What Changed
Major solution update (v3.0.0 → v3.1.0) introducing bi-directional alert sync between Check Point Cyberint (Infinity External Risk Management) and Microsoft Sentinel, plus critical data ingestion fixes.
Security Impact (Visibility & Fidelity)
Critical Fix: The ref_id column was defined as datetime in DCR/table definitions, causing alert reference IDs to be silently dropped during ingestion. Deployments running v3.0.0 have had incomplete alert data since installation — this is a data fidelity gap affecting alert correlation and deduplication.
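A schema check for the defect described above, added here as an illustration and not part of the solution's own code: it walks any DCR or custom-table JSON for `columns` arrays and flags an identifier column such as `ref_id` that is typed as `datetime` instead of `string`. The sample DCR fragment is constructed; the `Custom-argsentdc_CL` stream name and the nesting under `properties.streamDeclarations` follow the usual DCR layout but are assumptions, which is why the walker does not depend on a fixed path.

```python
"""Flag identifier columns typed as datetime in DCR / table definitions.

Added example, not the solution's own code. It walks any JSON document for
``columns`` arrays so it works on both DCR stream declarations and custom
table definitions without assuming a fixed nesting."""
import json

# Columns that carry identifiers, never timestamps. ref_id is the one the
# v3.1.0 fix corrected; extend the set for other ID-like columns.
IDENTIFIER_COLUMNS = {"ref_id"}

def find_column_defs(node, path="$"):
    """Yield (json_path, column_dict) for every entry of every ``columns`` list."""
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if key == "columns" and isinstance(value, list):
                for i, col in enumerate(value):
                    if isinstance(col, dict):
                        yield f"{child}[{i}]", col
            else:
                yield from find_column_defs(value, child)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from find_column_defs(item, f"{path}[{i}]")

def check_identifier_types(doc):
    """Return a list of problem strings; empty means every identifier column is a string."""
    problems = []
    for path, col in find_column_defs(doc):
        name = str(col.get("name", ""))
        ctype = str(col.get("type", "")).lower()
        if name.lower() in IDENTIFIER_COLUMNS and ctype != "string":
            problems.append(f"{path}: column {name!r} typed as {ctype!r}, expected 'string'")
    return problems

# Constructed sample reproducing the v3.0.0 defect: ref_id declared as datetime.
BROKEN_DCR = json.loads("""{
  "properties": {"streamDeclarations": {"Custom-argsentdc_CL": {"columns": [
    {"name": "TimeGenerated", "type": "datetime"},
    {"name": "ref_id", "type": "datetime"},
    {"name": "title", "type": "string"}]}}}}""")

# Same document with the column type corrected, as the v3.1.0 fix does.
FIXED_DCR = json.loads(json.dumps(BROKEN_DCR))
FIXED_DCR["properties"]["streamDeclarations"]["Custom-argsentdc_CL"]["columns"][1]["type"] = "string"

if __name__ == "__main__":
    for label, doc in (("broken", BROKEN_DCR), ("fixed", FIXED_DCR)):
        print(label, check_identifier_types(doc) or "OK")
```

Run it against the DCR and table JSON files listed under Affected Files to confirm the deployed definitions match the fixed shape.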
New Detection Surface: Enhanced alert processing with automated enrichment (IOC analysis, credential leak validation, vulnerability intelligence) and response workflows (phishing takedown, attachment retrieval).
Bi-Directional Sync Capabilities
Inbound Sync (Argos → Sentinel)
- CPEM_InboundSync: Polls Argos for modified alerts using a modification_date filter (complements the CCF connector, which only captures new alerts)
- Writes updated records to argsentdc_CL custom table via Data Collection API
- Handles status changes, closures, and alert updates missed by the primary connector
Outbound Sync (Sentinel → Argos)
- CPEM_OutboundSync: Pushes Sentinel incident status changes to corresponding Argos alerts
- Maps incident classifications to alert closure reasons (True Positive → resolved, False Positive → false_positive)
- Includes tag-based loop prevention (argos-importer-synced) to avoid circular sync
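The outbound decision rules (classification mapping plus tag-based loop prevention), written out as an added example rather than the CPEM_OutboundSync playbook itself. It assumes the `argos-importer-synced` tag is carried on incidents whose latest change came from the inbound sync, treats Sentinel labels as plain strings, and mirrors only closures, since those are the only state transitions the mapping above defines.

```python
"""Outbound sync decision logic (Sentinel -> Argos), added illustration only.

Incident field names follow the Sentinel incident schema; the Argos closure
reasons are the two the release notes name. Only closures are mirrored."""
from dataclasses import dataclass, field
from typing import Optional

SYNC_TAG = "argos-importer-synced"   # marks changes that came in via CPEM_InboundSync

# Sentinel incident classification -> Argos alert closure reason.
CLOSURE_REASON = {
    "TruePositive": "resolved",
    "FalsePositive": "false_positive",
}

@dataclass
class Incident:
    incident_id: str
    status: str                        # "New" | "Active" | "Closed"
    classification: Optional[str]      # populated when the incident is closed
    labels: list[str] = field(default_factory=list)
    ref_id: Optional[str] = None       # Argos alert reference carried on the incident

@dataclass
class OutboundUpdate:
    ref_id: str
    closure_reason: str

def plan_outbound_update(inc: Incident) -> tuple[Optional[OutboundUpdate], str]:
    """Decide whether an incident change is pushed to Argos.

    Returns (update, reason); update is None when nothing should be sent."""
    if SYNC_TAG in inc.labels:
        # The change originated in Argos; pushing it back would re-trigger
        # the inbound sync and loop indefinitely.
        return None, "skipped: change originated from Argos (loop prevention)"
    if not inc.ref_id:
        # No reference ID means no alert to correlate against. This is the
        # situation the v3.0.0 datetime-typed ref_id column produced.
        return None, "skipped: incident has no ref_id"
    if inc.status != "Closed":
        return None, "skipped: only closures are mirrored to Argos"
    reason = CLOSURE_REASON.get(inc.classification or "")
    if reason is None:
        return None, f"skipped: no closure mapping for classification {inc.classification!r}"
    return OutboundUpdate(inc.ref_id, reason), "push"
```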
Manual Operations
- CPEM_ManualStatusUpdate: On-demand status sync from Sentinel incident Actions menu
- CPEM_AutomationRules: Deploys automation rules to trigger sync on incident updates
Enrichment & Response Playbooks
- CPEM_IOCEnrichment: Automatic IOC enrichment (IPs, domains, hashes, URLs) with threat intelligence verdicts
- CPEM_FetchAttachments: On-demand retrieval of alert attachments and analysis reports
- CPEM_CredentialLeakResponse: Credential leak validation with severity escalation for high-volume breaches
- CPEM_PhishingTakedown: Automated phishing site takedown with confidence thresholds
- CPEM_VulnerabilityMonitoring: CVE enrichment with EPSS/CVSS scoring and exploitation evidence
Parser Improvements
- CPEMAlerts: Added alert type metadata lookup and deduplication by ref_id
- CPEMAlertIngestionAnomaly: New analytic rule for detecting ingestion issues
MITRE Mapping
Enhanced coverage for T1562 (Impair Defenses) through improved alert correlation and response workflows.
Affected Files
.script/tests/KqlvalidationsTests/CustomTables/argsentdc_CL.json
.script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json
Logos/checkpoint-cyberint.svg
Logos/checkpoint.svg
Solutions/Check Point Cyberint Alerts/Analytic Rules/CPEMAlertIngestionAnomaly.yaml
Solutions/Check Point Cyberint Alerts/Data Connectors/CyberintArgosAlertsLogs_ccp/CyberintArgosAlertsLogs_DCR.json
Solutions/Check Point Cyberint Alerts/Data Connectors/CyberintArgosAlertsLogs_ccp/CyberintArgosAlertsLogs_PollingConfig.json
Solutions/Check Point Cyberint Alerts/Data Connectors/CyberintArgosAlertsLogs_ccp/CyberintArgosAlertsLogs_Table.json
Solutions/Check Point Cyberint Alerts/Data Connectors/CyberintArgosAlertsLogs_ccp/CyberintArgosAlertsLogs_connectorDefinition.json
Solutions/Check Point Cyberint Alerts/Package/testParameters.json
Solutions/Check Point Cyberint Alerts/Parsers/CPEMAlerts.yaml
Solutions/Check Point Cyberint Alerts/Playbooks/Enrichment/CPEM_FetchAttachments/azuredeploy.json
Solutions/Check Point Cyberint Alerts/Playbooks/Enrichment/CPEM_FetchAttachments/readme.md
Solutions/Check Point Cyberint Alerts/Playbooks/Enrichment/CPEM_IOCEnrichment/azuredeploy.json
Solutions/Check Point Cyberint Alerts/Playbooks/Enrichment/CPEM_IOCEnrichment/readme.md
Solutions/Check Point Cyberint Alerts/Playbooks/Response/CPEM_CredentialLeakResponse/azuredeploy.json
Solutions/Check Point Cyberint Alerts/Playbooks/Response/CPEM_CredentialLeakResponse/readme.md
Solutions/Check Point Cyberint Alerts/Playbooks/Response/CPEM_PhishingTakedown/azuredeploy.json
Solutions/Check Point Cyberint Alerts/Playbooks/Response/CPEM_PhishingTakedown/readme.md
Solutions/Check Point Cyberint Alerts/Playbooks/Response/CPEM_VulnerabilityMonitoring/azuredeploy.json
Solutions/Check Point Cyberint Alerts/Playbooks/Response/CPEM_VulnerabilityMonitoring/readme.md
Solutions/Check Point Cyberint Alerts/Playbooks/Sync/CPEM_AutomationRules/azuredeploy.json
Solutions/Check Point Cyberint Alerts/Playbooks/Sync/CPEM_AutomationRules/readme.md
Solutions/Check Point Cyberint Alerts/Playbooks/Sync/CPEM_InboundSync/azuredeploy.json
Solutions/Check Point Cyberint Alerts/Playbooks/Sync/CPEM_InboundSync/readme.md
Solutions/Check Point Cyberint Alerts/Playbooks/Sync/CPEM_ManualStatusUpdate/azuredeploy.json
Solutions/Check Point Cyberint Alerts/Playbooks/Sync/CPEM_ManualStatusUpdate/readme.md
Solutions/Check Point Cyberint Alerts/Playbooks/Sync/CPEM_OutboundSync/azuredeploy.json
Solutions/Check Point Cyberint Alerts/Playbooks/Sync/CPEM_OutboundSync/readme.md
Solutions/Check Point Cyberint Alerts/README.md
Solutions/Check Point Cyberint Alerts/Workbooks/CPEMAlertOverview.json
Solutions/Check Point Cyberint Alerts/Workbooks/Images/Preview/CPEMAlertOverviewBlack.png
Solutions/Check Point Cyberint Alerts/Workbooks/Images/Preview/CPEMAlertOverviewWhite.png
Solutions/Check Point Cyberint Alerts/docs/sentinel-playbook-template-rendering-fixes.md
Solutions/Check Point Cyberint IOC/Data Connectors/CyberintArgosIOCLogs_ccp/CyberintArgosIOCLogs_PollingConfig.json
Solutions/Check Point Cyberint IOC/Data Connectors/CyberintArgosIOCLogs_ccp/CyberintArgosIOCLogs_Table.json
Solutions/Check Point Cyberint IOC/Data Connectors/CyberintArgosIOCLogs_ccp/CyberintArgosIOCLogs_connectorDefinition.json
Workbooks/Images/Logos/checkpoint.svg
Workbooks/Images/Preview/CPEMAlertOverviewBlack.png
Workbooks/Images/Preview/CPEMAlertOverviewWhite.png
Workbooks/WorkbooksMetadata.json
(packaging artefacts: 3.0.2.zip, 3.1.0.zip, ReleaseNotes.md, SolutionMetadata.json, Solution_Cyberint.json, createUiDefinition.json, mainTemplate.json)