Checkpoint Harmony and Email Collaboration Integration

.github/CODEOWNERS

@@ -592,6 +592,11 @@ plaid/assets/logs/                                                  @DataDog/saa
 /bitwarden/manifest.json                                             @DataDog/saas-integrations @DataDog/documentation
 /bitwarden/assets/logs/                                              @DataDog/saas-integrations @DataDog/documentation @DataDog/logs-backend
 
+/cp_harmony_ec/                                                      @DataDog/agent-integrations
+/cp_harmony_ec/*.md                                                  @DataDog/agent-integrations @DataDog/documentation
+/cp_harmony_ec/manifest.json                                         @DataDog/agent-integrations @DataDog/documentation
+/cp_harmony_ec/assets/logs/                                          @DataDog/agent-integrations @DataDog/documentation @DataDog/logs-backend @DataDog/logs-core
+
 /klaviyo/                                                            @DataDog/saas-integrations
 /klaviyo/*.md                                                        @DataDog/saas-integrations @DataDog/documentation
 /klaviyo/manifest.json                                               @DataDog/saas-integrations @DataDog/documentation

.github/workflows/config/labeler.yml

@@ -743,6 +743,8 @@ integration/zero_networks:
 - zero_networks/**/*
 integration/zk:
 - zk/**/*
+integration/cp_harmony_ec:
+- cp_harmony_ec/**/*
 qa/skip-qa:
 - '**/__about__.py'
 - requirements-agent-release.txt

cp_harmony_ec/CHANGELOG.md

@@ -0,0 +1,4 @@
+# CHANGELOG - cp_harmony_ec
+
+<!-- towncrier release notes start -->
+

cp_harmony_ec/README.md

@@ -0,0 +1,59 @@
+# Agent Check: cp_harmony_ec
+
+[Checkpoint Harmony Email and Collaboration][1] specializes in cybersecurity for cloud-based communication platforms by providing advanced protection for email and collaboration tools such as Microsoft 365 and Google Workspace. By analyzing email content, user behavior, and threat indicators, Harmony enables features like phishing prevention, malware detection, and data leak protection. This functionality is crucial for safeguarding sensitive information, ensuring business continuity, and enhancing organizational security posture.
+
+## Overview
+
+Here are some insights that can be drawn from the dashboard:
+
+- **Threat Activity Trends**: Monitor types of threats and suspicious email behavior over time.
+Targeted User Analysis: Identify and track the most frequently targeted users.
+- **Sender Insights**: Analyze top sender IP addresses and domains to detect recurring threat sources.
+- **Log Volume Breakdown**: View log volume segmented by matched security tools and verdicts.
+- **Confidence Level Monitoring**: Track trends in detection confidence levels to assess alert reliability.
+- **Domain-Level Analytics**: Examine log volume by customer domain for focused security insights.
+- **Behavioral Monitoring**: Evaluate user and domain behaviors to identify anomalies and potential threats.
+
+## Setup
+
+Set up the [Datadog Forwarder][2].
+
+Configure an [AWS S3 bucket to receive logs][3].
+
+### Installation
+
+The Datadog Agent need not be installed for this integration.
+
+### Configuration
+
+**Configuring the Checkpoint Harmony Email and Collaboration platform to send logs to your S3 bucket**
+- Refer to this [link][4] to more on this.
+
+### Validation
+
+Once the configuration is done, you can validate it by confirming if the logs are being ingested in Datadog Platform.
+
+## Data Collected
+
+### Metrics
+
+cp_harmony_ec does not include any metrics.
+
+### Events
+
+The cp_harmony_ec integration does not include any events.
+
+### Service Checks
+
+The cp_harmony_ec integration does not include any service checks.
+
+## Troubleshooting
+
+Need help? Contact [Datadog support][5].
+
+
+[1]: https://www.checkpoint.com/harmony/email-security/
+[2]: https://docs.datadoghq.com/logs/guide/forwarder/?tab=cloudformation
+[3]: https://sc1.checkpoint.com/documents/Harmony_Email_and_Collaboration/Topics-Harmony-Email-Collaboration-Admin-Guide/Managing-Security-Events/SIEM.htm#Configuring_AWS_S3_to_Receive_Harmony_Email_&_Collaboration_Logs
+[4]: https://sc1.checkpoint.com/documents/Harmony_Email_and_Collaboration/Topics-Harmony-Email-Collaboration-Admin-Guide/Managing-Security-Events/SIEM.htm#Configuring%20SIEM%20Integration
+[5]: https://docs.datadoghq.com/help/

