When a new Microsoft Sentinel incident is created containing CVE identifiers, this playbook enriches each CVE using the Check Point CVE Intelligence API (EPSS, CPEM score, exploitation evidence, PoC availability) and adds results as an incident comment.
| Attribute | Value |
|---|---|
| Type | Playbook |
| Solution | Check Point Cyberint Alerts |
| Source | View on GitHub |
This playbook uses 2 Logic App connectors / built-in actions:
| Connector / Action | Type | Connections | Actions |
|---|---|---|---|
| azuresentinel | Managed | 1 | 2 |
| http | Built-in | 0 | 1 |
azuresentinel (Managed)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| Add_comment_to_incident | post | /Incidents/Comment | — |
| Update_incident_severity_to_High | put | /Incidents | — |
http (Built-in)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| Get_CVE_Enrichment | GET | @{parameters('API_Base_URL')}/cve-intel/get_enriched_cve/@{encodeURIComponent(items('For_each_CVE'))} | — |
The playbook triggers on a new Microsoft Sentinel incident whose description contains CVE identifiers. Each CVE is enriched through the Check Point CVE Intelligence API and the results (EPSS, CPEM score, CVSS, CWE, PoC availability, exploitation evidence) are posted as an incident comment. If any CVE's CPEM score exceeds the configured SeverityEscalationThreshold, the incident severity is set to High.
Flow:
1. Extract CVE identifiers (e.g. CVE-2024-1234) from the incident description.
2. For each CVE, call GET /cve-intel/get_enriched_cve/{cve_id} (the CVE ID is URL-encoded with encodeURIComponent before it is placed in the path).
3. Add the enrichment results to the incident as a comment.
4. If any CVE's CPEM score exceeds SeverityEscalationThreshold, update the incident severity to High.
| Parameter | Required | Description |
|---|---|---|
| PlaybookName | No | Name of the Logic App (default: Check_Point_EM_VulnerabilityMonitoring) |
| Check_Point_EM_Base_PlaybookName | No | Name of the base playbook (default: Check_Point_EM_Base) |
| SeverityEscalationThreshold | No | CPEM CVE score threshold for escalation (default: 7.0) |
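The flow above, modelled offline as an added example; this is not the solution's own Logic App definition. The Check Point CVE Intelligence API response schema is not shown on this page, so the field names (cve_id, cpem_score, epss, exploited, poc_available), the API_Base_URL value and the strict "greater than" threshold comparison are assumptions, and the HTTP call is replaced by a constructed in-memory lookup. The two points it makes that the playbook description leaves implicit: the incident description echoes alert content, so CVE IDs are extracted with a strict pattern, normalised and de-duplicated before being URL-encoded into the request path, and a missing or malformed score must never trigger escalation.

```python
"""Offline model of the CVE-enrichment playbook flow (added example)."""
import re
from typing import Optional
from urllib.parse import quote

# Strict CVE pattern: incident text is attacker-influenced (it echoes alert
# content), so only well-formed IDs are accepted and they are upper-cased
# before being placed in a URL path. CVE-2024-1234 is the page's own example.
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.IGNORECASE)

API_BASE_URL = "https://api.example.invalid"  # assumed value of the API_Base_URL parameter

def extract_cve_ids(description: str) -> list:
    """Return unique, upper-cased CVE IDs in first-seen order."""
    seen, ids = set(), []
    for match in CVE_RE.finditer(description):
        cve = match.group(0).upper()
        if cve not in seen:
            seen.add(cve)
            ids.append(cve)
    return ids

def enrichment_url(cve_id: str, base_url: str = API_BASE_URL) -> str:
    """Mirror the Logic App expression: <base>/cve-intel/get_enriched_cve/<encodeURIComponent(cve)>."""
    return f"{base_url}/cve-intel/get_enriched_cve/{quote(cve_id, safe='')}"

# Constructed sample responses (not real Check Point data; field names assumed).
SAMPLE_ENRICHMENT = {
    "CVE-2024-1234": {"cve_id": "CVE-2024-1234", "cpem_score": 8.6, "epss": 0.42,
                      "exploited": True, "poc_available": True},
    "CVE-2023-0001": {"cve_id": "CVE-2023-0001", "cpem_score": 3.1, "epss": 0.01,
                      "exploited": False, "poc_available": False},
}

def get_cve_enrichment(cve_id: str) -> Optional[dict]:
    """Stand-in for the HTTP GET; None models an unknown CVE (no data returned)."""
    return SAMPLE_ENRICHMENT.get(cve_id)

def cpem_score(record: Optional[dict]) -> Optional[float]:
    """Parse the score defensively: a missing or non-numeric score must not escalate."""
    if not record:
        return None
    try:
        return float(record["cpem_score"])
    except (KeyError, TypeError, ValueError):
        return None

def enrich_incident(description: str, threshold: float = 7.0) -> dict:
    """Playbook logic: extract -> enrich each CVE -> build comment -> escalation decision."""
    results = {cve: get_cve_enrichment(cve) for cve in extract_cve_ids(description)}
    lines = []
    for cve, rec in results.items():
        if rec is None:
            lines.append(f"{cve}: no enrichment data")
            continue
        lines.append(
            f"{cve}: CPEM={cpem_score(rec)} EPSS={rec.get('epss')} "
            f"exploited={rec.get('exploited')} PoC={rec.get('poc_available')}"
        )
    # "Exceeds" is read as strictly greater than the threshold (assumption).
    escalate = False
    for rec in results.values():
        score = cpem_score(rec)
        if score is not None and score > threshold:
            escalate = True
    return {"cves": list(results), "comment": "\n".join(lines), "escalate": escalate}

if __name__ == "__main__":
    outcome = enrich_incident("Alert: cve-2024-1234 and CVE-2024-1234, also CVE-2023-0001.")
    print(outcome["comment"])
    print("escalate to High:", outcome["escalate"])
```

In the real Logic App the de-duplication and pattern check happen before the For_each_CVE loop, so a description that repeats the same CVE does not cost a second API call, and a CVE the API has no record for produces a comment line rather than an error that aborts the run.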
| Action | Endpoint |
|---|---|
| CVE Enrichment | GET /cve-intel/get_enriched_cve/{cve_id} |