Summary
For the Check Point MDR team to monitor your Harmony Endpoint Threat Hunting data, we require an integration with your Check Point Infinity Portal.
Important Note: Before completing these steps, your Threat Hunting policy should be enabled, licensed, and configured. Check this link to confirm:
If you require assistance in completing the configuration of your Harmony Endpoint service please contact your Security Engineer.
If you need any assistance with this procedure, please create a ticket in the MDR Portal in the "MDR Support" section or, if you are currently onboarding, reply to your Welcome Email, and we will assist you in a timely manner.
*Note: Ensure the procedure outlined below is completed before adding the integration. We will need these three items filled in on the MDR Portal profile page when adding it:
- Client ID
- Client Secret (Key)
- Client (Authentication) URL
Required: Adding MDR SOC Access
Before submitting the integration on the MDR Portal, please add Daniel Green (danielgree@checkpoint.com) to your Harmony Endpoint user pool. This is our SOC manager, who requires this access to do the following:
- He will add the MDR SOC team to your tenant as read-only so that they can fully investigate malicious alerts seen from your environment.
STEPS:
- Select the Gear icon > Users and select New in the toolbar.
- In the Name field, enter the user name: Daniel Green
- In the Email field, enter the new user's email address: danielgree@checkpoint.com
- In the Global Roles field, select the roles for the new user from the list. You can select multiple roles for each user. Please select "Admin".
- Click Add to save.
Procedure
1) Log in to your Check Point Infinity Portal
2) Select the Gear icon by your Tenant name
*Note: If you have more than one tenant, ensure the correct tenant ID is selected in the drop-down. Select the Gear icon and "General".
3) Select API Keys
4) Click New.
5) Select New account API Key
6) Under the required Service field, find and select "Threat Hunting"
7) Add a description, such as "MDR Threat Hunting", and create.
8) These are the credentials used in the Harmony Endpoint integration located in your MDR Portal in the MDR Profile section. Please copy the Client ID, Secret Key, and Authentication URL for use in the Harmony Endpoint integration. Please note, we will not require the cURL.
9) For a new integration, click the + sign on the Harmony Endpoint integration in your MDR Profile and insert the Client ID, Secret Key, and Authentication URL. Add an Instance Name for this integration if needed (e.g., "Threat Hunting Main Office") and Save.
For an existing integration, click on the green Key symbol in your Harmony Endpoint integration. This will be located in the Implemented Integrations section of your MDR Profile. Insert the Client ID, Secret Key, and Authentication URL. You can also add an Instance Name if needed and Save.
For Customers with the Pay-As-You-Go SKU: You will also need to configure MDR Remediations (Host Isolation) when adding Harmony Endpoint. To complete this, please follow the steps in the guide linked below.
*Note: Please ensure that the Threat Hunting policy is configured and enabled. This guide article will assist in confirming: https://sc1.checkpoint.com/documents/Infinity_Portal/WebAdminGuides/EN/Harmony-Endpoint-Admin-Guide/Common-Topics/Threat-Hunting.htm