cp_harmony_ec/assets/configuration/spec.yaml

@@ -0,0 +1,10 @@
+name: cp_harmony_ec
+files:
+- name: cp_harmony_ec.yaml
+  options:
+  - template: init_config
+    options:
+    - template: init_config/default
+  - template: instances
+    options:
+    - template: instances/default

cp_harmony_ec/assets/dashboards/cp_harmony_ec_overview.json

@@ -0,0 +1 @@
+{"title":"Checkpoint Harmony Email & Collaboration","description":"[[suggested_dashboards]]","widgets":[{"id":8836026268833507,"definition":{"type":"image","url":"https://blog.checkpoint.com/wp-content/uploads/2023/04/harmony-e-c-logo.png","sizing":"cover","has_background":true,"has_border":true,"vertical_align":"center","horizontal_align":"center"},"layout":{"x":0,"y":0,"width":6,"height":2}},{"id":7993998898478218,"definition":{"title":"Overview","background_color":"vivid_purple","show_title":true,"type":"group","layout_type":"ordered","widgets":[{"id":3825647889435396,"definition":{"title":"Total Number Of Harmony Email Logs","title_size":"16","title_align":"left","type":"query_value","requests":[{"formulas":[{"formula":"query1"}],"queries":[{"name":"query1","data_source":"logs","search":{"query":"source:s3 @event.security_event.entity_info.customer_oem:\"checkpoint\""},"indexes":["*"],"group_by":[],"compute":{"aggregation":"count"},"storage":"hot"}],"response_format":"scalar"}],"autoscale":true,"precision":2},"layout":{"x":0,"y":0,"width":3,"height":3}},{"id":7874962150014080,"definition":{"title":"Log Distribution Of Entity Sub Types","title_size":"16","title_align":"left","requests":[{"response_format":"scalar","queries":[{"name":"query1","data_source":"logs","search":{"query":"source:s3 @event.security_event.entity_info.customer_oem:\"checkpoint\""},"indexes":["*"],"group_by":[{"facet":"@event.security_event.entity_info.entity_sub_type","limit":10,"sort":{"aggregation":"count","order":"desc","metric":"count"},"should_exclude_missing":true}],"compute":{"aggregation":"count"},"storage":"hot"}],"style":{"palette":"datadog16"},"formulas":[{"formula":"query1"}],"sort":{"count":10,"order_by":[{"type":"formula","index":0,"order":"desc"}]}}],"type":"sunburst","legend":{"type":"automatic"}},"layout":{"x":3,"y":0,"width":3,"height":3}},{"id":6192730663112163,"definition":{"title":"Count Of Different Sub Types Of Logs Across Time Period","title_size":"16","title_align":"left","show_legend":true,"legend_layout":"horizontal","legend_columns":["avg","min","max","value","sum"],"type":"timeseries","requests":[{"formulas":[{"formula":"query1"}],"queries":[{"name":"query1","data_source":"logs","search":{"query":"source:s3 @event.entity.entity_info.customer_oem:\"Check Point\""},"indexes":["*"],"group_by":[{"facet":"@event.security_event.entity_info.entity_sub_type","limit":10,"sort":{"aggregation":"count","order":"desc","metric":"event.security_event.entity_info.entity_sub_type"},"should_exclude_missing":true}],"compute":{"aggregation":"count","metric":"event.security_event.entity_info.entity_sub_type"},"storage":"hot"}],"response_format":"timeseries","style":{"palette":"dog_classic","line_type":"solid","line_width":"normal"},"display_type":"line"}],"yaxis":{"scale":"linear","label":"","include_zero":true,"min":"auto","max":"auto"},"markers":[]},"layout":{"x":0,"y":3,"width":6,"height":4}},{"id":6321536884737271,"definition":{"title":"Total Count Of Logs Over Time ","title_size":"16","title_align":"left","show_legend":false,"legend_layout":"auto","legend_columns":["avg","min","max","value","sum"],"type":"timeseries","requests":[{"formulas":[{"alias":"Logs","formula":"query2"}],"queries":[{"name":"query2","data_source":"logs","search":{"query":"source:s3"},"indexes":["*"],"group_by":[],"compute":{"aggregation":"count","metric":"@event.entity.entity_info.customer_oem:\"Check Point\""},"storage":"hot"}],"response_format":"timeseries","style":{"palette":"dog_classic","line_type":"solid","line_width":"normal"},"display_type":"bars"}],"custom_links":[]},"layout":{"x":0,"y":7,"width":6,"height":4}}]},"layout":{"x":6,"y":0,"width":6,"height":12}},{"id":4093866487878199,"definition":{"type":"note","content":"**Harmony Email & Collaboration** is a cloud security solution developed by **Check Point Software Technologies**. It's designed to protect organisations from advanced email-borne threats, collaboration tool exploits, and phishing attacks. This service is part of Check Point’s broader **Harmony security suite**, which focuses on securing users and access points.","background_color":"orange","font_size":"14","text_align":"left","vertical_align":"center","show_tick":true,"tick_pos":"50%","tick_edge":"top","has_padding":true},"layout":{"x":0,"y":2,"width":6,"height":2}},{"id":1456755065968274,"definition":{"title":"Harmony