Data Source

Check Point Email Security (marketed as Check Point Harmony Email and Collaboration, formerly Avanan). The connector ingests from Check Point Infinity Portal via REST API, populating four custom Log Analytics tables:

StreamTableCoverage
Security EventsCheckPointEmailSecurityEvents_CLZero-day, phishing, malware, account takeover, DLP, shadow IT
Anti-Phishing ExceptionsCheckPointEmailSecAntiPhishingExceptions_CLAllow-listed senders/attachments bypassing phishing controls
Spam ExceptionsCheckPointEmailSecuritySpamExceptions_CLAllow-listed senders/IPs bypassing spam filters
Audit LogsCheckPointEmailSecurityAuditLogs_CLAdmin/configuration change activity

Ingestion Mechanism

CCF (Codeless Connector Framework) REST API poller. The connector requires two separate Check Point Infinity Portal API key pairs:

  • Harmony Email and Collaboration API key (Client ID + Client Secret) for security events and exceptions streams
  • Logs as a Service API key (Audit Client ID + Audit Client Secret) for audit logs stream

The DCR (CheckPointEmailSecurityDCR) defines four Custom- stream declarations with distinct column schemas per data type. Multi-tenant deployments are supported; each tenant connection is provisioned independently via the connector UI context pane.

Detection Surface Unlocked

This connector surfaces attacker activity across the email kill-chain:

  • Pre-delivery threats: Phishing, zero-day, and malware in inbound email (CheckPointEmailSecurityEvents_CL with type and severity fields)
  • Exception abuse: Anti-phishing and spam exception lists are frequent attacker persistence targets; CheckPointEmailSecAntiPhishingExceptions_CL and CheckPointEmailSecuritySpamExceptions_CL enable hunting for malicious allow-list additions (T1566.001)
  • Account takeover: Security events include account takeover detections surfaced by Harmony Email behavioral analytics
  • Admin plane changes: CheckPointEmailSecurityAuditLogs_CL captures configuration changes to email security policy, relevant for detecting attacker-driven policy weakening

No bundled Analytic Rules or Hunting Queries are included in this initial release. Detection engineering against these tables will require custom rule authoring.

Operational Notes

  • The connector is marked preview in the connector definition (isPreview: true).
  • Security events schema includes: eventId, customerId, saas, entityId, state, type, confidenceIndicator, eventCreated, severity, data, description, senderAddress, entityLink, actions (dynamic), additionalData, availableEventActions (dynamic).
  • Exception tables include sender email, sender name, recipient, attachment MD5, and sender client IP fields useful for pivoting on known-bad indicators.
  • No parser YAML is included; field normalisation will need to be implemented by the SOC.

Affected Files

Solutions/Checkpoint Email Security/Data Connectors/CheckPointEmailSecurity_CCF/CheckPointEmailSecurity_ConnectorDefinition.json
Solutions/Checkpoint Email Security/Data Connectors/CheckPointEmailSecurity_CCF/CheckPointEmailSecurity_DCR.json
Solutions/Checkpoint Email Security/Data Connectors/CheckPointEmailSecurity_CCF/CheckPointEmailSecurity_PollerConfig.json
Solutions/Checkpoint Email Security/Data Connectors/CheckPointEmailSecurity_CCF/table_CheckPointEmailSecAntiPhishingExceptions.json
Solutions/Checkpoint Email Security/Data Connectors/CheckPointEmailSecurity_CCF/table_CheckPointEmailSecurityAuditLogs.json
Solutions/Checkpoint Email Security/Data Connectors/CheckPointEmailSecurity_CCF/table_CheckPointEmailSecurityEvents.json
Solutions/Checkpoint Email Security/Data Connectors/CheckPointEmailSecurity_CCF/table_CheckPointEmailSecuritySpamExceptions.json
Solutions/Checkpoint Email Security/Package/testParameters.json
(packaging artefacts: 3.0.0.zip, ReleaseNotes.md, SolutionMetadata.json, Solution_CheckPointEmailSecurity.json, createUiDefinition.json, mainTemplate.json)