@@ -0,0 +1,47 @@
from __future__ import annotations
import yaml

from TIPCommon.validation import ParameterValidator

from ..core.base_action import BaseAction
from ..core.constants import CREATE_ANOMALY_EXC_SCRIPT_NAME

SUCCESS_MESSAGE: str = "Successfully created Anomaly exception!"
ERROR_MESSAGE: str = "Failed creating Anomaly exception!"


class CreateAnomalyException(BaseAction):
Contributor


medium

Classes and methods should have Google-style docstrings to improve maintainability and readability.

References
  1. Follow the Google Style Docstrings for all modules, classes, and functions. (link)


def __init__(self) -> None:
super().__init__(CREATE_ANOMALY_EXC_SCRIPT_NAME)
self.output_message: str = SUCCESS_MESSAGE
self.error_output_message: str = ERROR_MESSAGE

def _extract_action_parameters(self) -> None:
self.params.request_json = self.soar_action.extract_action_param(
param_name="Request JSON",
print_value=True,
is_mandatory=True
)
self.params.added_by = self.soar_action.extract_action_param(
param_name="Added By",
print_value=True,
is_mandatory=False
)

def _validate_params(self) -> None:
validator: ParameterValidator = ParameterValidator(self.soar_action)
validator.validate_json(param_name="Request JSON", json_string=self.params.request_json)

def _perform_action(self, _=None) -> None:
request_json = yaml.safe_load(self.params.request_json)
added_by = self.params.added_by
self.json_results = self.api_client.create_anomaly_exception(request_json=request_json, added_by=added_by)
Contributor


medium

Since this action assigns a value to self.json_results, a corresponding JSON example file must be provided in the resources/ directory following the naming convention: resources/create_anomaly_exc_JsonResult_example.json.

References
  1. If a JSON result is detected, a corresponding JSON example file must exist in the integration's resources/ directory. (link)



def main() -> None:
CreateAnomalyException().run()


if __name__ == "__main__":
main()
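Review bot: `_perform_action` parses `Request JSON` with `yaml.safe_load`, while `_validate_params` checks the same string with `validate_json`, so the text that was validated and the object sent to `create_anomaly_exception` come from two different parsers. YAML and JSON do not agree on every input, and because this payload defines a detection exception, the value that was validated should be the value that is sent: `request_json = json.loads(self.params.request_json)` (with `import json` replacing `import yaml`), or reuse the return value of `validate_json` if that method returns the parsed object. Nothing visible here checks that the parsed result is an object, so a top-level list or string would presumably pass as well; a guard such as `if not isinstance(request_json, dict): raise ValueError("Request JSON must be a JSON object")` before the API call would reject it.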
@@ -0,0 +1,17 @@
creator: admin
description: Create an exception for Anomaly Security Tool.
dynamic_results_metadata: []
integration_identifier: CheckPointHEC
name: Create Anomaly Exception
parameters:
- default_value: '{}'
description: Anomaly exception request in JSON format.
is_mandatory: true
name: Request JSON
type: string
- default_value: ''
description: User id exception creator
is_mandatory: false
name: Added By
type: string
script_result_name: is_success
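Review bot: `Request JSON` is marked `is_mandatory: true` but ships with `default_value: '{}'`, so the mandatory check is presumably satisfied by the default, and an empty object is valid JSON. Running the action with untouched defaults would then submit an empty exception request. Consider `default_value: ''` so the operator has to supply the payload. The `Added By` description, `User id exception creator`, would read better as `ID of the user recorded as the creator of the exception.`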
@@ -0,0 +1,170 @@
from ..core.base_action import BaseAction
from ..core.constants import CREATE_AP_EXC_SCRIPT_NAME

SUCCESS_MESSAGE: str = "Successfully created Anti-Phishing exception!"
ERROR_MESSAGE: str = "Failed creating Anti-Phishing exception!"


class CreateAPException(BaseAction):

def __init__(self) -> None:
super().__init__(CREATE_AP_EXC_SCRIPT_NAME)
self.output_message: str = SUCCESS_MESSAGE
self.error_output_message: str = ERROR_MESSAGE

def _extract_action_parameters(self) -> None:
self.params.exception_type = self.soar_action.extract_action_param(
param_name="Exception Type",
print_value=True,
is_mandatory=True,
default_value=None,
)
self.params.entity_id = self.soar_action.extract_action_param(
param_name="Entity ID",
print_value=True,
is_mandatory=False
)
self.params.attachment_md5 = self.soar_action.extract_action_param(
param_name="Attachment MD5",
print_value=True,
is_mandatory=False
)
self.params.from_email = self.soar_action.extract_action_param(
param_name="From Email",
print_value=True,
is_mandatory=False
)
self.params.nickname = self.soar_action.extract_action_param(
param_name="Nickname",
print_value=True,
is_mandatory=False
)
self.params.recipient = self.soar_action.extract_action_param(
param_name="Recipient",
print_value=True,
is_mandatory=False
)
self.params.sender_client_ip = self.soar_action.extract_action_param(
param_name="Sender Client IP",
print_value=True,
is_mandatory=False
)
self.params.from_domain_ends_with = self.soar_action.extract_action_param(
param_name="From Domain Ends With",
print_value=True,
is_mandatory=False
)
self.params.sender_ip = self.soar_action.extract_action_param(
param_name="Sender IP",
print_value=True,
is_mandatory=False
)
self.params.email_link = self.soar_action.extract_action_param(
param_name="Email Link",
print_value=True,
is_mandatory=False
)
self.params.subject = self.soar_action.extract_action_param(
param_name="Subject",
print_value=True,
is_mandatory=False
)
self.params.comment = self.soar_action.extract_action_param(
param_name="Comment",
print_value=True,
is_mandatory=False
)
self.params.action_needed = self.soar_action.extract_action_param(
param_name="Action Needed",
print_value=True,
is_mandatory=False
)
self.params.ignoring_spf_check = self.soar_action.extract_action_param(
param_name="Ignoring SPF Check",
print_value=True,
is_mandatory=False,
input_type=bool
)
self.params.subject_matching = self.soar_action.extract_action_param(
param_name="Subject Matching",
print_value=True,
is_mandatory=False
)
self.params.email_link_matching = self.soar_action.extract_action_param(
param_name="Email Link Matching",
print_value=True,
is_mandatory=False
)
self.params.from_name_matching = self.soar_action.extract_action_param(
param_name="From Name Matching",
print_value=True,
is_mandatory=False
)
self.params.from_domain_matching = self.soar_action.extract_action_param(
param_name="From Domain Matching",
print_value=True,
is_mandatory=False
)
self.params.from_email_matching = self.soar_action.extract_action_param(
param_name="From Email Matching",
print_value=True,
is_mandatory=False
)
self.params.recipient_matching = self.soar_action.extract_action_param(
param_name="Recipient Matching",
print_value=True,
is_mandatory=False
)

def _perform_action(self, _=None) -> None:
exception_type = self.params.exception_type
entity_id = self.params.entity_id
attachment_md5 = self.params.attachment_md5
from_email = self.params.from_email
nickname = self.params.nickname
recipient = self.params.recipient
sender_client_ip = self.params.sender_client_ip
from_domain_ends_with = self.params.from_domain_ends_with
sender_ip = self.params.sender_ip
email_link = self.params.email_link
subject = self.params.subject
comment = self.params.comment
action_needed = self.params.action_needed
ignoring_spf_check = self.params.ignoring_spf_check
subject_matching = self.params.subject_matching
email_link_matching = self.params.email_link_matching
from_name_matching = self.params.from_name_matching
from_domain_matching = self.params.from_domain_matching
from_email_matching = self.params.from_email_matching
recipient_matching = self.params.recipient_matching

exception = {
"entityId": entity_id,
"attachmentMd5": attachment_md5,
"senderEmail": from_email,
"senderName": nickname,
"recipient": recipient,
"senderClientIp": sender_client_ip,
"senderDomain": from_domain_ends_with,
"senderIp": sender_ip,
"linkDomains": email_link,
"subject": subject,
"comment": comment,
"actionNeeded": action_needed,
"ignoringSpfCheck": ignoring_spf_check,
"subjectMatching": subject_matching,
"linkDomainMatching": email_link_matching,
"senderNameMatching": from_name_matching,
"senderDomainMatching": from_domain_matching,
"senderEmailMatching": from_email_matching,
"recipientMatching": recipient_matching,
}
self.api_client.create_ap_exception(exception_type, exception)


def main() -> None:
CreateAPException().run()


if __name__ == "__main__":
main()
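Review bot: Two `param_name` values in `_extract_action_parameters` do not match the action definition added in this pull request: the script reads `Nickname` and `Recipient`, while the YAML declares `Sender Name` and `Recipient Email`. Unless the platform maps them elsewhere, `senderName` and `recipient` will always be sent empty, so the resulting exception is built from fewer conditions than the operator entered; use `param_name="Sender Name"` and `param_name="Recipient Email"`. Unlike `CreateAnomalyException`, this class defines no `_validate_params`, so a request with every criterion left blank reaches `create_ap_exception`; a check that at least one criterion is set, and that `Attachment MD5` is 32 hex characters, would catch that before the API call.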
@@ -0,0 +1,135 @@
creator: admin
description: Create an exception for Anti-Phishing or Anti-Spam Security Tool.
dynamic_results_metadata: []
integration_identifier: CheckPointHEC
name: Create Anti-Phishing Exception
parameters:
- default_value: ''
description: Anti-Phishing or Anti-Spam exception type.
is_mandatory: true
name: Exception Type
type: ddl
optional_values:
- whitelist
- blacklist
- spam_whitelist
- default_value: ''
description: Entity ID.
is_mandatory: false
name: Entity ID
type: string
- default_value: ''
description: File attachment MD5 checksum.
is_mandatory: false
name: Attachment MD5
type: string
- default_value: ''
description: Sender email.
is_mandatory: false
name: From Email
type: string
- default_value: ''
description: Sender name.
is_mandatory: false
name: Sender Name
type: string
- default_value: ''
description: Email recipient.
is_mandatory: false
name: Recipient Email
type: string
- default_value: ''
description: Sender client IP.
is_mandatory: false
name: Sender Client IP
type: string
- default_value: ''
description: From domain ends with.
is_mandatory: false
name: From Domain Ends With
type: string
- default_value: ''
description: Sender IP.
is_mandatory: false
name: Sender IP
type: string
- default_value: ''
description: Email link or links separated by comma.
is_mandatory: false
name: Email Link
type: string
- default_value: ''
description: Email subject.
is_mandatory: false
name: Subject
type: string
- default_value: ''
description: Exception comment.
is_mandatory: false
name: Comment
type: string
- default_value: ''
description: Action needed.
is_mandatory: false
name: Action Needed
type: string
- default_value: false
description: Ignoring SPF check.
is_mandatory: false
name: Ignoring SPF Check
type: boolean
- default_value: ''
description: Subject field condition.
is_mandatory: false
name: Subject Matching
type: ddl
optional_values:
- matching
- contains
- exact
- default_value: ''
description: Email link field condition.
is_mandatory: false
name: Email Link Matching
type: ddl
optional_values:
- matching
- contains
- exact
- default_value: ''
description: From name field condition.
is_mandatory: false
name: From Name Matching
type: ddl
optional_values:
- matching
- contains
- exact
- default_value: ''
description: From domain field condition.
is_mandatory: false
name: From Domain Matching
type: ddl
optional_values:
- contains
- ends_with
- exact
- default_value: ''
description: From email field condition.
is_mandatory: false
name: From Email Matching
type: ddl
optional_values:
- matching
- contains
- exact
- default_value: ''
description: Recipient field condition.
is_mandatory: false
name: Recipient Matching
type: ddl
optional_values:
- matching
- contains
- exact
script_result_name: is_success
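Review bot: Several descriptions only restate the parameter name (`Ignoring SPF check.`, `Action needed.`, `Entity ID.`), which tells the operator nothing about the effect or the accepted values. This matters most for the options that relax filtering: `Exception Type` should say which values allow mail and which block it, and `Ignoring SPF Check` should say what is skipped when it is enabled, for example `description: If enabled, the exception applies even when the message fails the SPF check.` (wording to be confirmed against the product documentation). The `ddl` parameters also default to `''`, which is not one of their `optional_values`; whether the API accepts an empty matching mode is not visible here.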
@@ -0,0 +1,24 @@
from ..core.create_sectool_exc import CreateSectoolException
from ..core.constants import AVANAN_DLP_SAAS_NAME, CREATE_AVDLP_EXC_SCRIPT_NAME

SUCCESS_MESSAGE: str = "Successfully created Avanan DLP exception!"
ERROR_MESSAGE: str = "Failed creating Avanan DLP exception!"


class CreateAVDLPException(CreateSectoolException):

def __init__(self) -> None:
super().__init__(
name=CREATE_AVDLP_EXC_SCRIPT_NAME,
output_message=SUCCESS_MESSAGE,
error_output=ERROR_MESSAGE,
sectool_name=AVANAN_DLP_SAAS_NAME
)


def main() -> None:
CreateAVDLPException().run()


if __name__ == "__main__":
main()