Email Logs","title_size":"16","title_align":"left","requests":[{"response_format":"event_list","query":{"data_source":"logs_stream","query_string":"source:s3 @event.entity.entity_info.customer_oem:\"Check Point\"","indexes":[],"storage":"hot"},"columns":[{"field":"status_line","width":"auto"},{"field":"timestamp","width":"auto"},{"field":"host","width":"auto"},{"field":"service","width":"auto"},{"field":"content","width":"compact"}]}],"type":"list_stream"},"layout":{"x":0,"y":4,"width":6,"height":4}},{"id":863995327645427,"definition":{"title":"Log Distribution Based On Verdict","title_size":"16","title_align":"left","requests":[{"response_format":"scalar","queries":[{"name":"query1","data_source":"logs","search":{"query":"source:s3 @event.entity.entity_info.customer_oem:\"Check Point\""},"indexes":["*"],"group_by":[{"facet":"@event.entity.entity_security_result.findings_summary.verdict","limit":10,"sort":{"aggregation":"count","order":"desc","metric":"count"},"should_exclude_missing":true}],"compute":{"aggregation":"count"},"storage":"hot"}],"style":{"palette":"datadog16"},"formulas":[{"formula":"query1"}],"sort":{"count":10,"order_by":[{"type":"formula","index":0,"order":"desc"}]}}],"type":"sunburst","legend":{"type":"automatic"}},"layout":{"x":0,"y":8,"width":6,"height":4}},{"id":4975462564253324,"definition":{"title":"Threat Insights","title_align":"center","background_color":"vivid_orange","show_title":true,"type":"group","layout_type":"ordered","widgets":[{"id":8931215491222340,"definition":{"type":"note","content":"The following widgets provide a detailed, actionable view of the email security landscape:\n\n-   **Volume of Events by Matched Security Tool:** Displays the number of threats detected by each integrated security tool, helping identify the most active defenses.\n\n-   **Confidence Level Trends Over Time:** Tracks the system’s confidence in detecting threats over time, highlighting any changes in detection reliability.\n\n-   **Events per Policy Rule ID:** Breaks down security events by specific policy rules, helping optimize email security policies based on threat trends.","background_color":"orange","font_size":"14","text_align":"left","vertical_align":"center","show_tick":true,"tick_pos":"50%","tick_edge":"top","has_padding":true},"layout":{"x":0,"y":0,"width":7,"height":2}},{"id":8463520283531992,"definition":{"title":"Volume Of Logs By Matched Security Tool","title_size":"16","title_align":"left","type":"toplist","requests":[{"queries":[{"name":"query1","data_source":"logs","search":{"query":"source:s3 @event.entity.entity_info.customer_oem:\"Check Point\""},"indexes":["*"],"group_by":[{"facet":"@event.security_event.entity_payload.matched_security_tool","limit":10,"sort":{"aggregation":"count","order":"desc","metric":"count"},"should_exclude_missing":true}],"compute":{"aggregation":"count"},"storage":"hot"}],"response_format":"scalar","formulas":[{"formula":"query1"}],"sort":{"count":10,"order_by":[{"type":"formula","index":0,"order":"desc"}]}}],"style":{"display":{"type":"stacked","legend":"automatic"}}},"layout":{"x":7,"y":0,"width":5,"height":3}},{"id":8270078606174810,"definition":{"title":"Logs Per Policy Rule ID","title_size":"16","title_align":"left","requests":[{"response_format":"event_list","query":{"data_source":"logs_transaction_stream","query_string":"source:s3 @event.entity.entity_info.customer_oem:\"Check Point\"","indexes":[],"group_by":[{"facet":"@event.security_event.entity_payload.policy_rule_id"}],"compute":[{"facet":"count","aggregation":"count"}],"storage":"hot"},"columns":[{"field":"group_by","width":"auto"},{"field":"timeline","width":"auto"},{"field":"max_severity","width":"auto"},{"field":"count:count","width":"auto"}]}],"type":"list_stream"},"layout":{"x":0,"y":2,"width":7,"height":4}},{"id":4217704201707174,"definition":{"title":"Confidence Level Trends Over Time","title_size":"16","title_align":"left","show_legend":false,"legend_layout":"auto","legend_columns":["avg","min","max","value","sum"],"type":"timeseries","requests":[{"formulas":[{"alias":"Confidence","formula":"query1"}],"queries":[{"name":"query1","data_source":"logs","search":{"query":"source:s3 @event.entity.entity_info.customer_oem:\"Check