in the Check_Point_EM_Base Key Vault.
Deployment
Parameters
| Parameter | Required | Description |
|---|---|---|
| PlaybookName | No | Name of the Logic App (default: Check_Point_EM_Exporter) |
| Check_Point_EM_Base_PlaybookName | No | Name of the base playbook (default: Check_Point_EM_Base) |
Post-Deployment
- Grant the Logic App Managed Identity the Microsoft Sentinel Responder role on the resource group.
- Configure an automation rule in Microsoft Sentinel to trigger this playbook on incident status changes.
Status Mapping
| Sentinel Status | Sentinel Classification | Argos Status | Argos Closure Reason |
|---|---|---|---|
| Active | — | open |
— |
| Closed | True Positive | closed |
resolved |
| Closed | False Positive | closed |
false_positive |
| Closed | Benign Positive | closed |
no_longer_a_threat |
| Closed | Undetermined | closed |
other |
Loop Prevention
This playbook checks for the argos-importer-synced tag before syncing. If the tag is present (set by Importer), the playbook skips the update to prevent circular sync loops.
API Endpoints Used
| Action | Endpoint |
|---|---|
| Update alert status | PUT /api/v1/alerts/{alert_ref_id} |
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