[New Integration] Check Point Harmony Email & Collaboration

[cpascale43]

Description

Check Point's Harmony Email & Collaboration monitors traffic across email platforms (Office 365, Gmail); file sharing services (OneDrive, SharePoint, Google Drive, Dropbox, Box, and Citrix ShareFile) and messaging applications (Teams and Slack). It scans emails, files, and messages for malware, DLP and phishing indicators, and intercepts & quarantines potentially malicious emails before they are delivered.

The Elastic integration should ingest security events from each service, enabling users to correlate email and collaboration threats with other security events across their organization's environment.

Refer to the Admin guide for more details: https://sc1.checkpoint.com/documents/Harmony_Email_and_Collaboration/Topics-Harmony-Email-Collaboration-Admin-Guide/Introduction.htm

Dashboard Ideas

Some built-in dashboards could be:

1. Overview
   • Pie chart showing distribution of threats across different email, file sharing and messaging applications
   • Line graph displaying the trend of threats over time
2. Email Security
   • Bar chart or table view of top email threat types (e.g. phishing, malware, spam)
   • Geographical map showing the origin of email threats
3. File Sharing Security
   • Table view of file sharing activities, i.e. uploads, downloads and sharing events
   • Chart showing the distribution of file types involved in security incidents
4. Messaging Application Security
   • List of top risky conversations or channels
   • Timeline of security events in messaging applications
5. DLP
   • Summary of DLP policy violations across applications
   • Chart showing types of sensitive data involved in DLP incidents

Architecture

Security event logs can be fetched via the Email & Collaboration Smart API.

Integration release checklist

This checklist is intended for integrations maintainers to ensure consistency when creating or updating a Package, Module or Dataset for an Integration.

All changes

• [ ] Change follows the contributing guidelines
• [ ] Supported versions of the monitoring target are documented
• [ ] Supported operating systems are documented (if applicable)
• [ ] Integration or System tests exist
• [ ] Documentation exists, useful guidelines to follow
• [ ] Fields follow ECS and naming conventions
• [ ] At least a manual test with ES / Kibana / Agent has been performed.
• [ ] Required Kibana version set to:

Requested by:

• https://github.com/elastic/enhancements/issues/20315
• https://github.com/elastic/enhancements/issues/20256
• https://github.com/elastic/enhancements/issues/20206
• https://github.com/elastic/enhancements/issues/19836

[elasticmachine]

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)