Point\""},"indexes":["*"],"group_by":[{"facet":"@event.security_event.entity_payload.confidence_level","limit":10,"sort":{"aggregation":"count","order":"desc","metric":"count"},"should_exclude_missing":true}],"compute":{"aggregation":"count"},"storage":"hot"}],"response_format":"timeseries","style":{"palette":"dog_classic","order_by":"values","line_type":"solid","line_width":"normal"},"display_type":"line"}]},"layout":{"x":7,"y":3,"width":5,"height":3}}]},"layout":{"x":0,"y":12,"width":12,"height":7,"is_column_break":true}},{"id":8847248388408997,"definition":{"title":"User & Domain Activity","title_align":"center","background_color":"vivid_orange","show_title":true,"type":"group","layout_type":"ordered","widgets":[{"id":6732160704211971,"definition":{"type":"note","content":"The following widgets provide a detailed, actionable view of the email security landscape:\n\n-   **Top Sender Domains:** Displays the most frequent email domains sending messages to the organization, highlighting potential sources of spam or malicious content.\n\n-   **Top Sender IPs:** Identifies the top IP addresses sending emails, helping to detect suspicious or unauthorized sources.\n\n-   **Top Targeted Users:** Lists the users who receive the highest volume of suspicious or targeted emails, aiding in identifying potential internal threats.\n\n-   **Event Volume by Customer Domain:** Shows the volume of security events originating from different customer domains, helping to assess the security posture across external partnerships.","background_color":"orange","font_size":"14","text_align":"left","vertical_align":"center","show_tick":true,"tick_pos":"50%","tick_edge":"top","has_padding":true},"layout":{"x":0,"y":0,"width":6,"height":2}},{"id":2665392346033412,"definition":{"title":"Top Sender Domains","title_size":"16","title_align":"left","type":"toplist","requests":[{"queries":[{"name":"query1","data_source":"logs","search":{"query":"source:s3 @event.entity.entity_info.customer_oem:\"Check Point\""},"indexes":["*"],"group_by":[{"facet":"@event.entity.entity_payload.from_domain","limit":15,"sort":{"aggregation":"count","order":"desc","metric":"count"},"should_exclude_missing":true}],"compute":{"aggregation":"count"},"storage":"hot"}],"response_format":"scalar","formulas":[{"formula":"query1"}],"sort":{"count":15,"order_by":[{"type":"formula","index":0,"order":"desc"}]}}],"style":{"display":{"type":"stacked","legend":"automatic"}}},"layout":{"x":6,"y":0,"width":6,"height":3}},{"id":5002809591961022,"definition":{"title":"Top Sender IPs","title_size":"16","title_align":"left","type":"toplist","requests":[{"queries":[{"name":"query1","data_source":"logs","search":{"query":"source:s3 @event.entity.entity_info.customer_oem:\"Check Point\""},"indexes":["*"],"group_by":[{"facet":"@event.entity.entity_payload.sender_server_ip","limit":15,"sort":{"aggregation":"count","order":"desc","metric":"count"},"should_exclude_missing":true}],"compute":{"aggregation":"count"},"storage":"hot"}],"response_format":"scalar","formulas":[{"formula":"query1"}],"sort":{"count":15,"order_by":[{"type":"formula","index":0,"order":"desc"}]}}],"style":{"display":{"type":"stacked","legend":"automatic"}}},"layout":{"x":0,"y":2,"width":6,"height":2}},{"id":4555049744646829,"definition":{"title":"Volume By Customer Domain","title_size":"16","title_align":"left","type":"toplist","requests":[{"queries":[{"name":"query1","data_source":"logs","search":{"query":"source:s3 @event.entity.entity_info.customer_oem:\"Check Point\""},"indexes":["*"],"group_by":[{"facet":"@event.entity.entity_info.customer_domain","limit":15,"sort":{"aggregation":"count","order":"desc","metric":"count"},"should_exclude_missing":true}],"compute":{"aggregation":"count"},"storage":"hot"}],"response_format":"scalar","formulas":[{"formula":"query1"}],"sort":{"count":15,"order_by":[{"type":"formula","index":0,"order":"desc"}]}}],"style":{"display":{"type":"stacked","legend":"automatic"}}},"layout":{"x":6,"y":3,"width":6,"height":3}},{"id":2111249869047077,"definition":{"title":"Most Targeted Users ","title_size":"16","title_align":"left","type":"toplist","requests":[{"queries":[{"name":"query1","data_source":"logs","search":{"query":"source:s3 @event.entity.entity_info.customer_oem:\"Check Point\""},"indexes":["*"],"group_by":[{"facet":"@event.entity.saas_info.saas_actor_id","limit":15,"sort":{"aggregation":"count","order":"desc","metric":"count"},"should_exclude_missing":true}],"compute":{"aggregation":"count"},"storage":"hot"}],"response_format":"scalar","formulas":[{"formula":"query1"}],"sort":{"count":15,"order_by":[{"type":"formula","index":0,"order":"desc"}]}}],"style":{"display":{"type":"stacked","legend":"automatic"}}},"layout":{"x":0,"y":4,"width":6,"height":2}}]},"layout":{"x":0,"y":19,"width":12,"height":7}}],"template_variables":[],"layout_type":"ordered","notify_list":[],"reflow_type":"fixed"}

