When a new Microsoft Sentinel incident is created, this playbook enriches IOC entities (IPs, domains, file hashes, URLs) using the Check Point Exposure Management threat intelligence API and adds enrichment results as an incident comment.
| Attribute | Value |
|---|---|
| Type | Playbook |
| Solution | Check Point Cyberint Alerts |
| Source | View on GitHub |
This playbook uses 2 Logic App connectors / built-in actions:
| Connector / Action | Type | Connections | Actions |
|---|---|---|---|
| azuresentinel | Managed | 1 | 5 |
| http | Built-in | 0 | 4 |
azuresentinel (Managed)

| Action | Method | Endpoint | Other |
|---|---|---|---|
| Entities_-_Get_IPs | post | /entities/ip | — |
| Entities_-_Get_FileHashes | post | /entities/filehash | — |
| Entities_-_Get_DNS | post | /entities/dnsresolution | — |
| Entities_-_Get_URLs | post | /entities/url | — |
| Add_comment_to_incident | post | /Incidents/Comment | — |
http (Built-in)

| Action | Method | Endpoint | Other |
|---|---|---|---|
| Enrich_IP | GET | @{parameters('API_Base_URL')}/api/v1/file/ipv4/@{encodeURIComponent(items('For_each_IP')?['Address'])} | — |
| Enrich_FileHash | GET | @{parameters('API_Base_URL')}/api/v1/file/sha256/@{encodeURIComponent(items('For_each_FileHash')?['Value'])} | — |
| Enrich_Domain | GET | @{parameters('API_Base_URL')}/api/v1/file/domain/@{encodeURIComponent(items('For_each_Domain')?['DomainName'])} | — |
| Enrich_URL | GET | @{parameters('API_Base_URL')}/api/v1/file/url | — |
📄 Source: Enrichment/CPEM_IOCEnrichment/readme.md
When a new Microsoft Sentinel incident is created, this playbook automatically enriches IOC entities (IPs, domains, file hashes, URLs) using the Check Point Exposure Management threat intelligence API and adds the enrichment results as an incident comment.
Flow:
| Parameter | Required | Description |
|---|---|---|
| PlaybookName | No | Name of the Logic App (default: Check_Point_EM_IOCEnrichment) |
| Check_Point_EM_Base_PlaybookName | No | Name of the base playbook (default: Check_Point_EM_Base) |
| Entity Type | Endpoint |
|---|---|
| IPv4 | GET /api/v1/file/ipv4/{ip} |
| SHA256 Hash | GET /api/v1/file/sha256/{hash} |
| Domain | GET /api/v1/file/domain/{domain} |
| URL | GET /api/v1/file/url?value={url} |
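The table above maps each IOC entity type to one endpoint, and the Logic App wraps every IOC value in encodeURIComponent before placing it in the request. The Python below is an added example (not part of the playbook or the Check Point solution) that reproduces that mapping outside Logic Apps and adds two checks the playbook itself does not make explicit: the ipv4 endpoint only makes sense for IPv4 addresses, and the sha256 endpoint only for 64-hex-character hashes, so other values are skipped with a reason instead of being sent. The base URL, the `entities` input shape and all sample IOC values are constructed for this example; the API's response format is not on the page and is not modelled here.

```python
"""Build the per-entity enrichment requests the playbook issues (added example)."""
import ipaddress
import re
from urllib.parse import quote, urlencode

# Stand-in for the playbook's API_Base_URL parameter (constructed placeholder).
API_BASE_URL = "https://cpem.example.invalid"

_SHA256_RE = re.compile(r"^[0-9a-fA-F]{64}$")


def _path_segment(value: str) -> str:
    # quote(..., safe="") also encodes "/" and "?", mirroring encodeURIComponent,
    # so an IOC value cannot break out of the endpoint's path segment.
    return quote(value, safe="")


def build_enrichment_requests(entities: dict, base_url: str = API_BASE_URL):
    """Map IOC entities to (action, method, url) tuples.

    `entities` is keyed by the four entity types the playbook collects
    ("ip", "filehash", "domain", "url"); each value is a list of strings.
    Returns (requests, skipped); each skipped entry carries its reason.
    """
    base_url = base_url.rstrip("/")
    requests, skipped = [], []

    for ip in entities.get("ip", []):
        try:
            ipaddress.IPv4Address(ip)  # the endpoint is IPv4-specific
        except ipaddress.AddressValueError:
            skipped.append(("ip", ip, "not an IPv4 address"))
            continue
        requests.append(("Enrich_IP", "GET",
                         f"{base_url}/api/v1/file/ipv4/{_path_segment(ip)}"))

    for h in entities.get("filehash", []):
        if not _SHA256_RE.match(h):  # MD5/SHA-1 values do not fit the sha256 endpoint
            skipped.append(("filehash", h, "not a SHA-256 hash"))
            continue
        requests.append(("Enrich_FileHash", "GET",
                         f"{base_url}/api/v1/file/sha256/{h.lower()}"))

    for d in entities.get("domain", []):
        requests.append(("Enrich_Domain", "GET",
                         f"{base_url}/api/v1/file/domain/{_path_segment(d)}"))

    for u in entities.get("url", []):
        # The URL travels in the "value" query parameter, so "?", "&" and "/"
        # inside the IOC must be percent-encoded to keep it a single parameter.
        query = urlencode({"value": u}, quote_via=quote)
        requests.append(("Enrich_URL", "GET", f"{base_url}/api/v1/file/url?{query}"))

    return requests, skipped


# Constructed sample entities, as the four Get-entities actions might return them.
SAMPLE_ENTITIES = {
    "ip": ["198.51.100.7", "2001:db8::1"],
    "filehash": ["AB" * 32, "d41d8cd98f00b204e9800998ecf8427e"],
    "domain": ["example.com"],
    "url": ["http://example.com/path?a=1&b=2"],
}

if __name__ == "__main__":
    reqs, skipped = build_enrichment_requests(SAMPLE_ENTITIES)
    for action, method, url in reqs:
        print(f"{action}: {method} {url}")
    for kind, value, reason in skipped:
        print(f"skipped {kind} {value!r}: {reason}")
```

Running the module prints four requests and two skipped entries; the skipped list is what you would surface in the incident comment so an analyst can see which IOCs were not looked up and why.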