Data Source
Check Point Email Security (marketed as Check Point Harmony Email and Collaboration, formerly Avanan). The connector ingests from Check Point Infinity Portal via REST API, populating four custom Log Analytics tables:
| Stream | Table | Coverage |
|---|---|---|
| Security Events | CheckPointEmailSecurityEvents_CL | Zero-day, phishing, malware, account takeover, DLP, shadow IT |
| Anti-Phishing Exceptions | CheckPointEmailSecAntiPhishingExceptions_CL | Allow-listed senders/attachments bypassing phishing controls |
| Spam Exceptions | CheckPointEmailSecuritySpamExceptions_CL | Allow-listed senders/IPs bypassing spam filters |
| Audit Logs | CheckPointEmailSecurityAuditLogs_CL | Admin/configuration change activity |
Ingestion Mechanism
CCF (Codeless Connector Framework) REST API poller. The connector requires two separate Check Point Infinity Portal API key pairs:
- Harmony Email and Collaboration API key (Client ID + Client Secret) for security events and exceptions streams
- Logs as a Service API key (Audit Client ID + Audit Client Secret) for audit logs stream
The DCR (CheckPointEmailSecurityDCR) defines four Custom- stream declarations with distinct column schemas per data type. Multi-tenant deployments are supported; each tenant connection is provisioned independently via the connector UI context pane.
Detection Surface Unlocked
This connector surfaces attacker activity across the email kill-chain:
- Pre-delivery threats: Phishing, zero-day, and malware in inbound email (CheckPointEmailSecurityEvents_CL with type and severity fields)
- Exception abuse: Anti-phishing and spam exception lists are frequent attacker persistence targets; CheckPointEmailSecAntiPhishingExceptions_CL and CheckPointEmailSecuritySpamExceptions_CL enable hunting for malicious allow-list additions (T1566.001)
- Account takeover: Security events include account takeover detections surfaced by Harmony Email behavioral analytics
- Admin plane changes: CheckPointEmailSecurityAuditLogs_CL captures configuration changes to email security policy, relevant for detecting attacker-driven policy weakening
No bundled Analytic Rules or Hunting Queries are included in this initial release. Detection engineering against these tables will require custom rule authoring.
Operational Notes
- The connector is marked preview in the connector definition (isPreview: true).
- Security events schema includes: eventId, customerId, saas, entityId, state, type, confidenceIndicator, eventCreated, severity, data, description, senderAddress, entityLink, actions (dynamic), additionalData, availableEventActions (dynamic).
- Exception tables include sender email, sender name, recipient, attachment MD5, and sender client IP fields useful for pivoting on known-bad indicators.
- No parser YAML is included; field normalisation will need to be implemented by the SOC.
Affected Files
Solutions/Checkpoint Email Security/Data Connectors/CheckPointEmailSecurity_CCF/CheckPointEmailSecurity_ConnectorDefinition.json
Solutions/Checkpoint Email Security/Data Connectors/CheckPointEmailSecurity_CCF/CheckPointEmailSecurity_DCR.json
Solutions/Checkpoint Email Security/Data Connectors/CheckPointEmailSecurity_CCF/CheckPointEmailSecurity_PollerConfig.json
Solutions/Checkpoint Email Security/Data Connectors/CheckPointEmailSecurity_CCF/table_CheckPointEmailSecAntiPhishingExceptions.json
Solutions/Checkpoint Email Security/Data Connectors/CheckPointEmailSecurity_CCF/table_CheckPointEmailSecurityAuditLogs.json
Solutions/Checkpoint Email Security/Data Connectors/CheckPointEmailSecurity_CCF/table_CheckPointEmailSecurityEvents.json
Solutions/Checkpoint Email Security/Data Connectors/CheckPointEmailSecurity_CCF/table_CheckPointEmailSecuritySpamExceptions.json
Solutions/Checkpoint Email Security/Package/testParameters.json
(packaging artefacts: 3.0.0.zip, ReleaseNotes.md, SolutionMetadata.json, Solution_CheckPointEmailSecurity.json, createUiDefinition.json, mainTemplate.json)