cp_harmony_ec/assets/logs/cp-harmony-ec.yaml

@@ -0,0 +1,80 @@
+id: cp-harmony-ec
+metric_id: cp-harmony-ec
+backend_only: false
+facets:
+  - groups:
+      - Event
+    name: Event Name
+    path: evt.name
+    source: log
+  - groups:
+      - User
+    name: User Email
+    path: usr.email
+    source: log
+  - groups:
+      - Web Access
+    name: Client IP
+    path: network.client.ip
+    source: log
+  - description: ""
+    facetType: list
+    groups:
+      - Checkpoint Harmony Email and Collaboration
+    name: Entity Sub Type
+    path: event.security_event.entity_info.entity_sub_type
+    source: log
+    type: string
+pipeline:
+  type: pipeline
+  name: Checkpoint Harmony Email and Collaboration
+  enabled: true
+  filter:
+    query: source:cp-harmony-ec
+  processors:
+    - type: attribute-remapper
+      name: "Remapper : Map `event.security_event.entity_info.entity_sub_type` to
+        `evt.name`"
+      enabled: true
+      sources:
+        - event.security_event.entity_info.entity_sub_type
+      sourceType: attribute
+      target: evt.name
+      targetType: attribute
+      preserveSource: true
+      overrideOnConflict: false
+    - type: attribute-remapper
+      name: " Remapper : Map `saas_actor_id` to `usr.email`"
+      enabled: true
+      sources:
+        - event.entity.saas_info.saas_actor_id
+      sourceType: attribute
+      target: usr.email
+      targetType: attribute
+      preserveSource: true
+      overrideOnConflict: false
+    - type: attribute-remapper
+      name: " Remapper : Map `sender_server_ip` to `network.client.ip`"
+      enabled: true
+      sources:
+        - event.entity.entity_payload.sender_server_ip
+      sourceType: attribute
+      target: network.client.ip
+      targetType: attribute
+      preserveSource: true
+      overrideOnConflict: false
+    - type: attribute-remapper
+      name: "Remapper : Map `event.entity.time` to `timestamp`"
+      enabled: true
+      sources:
+        - event.entity.time
+      sourceType: attribute
+      target: timestamp
+      targetType: attribute
+      preserveSource: true
+      overrideOnConflict: false
+    - type: date-remapper
+      name: Define `timestamp` as the official date of the log
+      enabled: true
+      sources:
+        - timestamp