Check Point External Risk Management for Microsoft Sentinel - Alerts

Solution: Check Point Cyberint Alerts



Publisher: Check Point
Support Tier: Partner
Support Link: https://cyberint.com/customer-support/
Categories: domains
Version: 3.1.0
Author: Check Point - support@checkpoint.com
First Published: 2025-03-18
Last Updated: 2026-04-17
Solution Folder: Check Point Cyberint Alerts
Marketplace: Azure Marketplace · Popularity: ⚪ Very Low (8%)

Check Point provides a Microsoft Sentinel integration that streamlines critical alerts and brings enriched threat intelligence from the Infinity External Risk Management solution into Microsoft Sentinel. Ticket status is kept in sync automatically across both systems, which simplifies tracking. With this integration, existing Check Point Exposure Management and Microsoft Sentinel customers can pull logs based on Check Point Exposure Management findings into the Microsoft Sentinel platform.

NOTE: Microsoft recommends installing the Check Point Exposure Management Alerts Connector (via Codeless Connector Platform). The connector is built on the Codeless Connector Platform (CCP) and uses the Logs Ingestion API, which replaces ingestion via the deprecated HTTP Data Collector API. CCP-based data connectors also support Data Collection Rules (DCRs), which allow ingestion-time transformations and enrichment.


Data Connectors

This solution provides 1 data connector(s):

Tables Used

This solution uses 1 table(s):

Table: argsentdc_CL
Used by connectors: Check Point Cyberint Alerts Connector (via Codeless Connector Platform)
Used by content: Analytics, Playbooks, Workbooks

Content Items

This solution includes 11 content item(s):

Content Type Count
Playbooks 8
Analytic Rules 1
Workbooks 1
Parsers 1

Analytic Rules

Name: Check Point Exposure Management - Alert Ingestion Anomaly
Severity: Medium
Tactics: DefenseEvasion
Tables used: argsentdc_CL

Workbooks

Name: CPEMAlertOverview
Tables used: argsentdc_CL

Playbooks

Check Point EM - Importer (Alerts → Sentinel Incidents)
  Description: Queries the argsentdc_CL custom table (populated by the CCP data connector) for recent alerts and cr...
  Tables used: argsentdc_CL (read)

Check Point Exposure Management - Credential Leak Validation and Response
  Description: When a new Microsoft Sentinel incident is created for leaked credentials, this playbook queries the ...
  Tables used: -

Check Point Exposure Management - Exporter (Sentinel → Argos)
  Description: When a Sentinel incident status changes, this playbook pushes the update to the corresponding alert(...
  Tables used: -

Check Point Exposure Management - Fetch Attachments On-Demand
  Description: On-demand playbook that fetches alert attachments and analysis report for a Sentinel incident, surfa...
  Tables used: -

Check Point Exposure Management - IOC Enrichment and Triage
  Description: When a new Microsoft Sentinel incident is created, this playbook enriches IOC entities (IPs, domains...
  Tables used: -

Check Point Exposure Management - Manual Status Update (Sentinel → Argos)
  Description: On-demand playbook that reads the current Sentinel incident status and pushes it to the correspondin...
  Tables used: -

Check Point Exposure Management - Phishing Takedown
  Description: When a new Microsoft Sentinel incident is created for a phishing website alert, this playbook extrac...
  Tables used: -

Check Point Exposure Management - Vulnerability Exploitation Monitoring
  Description: When a new Microsoft Sentinel incident is created containing CVE identifiers, this playbook enriches...
  Tables used: -

Parsers

Name: CPEMAlerts
Description: -
Tables used: TacitRed_Findings_CL (read); internal use: BehaviorAnalytics (read)

Additional Documentation

📄 Source: Check Point Cyberint Alerts/README.md

Overview

This solution integrates Check Point Exposure Management with Microsoft Sentinel, providing bi-directional synchronization of alerts and incidents. It enables SOC teams to manage Argos external risk alerts directly from Sentinel while keeping both platforms in sync.

What's Included

Data Connector (CCP): Ingests new alerts every 5 minutes via the Codeless Connector Platform
10 Playbooks: Bi-directional sync, enrichment, and response automation
1 Analytic Rule: Detects ingestion gaps (connector or sync failures)
1 Workbook: Alert overview, status distribution, and sync health monitoring
1 Automation Rule: Triggers outbound sync on incident updates
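The analytic rule's query is not reproduced on this page, so the following is an added example (not the solution's own rule) of the kind of check the rule is described as performing: the connector writes to argsentdc_CL on a 5-minute cadence, so a run of empty 5-minute windows inside a period that otherwise carries steady traffic points at a connector or sync failure rather than a quiet tenant. The TimeGenerated values and the 4-minute alert cadence are constructed sample data; the thresholds (six consecutive silent windows, a baseline of at least 0.5 alerts per window) are assumptions of this example, not the rule's settings.

```python
"""Ingestion-gap check over constructed argsentdc_CL TimeGenerated values.

Added example, not the solution's analytic rule. It buckets rows into the
connector's 5-minute poll windows and raises a finding when the newest
windows are empty although the earlier part of the lookback had traffic.
"""
from datetime import datetime, timedelta, timezone

POLL_INTERVAL = timedelta(minutes=5)          # connector cadence stated on the page
NOW = datetime(2026, 4, 17, 12, 0, tzinfo=timezone.utc)   # constructed query time


def bucket_counts(timestamps, start, end, interval=POLL_INTERVAL):
    """Rows per poll window over [start, end); windows with no rows count 0."""
    n = int((end - start) / interval)
    counts = [0] * n
    for ts in timestamps:
        if start <= ts < end:
            counts[int((ts - start) / interval)] += 1
    return counts


def ingestion_gap(timestamps, now, lookback=timedelta(hours=6),
                  silent_windows=6, min_baseline_rate=0.5):
    """Return a finding dict when the newest `silent_windows` windows are empty
    while the rest of the lookback averaged >= min_baseline_rate rows per
    window (assumed thresholds); return None when ingestion looks healthy or
    there is no baseline to compare against."""
    counts = bucket_counts(timestamps, now - lookback, now)
    recent, baseline = counts[-silent_windows:], counts[:-silent_windows]
    if not baseline:
        return None
    baseline_rate = sum(baseline) / len(baseline)
    if sum(recent) == 0 and baseline_rate >= min_baseline_rate:
        silent = silent_windows * POLL_INTERVAL
        return {
            "gap_start": now - silent,
            "silent_minutes": int(silent.total_seconds() // 60),
            "baseline_rate": baseline_rate,
        }
    return None


def sample_rows(stop_before):
    """Constructed TimeGenerated values: one alert every 4 minutes from NOW-6h
    until `stop_before` NOW, i.e. the connector stalls for that long."""
    t = NOW - timedelta(hours=6)
    rows = []
    while t < NOW - stop_before:
        rows.append(t)
        t += timedelta(minutes=4)
    return rows


def demo():
    """Run the check on a stalled feed (last 30 minutes empty) and a healthy one."""
    stalled = ingestion_gap(sample_rows(timedelta(minutes=30)), NOW)
    healthy = ingestion_gap(sample_rows(timedelta(0)), NOW)
    return stalled, healthy


if __name__ == "__main__":
    print(demo())
```

The baseline comparison is what keeps the check from firing on a tenant that simply has no new alerts overnight; a rule that only asks "any rows in the last 30 minutes?" would page on every quiet period.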

Architecture

                    ┌─────────────────────────────────┐
                    │ Check Point Exposure Management │
                    │ (External Risk Mgmt)            │
                    └──────┬───────────────▲─────────┘
                           │               │
              ┌────────────┘               └────────────┐
              │ (new alerts)               (status PUT) │
              ▼                                         │
    ┌─────────────────┐                     ┌───────────┴────────┐
    │ CCP Data        │                     │ Exporter           │
    │ Connector       │                     │ Playbook           │
    │ (created_date)  │                     │ (Sentinel → Argos) │
    └────────┬────────┘                     └───────────▲────────┘
             │                                          │
             ▼                                          │
    ┌─────────────────┐                     ┌───────────┴────────┐
    │ argsentdc_CL    │◄────────────────────│ Importer           │
    │ (Custom Table)  │                     │ Playbook           │
    └────────┬────────┘                     │ (modification_date)│
             │                              └────────────────────┘
             ▼
    ┌─────────────────┐
    │ Microsoft       │
    │ Sentinel        │
    │ (Incidents)     │
    └─────────────────┘

Two ingestion paths:
  - CCP Connector: polls for new alerts using a created_date filter (every 5 min)
  - Importer: polls for modified alerts using a modification_date filter (every 10 min)

Loop prevention: the Importer tags every incident it updates with argos-importer-synced. The Exporter checks for this tag and skips the outbound push if it is present, so an Argos-originated change is not echoed back to Argos and re-imported in a circular update.
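To make the loop-prevention rule concrete, here is an added in-memory simulation of the two sync paths; it is not the solution's playbook or Logic App code. Argos and Sentinel are stand-in classes, a monotonic counter stands in for modification_date, and the scenario is constructed. One assumption the page does not state: the Exporter removes the argos-importer-synced tag when it skips, so a later analyst change to the same incident is still exported. Running simulate(False) shows what the tag prevents: without it the Exporter echoes the Argos-originated status change straight back to Argos.

```python
"""In-memory model of Importer/Exporter sync with the loop-prevention tag.

Added example, not the solution's own code. Importer: pulls alerts whose
modification_date advanced and updates the matching incident, tagging it.
Exporter: fires on incident status changes and PUTs the status to Argos
unless the tag is present.
"""
from dataclasses import dataclass, field

SYNC_TAG = "argos-importer-synced"   # tag name stated on the page


@dataclass
class ArgosAlert:
    ref_id: str
    status: str
    modification_date: int      # monotonic counter standing in for a timestamp


@dataclass
class Incident:
    alert_ref: str
    status: str
    tags: set = field(default_factory=set)


class Argos:
    """Stand-in for the Exposure Management API (constructed, in-memory)."""

    def __init__(self):
        self.clock = 0
        self.alerts = {}
        self.put_log = []       # every status PUT the Exporter sent

    def create(self, ref_id, status):
        self.clock += 1
        self.alerts[ref_id] = ArgosAlert(ref_id, status, self.clock)

    def set_status(self, ref_id, status):
        self.clock += 1
        alert = self.alerts[ref_id]
        alert.status, alert.modification_date = status, self.clock

    def modified_since(self, watermark):
        return [a for a in self.alerts.values() if a.modification_date > watermark]

    def put_status(self, ref_id, status):
        self.put_log.append((ref_id, status))
        self.set_status(ref_id, status)   # a PUT bumps modification_date too


class Sentinel:
    def __init__(self, argos, use_tag=True):
        self.argos = argos
        self.use_tag = use_tag          # False = the unsafe variant without the tag
        self.incidents = {}
        self.watermark = 0

    def run_importer(self):
        """Importer path: modification_date poll -> incident update (+ tag)."""
        for alert in self.argos.modified_since(self.watermark):
            inc = self.incidents.setdefault(alert.ref_id, Incident(alert.ref_id, alert.status))
            if inc.status != alert.status:
                if self.use_tag:
                    inc.tags.add(SYNC_TAG)
                self._set_status(inc, alert.status)
            self.watermark = max(self.watermark, alert.modification_date)

    def analyst_update(self, ref_id, status):
        """An analyst changes the incident status in the Sentinel UI."""
        self._set_status(self.incidents[ref_id], status)

    def _set_status(self, inc, status):
        inc.status = status
        self.run_exporter(inc)          # the automation rule triggers the Exporter

    def run_exporter(self, inc):
        """Exporter path: skip when the Importer tagged this update, else PUT."""
        if SYNC_TAG in inc.tags:
            inc.tags.discard(SYNC_TAG)  # ASSUMPTION: tag is consumed, not left in place
            return False
        self.argos.put_status(inc.alert_ref, inc.status)
        return True


def simulate(use_tag=True):
    """Constructed scenario; returns (PUTs sent, Argos status, incident status)."""
    argos = Argos()
    sentinel = Sentinel(argos, use_tag)
    argos.create("ALERT-1", "open")                 # new alert
    sentinel.run_importer()                         # incident created, nothing to export
    argos.set_status("ALERT-1", "acknowledged")     # changed on the Argos side
    sentinel.run_importer()                         # pulled; Exporter must not echo it
    sentinel.analyst_update("ALERT-1", "closed")    # changed in Sentinel; must be exported
    sentinel.run_importer()                         # PUT bumped modification_date; no change
    return argos.put_log, argos.alerts["ALERT-1"].status, sentinel.incidents["ALERT-1"].status


if __name__ == "__main__":
    print("with tag:   ", simulate(True))
    print("without tag:", simulate(False))
```

With the tag, the only PUT is the analyst's close; without it, the Argos-side acknowledgement is pushed back to Argos as a redundant update that in turn advances modification_date and lands in the next Importer poll. If the tag were left on the incident after a skip, the analyst's later close would be skipped as well, which is why this model consumes it.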

Prerequisites

  1. Microsoft Sentinel enabled on a Log Analytics workspace.
  2. A Check Point Exposure Management API token and your environment's Check Point Exposure Management API base URL (e.g., https://app.cyberint.io).
  3. Contributor role on the target resource group (for deploying Logic Apps, Key Vault, and role assignments).

[Content truncated...]

Release Notes

Version  Date (DD-MM-YYYY)  Change History
3.1.0    10-03-2026         Update Data Connector; add bi-directional sync playbooks, analytic rule (ingestion anomaly), workbook (alert overview & sync health), and automation rules.
3.0.0    17-06-2025         Initial Solution release.
