When a new Microsoft Sentinel incident is created for a phishing website alert, this playbook extracts the phishing URL, evaluates confidence and severity thresholds, submits a takedown request to Check Point Exposure Management, and tracks the takedown status back to the incident.
| Attribute | Value |
|---|---|
| Type | Playbook |
| Solution | Check Point Cyberint Alerts |
| Source | View on GitHub |
📄 Source: Response/CPEM_PhishingTakedown/readme.md
When a new Microsoft Sentinel incident is created for a phishing website alert, this playbook extracts the phishing URL from the alert, evaluates confidence and severity thresholds, and either auto-submits a takedown request or flags the incident for manual review.
Flow:
1. Calls Check_Point_EM_Base to retrieve API credentials.
2. Extracts the alert reference ID from the incident.
3. Fetches full alert details via GET /api/v1/alerts/{ref_id} and enriches the incident comment with phishing site metadata (URL, A record, registrar, detection reasons, SSL, password field).
4. If alert confidence meets the configured threshold, submits a takedown request via POST /api/v1/submit and tags the incident takedown-requested.
5. If below threshold, adds a comment recommending manual review.
ref_id in custom details.

| Parameter | Required | Description |
|---|---|---|
| PlaybookName | No | Name of the Logic App (default: Check_Point_EM_PhishingTakedown) |
| Check_Point_EM_Base_PlaybookName | No | Name of the base playbook (default: Check_Point_EM_Base) |
| MinConfidenceForAutoTakedown | No | Minimum confidence score (0-100) for auto-takedown (default: 80) |
| MinSeverityForAutoTakedown | No | Minimum Argos severity for auto-takedown (default: high) |
takedown-requested tag on incidents to track takedown progress.

| Action | Endpoint |
|---|---|
| Get alert details | GET /api/v1/alerts/{alert_ref_id} |
| Submit takedown | POST /api/v1/submit |
| Check takedown status | POST /api/v1/submit (filter by alert_id) |
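The threshold decision in steps 3 to 5 of the flow (enrich the incident, then auto-submit a takedown or recommend manual review) is easy to get subtly wrong, for example when the alert carries no confidence score or an unexpected severity label. The following Python is an added illustration of that decision logic and of the request the playbook would build; it is not the playbook's own Logic App code. It uses the defaults from the parameter table (80 and high), but the shape of the alert JSON returned by GET /api/v1/alerts/{ref_id}, the ordering of Argos severity labels, and the body posted to /api/v1/submit are all assumptions, since the page does not document them. The sample alert is constructed.

```python
"""Phishing-takedown decision logic (added example, not the playbook's code).

Assumptions, because the page does not document them:
- field names in the alert JSON ("confidence", "severity", "phishing_site")
  are hypothetical;
- the Argos severity scale is assumed to be low < medium < high < very_high;
- the request body for POST /api/v1/submit is a hypothetical shape.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Any

# Defaults taken from the playbook's parameter table.
MIN_CONFIDENCE_FOR_AUTO_TAKEDOWN = 80
MIN_SEVERITY_FOR_AUTO_TAKEDOWN = "high"

# Assumed ordering of Argos severity labels (not stated on the page).
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "very_high": 3}

TAKEDOWN_TAG = "takedown-requested"  # tag the playbook applies to the incident

# Constructed sample alert carrying the metadata the enrichment step reads
# (URL, A record, registrar, detection reasons, SSL, password field).
SAMPLE_ALERT: dict[str, Any] = {
    "ref_id": "EXAMPLE-REF-ID",
    "type": "phishing_website",
    "confidence": 92,
    "severity": "high",
    "phishing_site": {
        "url": "http://login-example.invalid/",
        "a_record": "192.0.2.10",
        "registrar": "Example Registrar",
        "detection_reasons": ["brand lookalike", "credential form"],
        "ssl": False,
        "has_password_field": True,
    },
}


@dataclass(frozen=True)
class Decision:
    auto_takedown: bool
    reason: str
    tags: tuple[str, ...]


def enrichment_comment(alert: dict[str, Any]) -> str:
    """Render the phishing-site metadata written back as an incident comment."""
    site = alert.get("phishing_site", {})
    reasons = ", ".join(site.get("detection_reasons", [])) or "n/a"
    return "\n".join([
        f"Phishing URL: {site.get('url', 'n/a')}",
        f"A record: {site.get('a_record', 'n/a')}",
        f"Registrar: {site.get('registrar', 'n/a')}",
        f"Detection reasons: {reasons}",
        f"SSL: {site.get('ssl', 'n/a')}",
        f"Password field: {site.get('has_password_field', 'n/a')}",
    ])


def evaluate(alert: dict[str, Any],
             min_confidence: int = MIN_CONFIDENCE_FOR_AUTO_TAKEDOWN,
             min_severity: str = MIN_SEVERITY_FOR_AUTO_TAKEDOWN) -> Decision:
    """Apply both thresholds; anything ambiguous falls back to manual review."""
    if min_severity not in SEVERITY_RANK:
        raise ValueError(f"unknown MinSeverityForAutoTakedown {min_severity!r}")
    confidence = alert.get("confidence")
    severity = str(alert.get("severity", "")).lower()
    # A missing or non-numeric score must never be treated as "high enough".
    if isinstance(confidence, bool) or not isinstance(confidence, (int, float)):
        return Decision(False, "confidence missing or not numeric; manual review", ())
    if severity not in SEVERITY_RANK:
        return Decision(False, f"unrecognised severity {severity!r}; manual review", ())
    if confidence < min_confidence:
        return Decision(False, f"confidence {confidence} below {min_confidence}; manual review", ())
    if SEVERITY_RANK[severity] < SEVERITY_RANK[min_severity]:
        return Decision(False, f"severity {severity} below {min_severity}; manual review", ())
    return Decision(True, f"confidence {confidence} >= {min_confidence} and "
                          f"severity {severity} >= {min_severity}", (TAKEDOWN_TAG,))


def build_takedown_request(alert: dict[str, Any]) -> dict[str, Any]:
    """Hypothetical POST /api/v1/submit call; the real body schema is not on the page."""
    return {"method": "POST", "path": "/api/v1/submit",
            "body": {"alert_id": alert["ref_id"], "type": "takedown"}}


def build_status_query(alert_ref_id: str) -> dict[str, Any]:
    """Hypothetical status check: the page says POST /api/v1/submit filtered by alert_id."""
    return {"method": "POST", "path": "/api/v1/submit",
            "body": {"filter": {"alert_id": alert_ref_id}}}


def run_flow(alert: dict[str, Any]) -> dict[str, Any]:
    """Steps 3 to 5: enrich, decide, then either build the request or recommend review."""
    decision = evaluate(alert)
    result: dict[str, Any] = {"comment": enrichment_comment(alert),
                              "decision": decision, "tags": list(decision.tags)}
    if decision.auto_takedown:
        result["request"] = build_takedown_request(alert)
        result["status_query"] = build_status_query(alert["ref_id"])
    else:
        result["comment"] += f"\nRecommendation: manual review ({decision.reason})"
    return result


if __name__ == "__main__":
    outcome = run_flow(SAMPLE_ALERT)
    print(outcome["comment"])
    print(outcome["decision"])
```

The boundary cases are the point: a score of exactly 80 qualifies, a missing score or a severity label outside the known scale does not, and only the auto path adds the takedown-requested tag that the status-tracking step later relies on.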