Skip to main content

Check Point Network Detection and Response (Infinity NDR)

This Integration is part of the Check Point Infinity NDR Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.9.0 and later.

Collect network security events from Check Point Infinity NDR for your secured SaaS periodically This integration was integrated and tested with version 1.0.0 of CheckPointNDR

Configure Check Point Network Detection and Response (Infinity NDR) on Cortex XSOAR#

  1. Navigate to Settings > Integrations > Servers & Services.

  2. Search for Check Point Infinity NDR.

  3. Click Add instance to create and configure a new integration instance.

    Infinity NDR API URL (e.g.
    Client IDTrue
    Access KeyTrue
    First fetch timeFalse
    Trust any certificate (not secure)False
    Use system proxy settingsFalse
    Incidents Fetch IntervalFalse
  4. Click Test to validate the URLs, token, and connection.


You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.


Retrieve all NDR Insights

Base Command#



Argument NameDescriptionRequired
fromDate and time from which to fetch insights. Default is Last 24 hours.Optional
create_eventsIf true, the command will create events, otherwise it will only display them. Possible values are: true, false. Default is false.Optional

Context Output#

CheckPointHEC.Entity.internetMessageIdStringEmail message id in internet.
CheckPointHEC.Entity.subjectStringEmail subject.
CheckPointHEC.Entity.receivedStringDatetime email was received in iso 8601 format.
CheckPointHEC.Entity.sizeStringEmail size.
CheckPointHEC.Entity.emailLinksunknownLinks in email.
CheckPointHEC.Entity.attachmentCountNumberNumber of attachments in email.
CheckPointHEC.Entity.attachmentsunknownFile attachments in email.
CheckPointHEC.Entity.modeStringInternal policy rule.
CheckPointHEC.Entity.recipientsunknownRecipient email addresses.
CheckPointHEC.Entity.subjectStringEmail subject.
CheckPointHEC.Entity.fromEmailStringEmail sender.
CheckPointHEC.Entity.fromDomainStringDomain where the email was sent from.
CheckPointHEC.Entity.fromUserunknownSender user details.
CheckPointHEC.Entity.fromNameStringSender name.
CheckPointHEC.Entity.tounknownEmail main recipients.
CheckPointHEC.Entity.toUserunknownUser details for main recipients.
CheckPointHEC.Entity.ccunknownEmail carbon copy recipients.
CheckPointHEC.Entity.ccUserunknownUser details for carbon copy recipients.
CheckPointHEC.Entity.bccunknownEmail blind carbon copy recipients.
CheckPointHEC.Entity.bccUserunknownUser details for blind carbon copy recipients.
CheckPointHEC.Entity.replyToEmailStringEmail reply.
CheckPointHEC.Entity.replyToNicknameStringEmail reply nickname.
CheckPointHEC.Entity.isReadBooleanEmail has been read.
CheckPointHEC.Entity.isDeletedBooleanEmail has been deleted.
CheckPointHEC.Entity.isIncomingBooleanEmail is from external organization.
CheckPointHEC.Entity.isInternalBooleanEmail is from same organization.
CheckPointHEC.Entity.isOutgoingBooleanEmail is to an external organization.
CheckPointHEC.Entity.isQuarantinedBooleanEmail has been quarantined.
CheckPointHEC.Entity.isQuarantineNotificationBooleanEmail is a notification of another quarantined email.
CheckPointHEC.Entity.isRestoredBooleanEmail is restored from quarantine.
CheckPointHEC.Entity.isRestoreRequestedBooleanEmail is a request to restore.
CheckPointHEC.Entity.isRestoreDeclinedBooleanEmail is a declined restore request.
CheckPointHEC.Entity.saasSpamVerdictStringSpam verdict.
CheckPointHEC.Entity.SpfResultStringSender Policy Framework check result.
CheckPointHEC.Entity.restoreRequestTimeStringRestore request datetime in iso 8601 format.