Check Point Harmony Email and Collaboration (HEC)

This integration is part of the Check Point Harmony Email and Collaboration (HEC) Pack.

Supported versions

Supported Cortex XSOAR versions: 6.9.0 and later.

The best way to protect enterprise email and collaboration from phishing, malware, account takeover, data loss, etc. This integration was integrated and tested with version 1.0.3 of CheckPointHEC.

Configure Check Point Harmony Email and Collaboration (HEC) on Cortex XSOAR

  1. Navigate to Settings > Integrations > Servers & Services.

  2. Search for Check Point Harmony Email and Collaboration (HEC).

  3. Click Add instance to create and configure a new integration instance.

    | Parameter | Required |
    | --- | --- |
    | Smart API URL (e.g. https://smart-api-dev-1-us.avanan-dev.net) | True |
    | Fetch incidents | False |
    | Incident type | False |
    | Maximum number of incidents per fetch | False |
    | Client ID | True |
    | Client Secret | True |
    | First fetch time | False |
    | Trust any certificate (not secure) | False |
    | Use system proxy settings | False |
    | Incidents Fetch Interval | False |

  4. Click Test to validate the URLs, token, and connection.

Commands

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

checkpointhec-get-entity

Retrieve a specific entity.

Base Command

checkpointhec-get-entity

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| entity | Entity ID to retrieve. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| CheckPointHEC.Entity.internetMessageId | String | Internet message ID of the email. |
| CheckPointHEC.Entity.subject | String | Email subject. |
| CheckPointHEC.Entity.received | String | Datetime the email was received, in ISO 8601 format. |
| CheckPointHEC.Entity.size | String | Email size. |
| CheckPointHEC.Entity.emailLinks | unknown | Links in email. |
| CheckPointHEC.Entity.attachmentCount | Number | Number of attachments in email. |
| CheckPointHEC.Entity.attachments | unknown | File attachments in email. |
| CheckPointHEC.Entity.mode | String | Internal policy rule. |
| CheckPointHEC.Entity.recipients | unknown | Recipient email addresses. |
| CheckPointHEC.Entity.fromEmail | String | Email sender. |
| CheckPointHEC.Entity.fromDomain | String | Domain where the email was sent from. |
| CheckPointHEC.Entity.fromUser | unknown | Sender user details. |
| CheckPointHEC.Entity.fromName | String | Sender name. |
| CheckPointHEC.Entity.to | unknown | Email main recipients. |
| CheckPointHEC.Entity.toUser | unknown | User details for main recipients. |
| CheckPointHEC.Entity.cc | unknown | Email carbon copy recipients. |
| CheckPointHEC.Entity.ccUser | unknown | User details for carbon copy recipients. |
| CheckPointHEC.Entity.bcc | unknown | Email blind carbon copy recipients. |
| CheckPointHEC.Entity.bccUser | unknown | User details for blind carbon copy recipients. |
| CheckPointHEC.Entity.replyToEmail | String | Email reply. |
| CheckPointHEC.Entity.replyToNickname | String | Email reply nickname. |
| CheckPointHEC.Entity.isRead | Boolean | Email has been read. |
| CheckPointHEC.Entity.isDeleted | Boolean | Email has been deleted. |
| CheckPointHEC.Entity.isIncoming | Boolean | Email is from an external organization. |
| CheckPointHEC.Entity.isInternal | Boolean | Email is from the same organization. |
| CheckPointHEC.Entity.isOutgoing | Boolean | Email is to an external organization. |
| CheckPointHEC.Entity.isQuarantined | Boolean | Email has been quarantined. |
| CheckPointHEC.Entity.isQuarantineNotification | Boolean | Email is a notification of another quarantined email. |
| CheckPointHEC.Entity.isRestored | Boolean | Email is restored from quarantine. |
| CheckPointHEC.Entity.isRestoreRequested | Boolean | Email is a request to restore. |
| CheckPointHEC.Entity.isRestoreDeclined | Boolean | Email is a declined restore request. |
| CheckPointHEC.Entity.saasSpamVerdict | String | Spam verdict. |
| CheckPointHEC.Entity.SpfResult | String | Sender Policy Framework check result. |
| CheckPointHEC.Entity.restoreRequestTime | String | Restore request datetime in ISO 8601 format. |

checkpointhec-get-email-info

Retrieve a specific email entity.

Base Command

checkpointhec-get-email-info

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| entity | Email entity ID. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| CheckPointHEC.Email.fromEmail | String | Email sender. |
| CheckPointHEC.Email.to | unknown | Email main recipients. |
| CheckPointHEC.Email.replyToEmail | String | Email reply. |
| CheckPointHEC.Email.replyToNickname | String | Email reply nickname. |
| CheckPointHEC.Email.recipients | unknown | Recipient email addresses. |
| CheckPointHEC.Email.subject | String | Email subject. |
| CheckPointHEC.Email.cc | unknown | Email carbon copy recipients. |
| CheckPointHEC.Email.bcc | unknown | Email blind carbon copy recipients. |
| CheckPointHEC.Email.isRead | Boolean | Email has been read. |
| CheckPointHEC.Email.received | String | Datetime the email was received, in ISO 8601 format. |
| CheckPointHEC.Email.isDeleted | Boolean | Email has been deleted. |
| CheckPointHEC.Email.isIncoming | Boolean | Email is from an external organization. |
| CheckPointHEC.Email.isOutgoing | Boolean | Email is to an external organization. |
| CheckPointHEC.Email.internetMessageId | String | Internet message ID of the email. |
| CheckPointHEC.Email.isUserExposed | Boolean | Email reached the user's inbox. |

checkpointhec-get-scan-info

Retrieve specific email scan with positive threats

Base Command

checkpointhec-get-scan-info

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| entity | Scanned entity id. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| CheckPointHEC.ScanResult.ap | unknown | Anti-phishing scan results |
| CheckPointHEC.ScanResult.dlp | unknown | Data Loss Prevention scan results |
| CheckPointHEC.ScanResult.clicktimeProtection | unknown | Click Time Protection scan results |
| CheckPointHEC.ScanResult.shadowIt | unknown | Shadow IT scan results |
| CheckPointHEC.ScanResult.av | unknown | Antivirus scan results |

checkpointhec-search-emails

Get the IDs of emails with the same sender and/or subject.

Base Command

checkpointhec-search-emails

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| date_range | Range to search for emails (1 day, 2 weeks, etc.). | Required |
| sender | Search emails with this sender. | Optional |
| subject | Search emails with this subject. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| CheckPointHEC.SearchResult.ids | unknown | List of email IDs returned by the search. |

checkpointhec-send-action

Quarantine or restore an email.

Base Command

checkpointhec-send-action

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| farm | Customer farm. | Required |
| customer | Customer portal name. | Required |
| entity | One or multiple email IDs to apply the action to. | Required |
| action | Action to perform (quarantine or restore). Possible values are: quarantine, restore. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| CheckPointHEC.Task.task | String | Task ID of the sent action. |

checkpointhec-get-action-result

Get task info related to a sent action.

Base Command

checkpointhec-get-action-result

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| farm | Customer farm. | Required |
| customer | Customer portal name. | Required |
| task | Task ID to retrieve. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| CheckPointHEC.ActionResult.actions | unknown | Action information for each sent entity. |
| CheckPointHEC.ActionResult.created | String | Date when the action was created, in ISO 8601 format. |
| CheckPointHEC.ActionResult.customer | String | Customer portal name. |
| CheckPointHEC.ActionResult.failed | Number | Number of failed actions. |
| CheckPointHEC.ActionResult.id | Number | Action task ID. |
| CheckPointHEC.ActionResult.name | String | Action name. |
| CheckPointHEC.ActionResult.owner | String | Action owner. |
| CheckPointHEC.ActionResult.progress | Number | Number of actions in progress. |
| CheckPointHEC.ActionResult.sequential | Boolean | Actions are in sequence. |
| CheckPointHEC.ActionResult.status | String | Action status. |
| CheckPointHEC.ActionResult.succeed | Number | Number of succeeded actions. |
| CheckPointHEC.ActionResult.total | Number | Total number of actions. |
| CheckPointHEC.ActionResult.type | String | Action internal name. |
| CheckPointHEC.ActionResult.updated | String | Date when the action was last updated, in ISO 8601 format. |
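
The search, send-action and get-action-result commands chain into one containment step: find the emails, quarantine them, then confirm from the task counters that none failed. The sketch below is an added example, not code from the integration; `run_command` and `make_fake_hec` are hypothetical helpers, and the comma-separated `entity` value and the completion rule are assumptions.

```python
import time
from typing import Callable, Dict

# Hypothetical adapter: run_command(name, args) returns the command's context
# output as a plain dict (e.g. {"ids": [...]}); in an automation it would wrap
# demisto.executeCommand. It is not part of the integration.
RunCommand = Callable[[str, Dict[str, str]], Dict]


def quarantine_by_sender(run_command: RunCommand, farm: str, customer: str,
                         sender: str, date_range: str = "1 day",
                         max_polls: int = 5, poll_delay: float = 2.0) -> Dict:
    """Search by sender, quarantine every hit, then poll the task result."""
    ids = run_command("checkpointhec-search-emails",
                      {"date_range": date_range, "sender": sender}).get("ids") or []
    summary = {"ids": ids, "task": None, "done": not ids, "succeed": 0, "failed": 0}
    if not ids:
        return summary  # nothing matched, so no action is sent
    # Assumption: several entity ids are passed as one comma-separated string.
    summary["task"] = run_command("checkpointhec-send-action", {
        "farm": farm, "customer": customer,
        "entity": ",".join(ids), "action": "quarantine"})["task"]
    for _ in range(max_polls):
        res = run_command("checkpointhec-get-action-result", {
            "farm": farm, "customer": customer, "task": str(summary["task"])})
        summary["succeed"] = res.get("succeed", 0)
        summary["failed"] = res.get("failed", 0)
        # Assumption: the task is finished once nothing is in progress and
        # every entity is counted as succeeded or failed.
        if res.get("progress", 0) == 0 and \
                summary["succeed"] + summary["failed"] == res.get("total"):
            summary["done"] = True
            break
        time.sleep(poll_delay)
    return summary


def make_fake_hec() -> RunCommand:
    """Constructed stand-in for the integration; the task ends on poll 2."""
    polls = {"n": 0}

    def run(name: str, args: Dict[str, str]) -> Dict:
        if name == "checkpointhec-search-emails":
            return {"ids": ["id-1", "id-2"]}      # constructed entity ids
        if name == "checkpointhec-send-action":
            return {"task": "task-123"}           # constructed task id
        polls["n"] += 1
        done = polls["n"] >= 2
        return {"total": 2, "progress": 0 if done else 2,
                "succeed": 1 if done else 0, "failed": 1 if done else 0}
    return run
```

A non-zero `failed` count in the summary means at least one matched email is still deliverable and needs follow-up, even though the send-action call itself returned a task ID.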

checkpointhec-send-notification

Send a notification about user exposure for the specific entity to the list of emails.

Base Command

checkpointhec-send-notification

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| entity | Email entity ID. | Required |
| emails | List of emails to send the notification to. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| CheckPointHEC.Notification.ok | Boolean | Result of the operation. |