CheckPointHEC
Check Point Harmony Email & Collaboration (HEC) Analyzers
Query the Check Point Harmony Email & Collaboration platform to retrieve security verdicts, phishing classification, and scan results for emails.
Pre-requisites
- A Check Point Infinity Portal account with Harmony Email & Collaboration enabled.
- An Account API Key (Client ID + Secret Key) created in the Infinity Portal:
  - Navigate to Global Settings > API Keys.
  - Create a key scoped to Email & Collaboration.
  - Note: User API keys are not supported; only account-level keys work with the HEC search API.
Configuration
| Parameter | Description | Required | Default |
|---|---|---|---|
| client_id | Infinity Portal API Client ID | Yes | — |
| client_secret | Infinity Portal API Secret Key | Yes | — |
| region | Portal region: us, eu, ca, au, uk, uae, in, sg | Yes | eu |
| saas | SaaS platform to query: office365_emails or google_mail | Yes | office365_emails |
| portal_url | Portal base URL used to build direct links to the email in HEC (e.g. https://COMPANYID.checkpointcloudsec.com) | No | (none) |
Analyzers Overview
1. SearchEmail
- Observable type: file (.eml) or other (a Message-ID)
- Description: Extracts the Message-ID from an .eml file (or takes it directly from an other observable), searches for the email in HEC, and returns full details including security verdicts, email metadata, links, and status flags.
Forwarded email handling
When emails are reported by users to a security mailbox and then imported into TheHive, the .eml is typically a forwarded envelope where the reporter appears as the sender. This analyzer automatically detects if the .eml contains an attached original email (message/rfc822 MIME part) and extracts the Message-ID from the inner message instead. If no inner message is found, it falls back to the outer envelope's Message-ID. This requires no configuration — it works transparently.
Report includes
- Email metadata: subject, sender, recipients, date, size, attachments
- Sender IPs (server and client)
- Email status: direction, quarantined, restored, deleted, user exposed
- Security verdicts from all engines: Anti-Phishing, Anti-Virus, DLP, Click-Time Protection, Shadow IT
- Anti-Phishing scan details with detection reasons
- SPF result and SaaS spam verdict
- Email links and link domains
- Available actions and action history
Artifacts extracted
- Sender email address (mail)
- Sender domain (domain)
- Sender server and client IPs (ip)
- URLs found in the email (url)
- Link domains (domain)
All artifacts are tagged with the HEC verdict (e.g. CPHEC:verdict=phishing).
2. SearchBySender
- Observable type:
mail or file (.eml)
- Description: Searches HEC for all emails from a given sender address. Returns a count, verdict breakdown, and a list of all matching emails with their verdicts and status. When run on an .eml file, the sender address is extracted automatically (with forwarded email unwrapping).
Useful for assessing whether a sender is a repeat offender or broadly compromised.
3. SearchByDomain
- Observable type:
domain or file (.eml)
- Description: Searches HEC for all emails from a given sender domain. Returns the same result structure as SearchBySender. When run on an .eml file, the sender domain is extracted automatically (with forwarded email unwrapping).
Useful for evaluating domain-level reputation across the mailbox estate.
4. SearchByURL
- Observable type:
url
- Description: Searches HEC for all emails containing a specific URL. Returns matching emails with their verdicts and exposure status.
Critical during phishing campaigns to gauge blast radius — how many users received an email with that link, how many read it, how many are still exposed.
5. SearchBySenderIP
- Observable type:
ip or file (.eml)
- Description: Searches HEC for all emails sent from a given server IP. When run on an .eml file, the sender IP is extracted from the first Received header (with forwarded email unwrapping), skipping private IPs when possible.
Useful when sender addresses rotate but the sending infrastructure stays the same.
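The forwarded-email unwrapping described under SearchEmail and the sender/domain/IP extraction described for SearchBySender, SearchByDomain and SearchBySenderIP share one parsing step, so the added example below covers all of them in a single Python block. It is illustration written for this page, not the analyzers' own code: it locates an attached message/rfc822 part and falls back to the outer envelope, reads the Message-ID and From of whichever message wins, and picks the sender IP by scanning Received headers topmost-first for the first public address (falling back to the first address seen when every hop is private). The two .eml inputs are constructed, and 93.184.216.34 stands in for an arbitrary public sender address; how HEC itself expects the Message-ID formatted (with or without angle brackets) is not covered by this page, so the value is returned as found.

```python
"""Added example: unwrap a user-forwarded .eml and pull the values the analyzers search HEC for."""
import ipaddress
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr
from typing import Optional

# Constructed sample 1: a reporter forwards the phish to the security mailbox as an
# attached message, so the outer envelope names the reporter as the sender.
FORWARDED_EML = b"""\
From: Alice Reporter <alice@corp.example>
To: phishing-reports@corp.example
Subject: FW: Invoice overdue
Message-ID: <outer-0001@corp.example>
Received: from mail.corp.example (10.0.0.5) by mx.corp.example; Mon, 3 Mar 2025 10:00:00 +0000
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="outer"

--outer
Content-Type: text/plain

Looks suspicious, please check.

--outer
Content-Type: message/rfc822

Received: from relay.corp.example (192.168.1.10) by mx.corp.example; Mon, 3 Mar 2025 09:58:00 +0000
Received: from bad.sender.example (93.184.216.34) by relay.corp.example; Mon, 3 Mar 2025 09:57:50 +0000
From: "Accounts" <billing@evil.example>
To: bob@corp.example
Subject: Invoice overdue
Message-ID: <inner-4242@evil.example>
Content-Type: text/plain

Pay now: http://evil.example/pay

--outer--
"""

# Constructed sample 2: not forwarded, and its only hop is a private address,
# so the IP fallback has to kick in.
PLAIN_EML = b"""\
From: helpdesk@corp.example
To: bob@corp.example
Subject: Password reset
Message-ID: <plain-7@corp.example>
Received: from printer.corp.example (10.1.2.3) by mx.corp.example; Mon, 3 Mar 2025 11:00:00 +0000
Content-Type: text/plain

Reset your password here.
"""


def unwrap_forwarded(msg: EmailMessage) -> EmailMessage:
    """Return the original message carried in a message/rfc822 part, else msg itself."""
    for part in msg.walk():
        if part.get_content_type() == "message/rfc822":
            inner = part.get_payload(0)  # an rfc822 part's payload is a one-item list
            if isinstance(inner, EmailMessage):
                return inner
    return msg


def message_id(msg: EmailMessage) -> Optional[str]:
    value = msg.get("Message-ID")
    return str(value).strip() if value else None


def sender_address(msg: EmailMessage) -> Optional[str]:
    addr = parseaddr(str(msg.get("From", "")))[1]
    return addr.lower() or None


def sender_domain(msg: EmailMessage) -> Optional[str]:
    addr = sender_address(msg)
    return addr.rsplit("@", 1)[1] if addr and "@" in addr else None


def _ips_in(header_value: str):
    """Yield every IP literal in a Received header; hostnames and timestamps fail ip_address()."""
    for token in re.split(r"[\s\[\]();,<>]+", header_value):
        try:
            yield ipaddress.ip_address(token.removeprefix("IPv6:"))
        except ValueError:
            continue


def sender_ip(msg: EmailMessage) -> Optional[str]:
    """First public IP across the Received headers (topmost hop first); else the first IP seen."""
    seen = [ip for received in msg.get_all("Received", []) for ip in _ips_in(str(received))]
    for ip in seen:
        if ip.is_global:  # skips RFC 1918, loopback, link-local and other non-routable ranges
            return str(ip)
    return str(seen[0]) if seen else None


def pivots(raw_eml: bytes) -> dict:
    """Everything the analyzers would search HEC for, derived from one .eml."""
    outer = message_from_bytes(raw_eml, policy=policy.default)
    inner = unwrap_forwarded(outer)
    return {
        "forwarded": inner is not outer,
        "message_id": message_id(inner),
        "sender": sender_address(inner),
        "sender_domain": sender_domain(inner),
        "sender_ip": sender_ip(inner),
    }


if __name__ == "__main__":
    for name, raw in (("forwarded", FORWARDED_EML), ("plain", PLAIN_EML)):
        print(name, pivots(raw))
```

Running the block on the forwarded sample yields the inner Message-ID, billing@evil.example, evil.example and 93.184.216.34, not the reporter's envelope values; on the plain sample it reports forwarded=False and returns 10.1.2.3 because no public hop exists, which is the "when possible" caveat in the SearchBySenderIP description. A real reported message may carry several Received chains (the reporter's own hops sit in the outer envelope), which is exactly why the IP is taken from the unwrapped inner message.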
Resources
CheckPointHEC_SearchByURL
Author: Fabien Bloume, StrangeBee
License: AGPL-V3
Version: 1.0
Supported observable types:
- url
Registration required: True
Subscription required: True
Free subscription: False
Third party service: https://www.checkpoint.com/harmony/email-security/
Description
Search for all emails containing a specific URL in Check Point Harmony Email & Collaboration and retrieve their security verdicts.
Configuration
| Name | Description | Default | Type | Multiple values | Required |
|---|---|---|---|---|---|
| client_id | Check Point Infinity Portal API Client ID | N/A | string | False | True |
| client_secret | Check Point Infinity Portal API Secret Key | N/A | string | False | True |
| region | Check Point HEC region: us, eu, ca, au, uk, uae, in, sg | eu | string | False | True |
| saas | SaaS platform to query: office365_emails or google_mail | office365_emails | string | False | True |
| portal_url | Check Point HEC portal base URL for direct links (e.g. https://COMPANYID.checkpointcloudsec.com). Optional. | (none) | string | False | False |
Template samples for TheHive
No template samples to display.
CheckPointHEC_SearchByDomain
Author: Fabien Bloume, StrangeBee
License: AGPL-V3
Version: 1.0
Supported observable types:
- domain
- file
Registration required: True
Subscription required: True
Free subscription: False
Third party service: https://www.checkpoint.com/harmony/email-security/
Description
Search for all emails from a sender domain in Check Point Harmony Email & Collaboration. Accepts a domain observable or an .eml file (sender domain is extracted automatically, with forwarded email support).
Configuration
| Name | Description | Default | Type | Multiple values | Required |
|---|---|---|---|---|---|
| client_id | Check Point Infinity Portal API Client ID | N/A | string | False | True |
| client_secret | Check Point Infinity Portal API Secret Key | N/A | string | False | True |
| region | Check Point HEC region: us, eu, ca, au, uk, uae, in, sg | eu | string | False | True |
| saas | SaaS platform to query: office365_emails or google_mail | office365_emails | string | False | True |
| portal_url | Check Point HEC portal base URL for direct links (e.g. https://COMPANYID.checkpointcloudsec.com). Optional. | (none) | string | False | False |
Template samples for TheHive
No template samples to display.
CheckPointHEC_SearchEmail
Author: Fabien Bloume, StrangeBee
License: AGPL-V3
Version: 1.0
Supported observable types:
- file
- other
Registration required: True
Subscription required: True
Free subscription: False
Third party service: https://www.checkpoint.com/harmony/email-security/
Description
Search for an email in Check Point Harmony Email & Collaboration and retrieve its security verdict, phishing confidence, classification and scan results. Accepts an .eml file or a Message-ID as an 'other' observable.
Configuration
| Name | Description | Default | Type | Multiple values | Required |
|---|---|---|---|---|---|
| client_id | Check Point Infinity Portal API Client ID | N/A | string | False | True |
| client_secret | Check Point Infinity Portal API Secret Key | N/A | string | False | True |
| region | Check Point HEC region: us, eu, ca, au, uk, uae, in, sg | eu | string | False | True |
| saas | SaaS platform to query: office365_emails or google_mail | office365_emails | string | False | True |
| portal_url | Check Point HEC portal base URL for direct links (e.g. https://COMPANYID.checkpointcloudsec.com). Optional. | (none) | string | False | False |
Template samples for TheHive
No template samples to display.
CheckPointHEC_SearchBySender
Author: Fabien Bloume, StrangeBee
License: AGPL-V3
Version: 1.0
Supported observable types:
- mail
- file
Registration required: True
Subscription required: True
Free subscription: False
Third party service: https://www.checkpoint.com/harmony/email-security/
Description
Search for all emails from a sender address in Check Point Harmony Email & Collaboration. Accepts a mail observable or an .eml file (sender is extracted automatically, with forwarded email support).
Configuration
| Name | Description | Default | Type | Multiple values | Required |
|---|---|---|---|---|---|
| client_id | Check Point Infinity Portal API Client ID | N/A | string | False | True |
| client_secret | Check Point Infinity Portal API Secret Key | N/A | string | False | True |
| region | Check Point HEC region: us, eu, ca, au, uk, uae, in, sg | eu | string | False | True |
| saas | SaaS platform to query: office365_emails or google_mail | office365_emails | string | False | True |
| portal_url | Check Point HEC portal base URL for direct links (e.g. https://COMPANYID.checkpointcloudsec.com). Optional. | (none) | string | False | False |
Template samples for TheHive
No template samples to display.
CheckPointHEC_SearchBySenderIP
Author: Fabien Bloume, StrangeBee
License: AGPL-V3
Version: 1.0
Supported observable types:
- ip
- file
Registration required: True
Subscription required: True
Free subscription: False
Third party service: https://www.checkpoint.com/harmony/email-security/
Description
Search for all emails from a sender IP in Check Point Harmony Email & Collaboration. Accepts an IP observable or an .eml file (sender IP is extracted from Received headers, with forwarded email support).
Configuration
| Name | Description | Default | Type | Multiple values | Required |
|---|---|---|---|---|---|
| client_id | Check Point Infinity Portal API Client ID | N/A | string | False | True |
| client_secret | Check Point Infinity Portal API Secret Key | N/A | string | False | True |
| region | Check Point HEC region: us, eu, ca, au, uk, uae, in, sg | eu | string | False | True |
| saas | SaaS platform to query: office365_emails or google_mail | office365_emails | string | False | True |
| portal_url | Check Point HEC portal base URL for direct links (e.g. https://COMPANYID.checkpointcloudsec.com). Optional. | (none) | string | False | False |
Template samples for TheHive
No template samples to display.