Check Point Exposure Management - Alert Ingestion Anomaly
| Id | 8d3b9c7e-5a2f-4e1d-b6c8-3f9a7e2d1b4c |
| Rulename | Check Point Exposure Management - Alert Ingestion Anomaly |
| Description | Detects when no Check Point Exposure Management alerts have been ingested into the argsentdc_CL table for an extended period. This may indicate a failure in the CCP data connector or the Importer playbook, a misconfigured API token, or network connectivity issues. |
| Severity | Medium |
| Tactics | DefenseEvasion |
| Techniques | T1562 |
| Required data connectors | CheckPointCyberintAlerts |
| Kind | Scheduled |
| Query frequency | 1h |
| Query period | 24h |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Check Point Cyberint Alerts/Analytic Rules/CPEMAlertIngestionAnomaly.yaml |
| Version | 1.0.0 |
| Arm template | 8d3b9c7e-5a2f-4e1d-b6c8-3f9a7e2d1b4c.json |
let lookback = 24h;
let expected_interval = 1h;
let last_record = toscalar(
argsentdc_CL
| where TimeGenerated > ago(lookback)
| summarize max(TimeGenerated)
);
let gap_minutes = datetime_diff('minute', now(), last_record);
// Alert if no records in the last expected_interval, but there WERE records in the lookback period
// (avoids alerting on brand-new deployments with no data yet)
argsentdc_CL
| where TimeGenerated > ago(lookback)
| summarize
LastIngestionTime = max(TimeGenerated),
TotalRecords = count(),
DistinctAlerts = dcount(ref_id)
| where LastIngestionTime < ago(expected_interval)
| extend GapMinutes = datetime_diff('minute', now(), LastIngestionTime)
| project
LastIngestionTime,
GapMinutes,
TotalRecords,
DistinctAlerts,
Message = strcat("No Check Point Exposure Management alerts ingested for ", GapMinutes, " minutes. Last record at ", LastIngestionTime)
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Check Point Cyberint Alerts/Analytic Rules/CPEMAlertIngestionAnomaly.yaml
queryPeriod: 24h
description: |
  Detects when no Check Point Exposure Management alerts have been ingested into the argsentdc_CL table
  for an extended period. This may indicate a failure in the CCP data connector or the
  Importer playbook, a misconfigured API token, or network connectivity issues.
triggerThreshold: 0
name: Check Point Exposure Management - Alert Ingestion Anomaly
triggerOperator: gt
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    matchingMethod: AllEntities
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: 24h
kind: Scheduled
requiredDataConnectors:
  - connectorId: CheckPointCyberintAlerts
    dataTypes:
      - argsentdc_CL
eventGroupingSettings:
  aggregationKind: SingleAlert
suppressionDuration: 5h
queryFrequency: 1h
suppressionEnabled: false
tactics:
  - DefenseEvasion
id: 8d3b9c7e-5a2f-4e1d-b6c8-3f9a7e2d1b4c
status: Available
version: 1.0.0
query: |
  let lookback = 24h;
  let expected_interval = 1h;
  let last_record = toscalar(
      argsentdc_CL
      | where TimeGenerated > ago(lookback)
      | summarize max(TimeGenerated)
  );
  let gap_minutes = datetime_diff('minute', now(), last_record);
  // Alert if no records in the last expected_interval, but there WERE records in the lookback period
  // (avoids alerting on brand-new deployments with no data yet)
  argsentdc_CL
  | where TimeGenerated > ago(lookback)
  | summarize
      LastIngestionTime = max(TimeGenerated),
      TotalRecords = count(),
      DistinctAlerts = dcount(ref_id)
  | where LastIngestionTime < ago(expected_interval)
  | extend GapMinutes = datetime_diff('minute', now(), LastIngestionTime)
  | project
      LastIngestionTime,
      GapMinutes,
      TotalRecords,
      DistinctAlerts,
      Message = strcat("No Check Point Exposure Management alerts ingested for ", GapMinutes, " minutes. Last record at ", LastIngestionTime)
alertDetailsOverride:
  alertDescriptionFormat: '{{Message}}'
  alertDisplayNameFormat: Check Point Exposure Management - Ingestion gap detected ({{GapMinutes}} minutes)
severity: Medium
relevantTechniques:
  - T1562