# Checkpoint XDR

Checkpoint XDR is a security platform that provides extended detection and response capabilities across various environments. Checkpoint XDR is a comprehensive extended detection and response platform that provides advanced threat prevention and incident response capabilities.

The Checkpoint XDR connector for Swimlane Turbine allows users to seamlessly integrate Checkpoint's incident management capabilities into their security automation workflows. By leveraging this integration, Swimlane Turbine users can efficiently retrieve and manage incidents, apply advanced filtering, and normalize data into the Turbine schema for enhanced analysis and response. This integration empowers security teams to streamline their incident response processes, reduce manual effort, and improve overall security posture.

## Prerequisites

Before you can use the Checkpoint XDR connector for Turbine, you'll need access to the Checkpoint XDR API. This requires the following:

- Custom authentication using Check Point XDR external client credentials
- URL: the endpoint for accessing Checkpoint XDR services
- Client ID: unique identifier for your application
- Access Key: key used to authenticate API requests
- Client Key: secret key associated with your Client ID

## Capabilities

This connector provides the following capabilities:

Capabilities go here, e.g. "manage firewall policies", instead of listing each individual task.

## Limitations

Include information about known limitations here, including supported or minimum versions, especially known unsupported versions.

## Asset Setup

The content here should discuss asset setup in a conversational manner. Be sure to include any known login and test connection errors.

## Task Setup

Special task setup as needed depending on the plugin; exclude if empty. Known available/allowed input options from enum type selection.

## Notes

Any other notes not fitting other sections go here. Any reference URLs to external docs or other resources.

## Configurations

### Check Point XDR External Client Authentication

Authenticates using Check Point XDR external client credentials (clientId and accessKey).

Configuration parameters:

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| URL | Base URL for the Check Point XDR gateway | string | Required |
| Client ID | External client ID (UUID) | string | Required |
| Access Key | External client access key (UUID) | string | Required |
| ck | External client key identifier | string | Required |
| Verify SSL | Verify SSL certificate | boolean | Optional |
| HTTP Proxy | A proxy to route requests through | string | Optional |

## Actions

### List Incidents

Retrieve paginated Checkpoint XDR incidents with optional filtering by time, limit, and offset. Optionally return results as normalized Turbine schema alerts.

Endpoint URL: `/app/xdr/api/xdr/v1/incidents`

Method: `GET`

#### Input

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.filterBy | string | required | The time field to filter incidents by |
| parameters.from | string | optional | Start date of the time frame (ISO 8601). Example: 2024-10-30T12:00:00Z. Defaults to 7 days ago |
| parameters.to | string | optional | End date of the time frame (ISO 8601). Example: 2024-10-30T12:00:00Z. Defaults to today |
| parameters.limit | integer | optional | Maximum number of incidents to return. Default is 1000 |
| parameters.offset | integer | optional | Number of incidents to skip for pagination. Default is 0 |
| parameters.return_as_turbine_schema | boolean | optional | If true, returns results as normalized Turbine schema alerts instead of the raw API response |
| parameters.alert_organization | string | optional | Optional organization name to include in the Turbine schema alert. Used only when return_as_turbine_schema is true |
| parameters.ioc_types | array | optional | List of observable types to extract. Supported: ipv4 public, ipv4 private, ipv6 public, ipv6 private, domain, url, email, sha1, sha256, md5. If omitted or empty, all types are extracted |
| parameters.domains_ignore_list | string | optional | Comma-separated domain values to exclude from observable extraction |
| parameters.ip_cidr_ignore_list | string | optional | Comma-separated CIDR ranges to exclude from observable extraction |
| parameters.regex_ignore | string | optional | Regex pattern — any observable value matching this pattern is excluded |
| parameters.ioc_ignore_paths | array | optional | Array of slash-separated field paths to strip from each alert before extracting observables. Supports wildcards (`*`) and nested paths. Example: `["processCommandLine", "context/*/ipAddress"]` |

Input example:

```json
{"parameters": {"filterBy": "updatedAt", "from": "string", "to": "string", "limit": 1000, "offset": 123, "return_as_turbine_schema": true, "alert_organization": "string", "ioc_types": ["string"], "domains_ignore_list": "string", "ip_cidr_ignore_list": "string", "regex_ignore": "string", "ioc_ignore_paths": ["string"]}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | integer | HTTP status code of the response |
| incidents | array | Raw list of incidents (when return_as_turbine_schema is false) |
| incidents.id | string | Unique identifier |
| incidents.displayId | integer | Unique identifier |
| incidents.summary | string | Unique identifier |
| incidents.status | string | Unique identifier |
| incidents.severity | string | Unique identifier |
| incidents.confidence | string | Unique identifier |
| incidents.priority | string | Unique identifier |
| incidents.isPrevented | boolean | Unique identifier |
| incidents.followup | boolean | Unique identifier |
| incidents.assignee | string | Unique identifier |
| incidents.assigneeName | string | Unique identifier |
| incidents.assigneeEmail | string | Unique identifier |
| incidents.tenantId | string | Unique identifier |
| incidents.createdAt | string | Unique identifier |
| incidents.updatedAt | string | Unique identifier |
| incidents.firstSeen | string | Unique identifier |
| incidents.lastSeen | string | Unique identifier |
| incidents.mitreTactics | array | Unique identifier |
| incidents.mitreTechniques | array | Unique identifier |
| incidents.sensors | array | Unique identifier |
| incidents.indicators | array | Unique identifier |
| incidents.indicators.type | string | Unique identifier |
| incidents.indicators.value | string | Unique identifier |

Output example:

```json
{"incidents": [{"id": "12345678-1234-1234-1234-123456789abc", "displayId": 123, "summary": "string", "status": "active", "severity": "string", "confidence": "string", "priority": "string", "isPrevented": true, "followup": true, "assignee": "string", "assigneeName": "example name", "assigneeEmail": "string", "tenantId": "string", "createdAt": "string", "updatedAt": "string"}], "alerts": [{"alert_uid": "string", "alert_title": "string", "alert_description": "string", "alert_severity": "string", "alert_priority": "string", "alert_creat
```

#### Response headers

| Header | Description | Example |
| --- | --- | --- |
| Content-Type | The media type of the resource | application/json |
| Date | The date and time at which the message was originated | Thu, 01 Jan 2024 00:00:00 GMT |
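The observable-extraction options of the List Incidents action (ioc_types, domains_ignore_list, ip_cidr_ignore_list, regex_ignore, ioc_ignore_paths) describe a pipeline the page does not show. The following is an added example, not the connector's own code: `strip_path` and `extract_observables` are hypothetical names, the alert is constructed (its field names follow the page's `context/*/ipAddress` example), only two of the ten observable types are matched with deliberately small regexes, and treating the domain ignore list as also covering subdomains is an assumption.

```python
import copy, ipaddress, json, re

# Constructed sample alert (not real data); field names follow the page's ioc_ignore_paths example.
SAMPLE_ALERT = {
    "processCommandLine": "curl http://dl.example.net/a.sh",
    "context": [{"ipAddress": "10.0.0.5", "hostName": "ws-01.corp.example.com"}],
    "indicators": [{"value": "cdn.example.org"}, {"value": "8.8.8.8"}, {"value": "172.16.4.20"}],
}
PATTERNS = {  # deliberately small matchers for two of the page's observable types
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I),
}

def strip_path(node, path):
    """Delete the field at a slash-split path in place; '*' matches any key or list item."""
    head, rest = path[0], path[1:]
    if isinstance(node, list):  # a list consumes '*'; any other head applies to every item
        if head == "*" and not rest:
            node.clear()
        for item in node:
            strip_path(item, rest if head == "*" else path)
    elif isinstance(node, dict):
        for key in (list(node) if head == "*" else [head] if head in node else []):
            if rest: strip_path(node[key], rest)
            else: del node[key]

def extract_observables(alert, ioc_types=(), domains_ignore_list="", ip_cidr_ignore_list="",
                        regex_ignore="", ioc_ignore_paths=()):
    """Return sorted (type, value) pairs after applying the page's ignore options."""
    alert = copy.deepcopy(alert)  # stripping must not mutate the caller's alert
    for path in ioc_ignore_paths:
        strip_path(alert, path.split("/"))
    skip_domains = [d.strip().lower() for d in domains_ignore_list.split(",") if d.strip()]
    skip_nets = [ipaddress.ip_network(c.strip()) for c in ip_cidr_ignore_list.split(",") if c.strip()]
    skip_re = re.compile(regex_ignore) if regex_ignore else None
    text = json.dumps(alert)  # scan the serialised alert so every nested value is covered
    found = set()
    for kind, pattern in PATTERNS.items():
        for value in pattern.findall(text):
            label, v = kind, value.lower()
            if kind == "ipv4":
                try: ip = ipaddress.ip_address(value)
                except ValueError: continue  # e.g. 999.1.1.1 slipped through the loose regex
                if any(ip in net for net in skip_nets): continue
                label = "ipv4 private" if ip.is_private else "ipv4 public"
            elif kind == "domain" and any(v == d or v.endswith("." + d) for d in skip_domains):
                continue  # assumption: the domain ignore list also covers subdomains
            if (skip_re and skip_re.search(value)) or (ioc_types and label not in ioc_types): continue
            found.add((label, value))
    return sorted(found)
```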