Check Point Exposure Management - Fetch Attachments On-Demand
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊
On-demand playbook that fetches alert attachments and analysis report for a Sentinel incident, surfacing the results as an incident comment.
| Attribute | Value |
|---|---|
| Type | Playbook |
| Solution | Check Point Cyberint Alerts |
| Source | View on GitHub |
Logic App Connectors
This playbook uses 2 Logic App connectors / built-in actions:
| Connector / Action | Type | Connections | Actions |
|---|---|---|---|
azuresentinel |
Managed | 1 | 2 |
http |
Built-in | 0 | 3 |
Action parameters (URLs, paths, function IDs)
azuresentinel (Managed)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| Add_attachments_comment | post | /Incidents/Comment |
— |
| Update_incident_tags | put | /Incidents |
— |
http (Built-in)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| Get_Alert_Details | GET | @{parameters('API_Base_URL')}/api/v1/alerts/@{encodeURIComponent(variables('AlertRefId'))} |
— |
| Get_Attachment | GET | @{parameters('API_Base_URL')}/api/v1/alerts/@{encodeURIComponent(variables('AlertRefId'))}/attachments/@{encodeURIComponent(items('For_each_attachment')?['id'])} |
— |
| Get_Analysis_Report | GET | @{parameters('API_Base_URL')}/api/v1/alerts/@{encodeURIComponent(variables('AlertRefId'))}/analysis_report |
— |
Additional Documentation
Summary
On-demand playbook that fetches alert attachments and analysis report for a Sentinel incident. Analysts trigger this manually from the incident Actions menu to retrieve supporting evidence and analysis from Argos.
Flow:
- Calls Check_Point_EM_Base to retrieve API credentials.
- Extracts alert reference IDs from the incident.
- For each alert, fetches the full alert details including attachments list.
- Downloads each attachment and records metadata (name, type, fetch status).
- Fetches the analysis report for the alert.
- Adds a comment with attachment metadata and analysis report content.
- Tags the incident
argos-attachments-fetched.
Prerequisites
- Check_Point_EM_Base playbook must be deployed in the same resource group.
- A valid Check Point Exposure Management API token configured in the Check_Point_EM_Base Key Vault.
Deployment
Parameters
| Parameter | Required | Description |
|---|---|---|
| PlaybookName | No | Name of the Logic App (default: Check_Point_EM_FetchAttachments) |
| Check_Point_EM_Base_PlaybookName | No | Name of the base playbook (default: Check_Point_EM_Base) |
Post-Deployment
- Grant the Logic App Managed Identity the Microsoft Sentinel Responder role on the resource group.
- Analysts can run this playbook from the Sentinel incident Actions > Run playbook menu.
Notes
- v1: Attachment metadata and analysis report content are added as incident comments. Actual file storage (e.g., Blob Storage) is planned for v2.
- The playbook handles 302 redirects automatically (Logic App HTTP action follows redirects by default).
- If individual attachments fail to download, the playbook continues with remaining attachments and reports per-item status.
API Endpoints Used
| Action | Endpoint |
|---|---|
| Get alert details | GET /api/v1/alerts/{alert_ref_id} |
| Get attachment | GET /api/v1/alerts/{alert_ref_id}/attachments/{attachment_id} |
| Get analysis report | GET /api/v1/alerts/{alert_ref_id}/analysis_report |
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