Incident Response as a Service (IRaaS)

Incident Response as a Service (IRaaS) is the Check Point offering in which a Check Point analyst assesses and responds to end-user reports and requests on your organization's behalf, relieving your SOC/Help Desk team of these responsibilities. This service provides uninterrupted 24/7 coverage and adheres to a concise SLA, ensuring a prompt response.

Activating IRaaS

After your purchase order is processed, Check Point automatically initiates IRaaS. Subsequently, a Check Point analyst analyzes all your end-user reports and takes preventive actions.

To purchase IRaaS, contact your Check Point representative.

Acting on End User Reports

The Check Point analysts review the emails in end-user reports and requests, determine whether they are malicious or benign, and then take action if required:

  • Phishing emails reported by the end users

    • Malicious email - The analyst approves the user report, and the reported email is removed from the user's mailbox.

      To remediate the entire campaign, similar emails are also removed from other users' mailboxes. For more information, see Automatically Quarantining Entire Phishing Campaigns.

    • Benign emails - The analyst rejects the user report, and the email remains in the user's mailbox.

    • Inconclusive - If the analyst cannot determine if the email is malicious or benign, the user report will be approved and the email will be treated as malicious.

  • Quarantined email restore requests by the end users

    • Malicious email - The analyst rejects the request, and the email remains in quarantine.

    • Benign emails - The analyst approves the request, and the email is restored to the user's mailbox.

    • Inconclusive - If the analyst cannot determine if the email is malicious or benign, the user request will be approved and the email will be restored to the user's mailbox.

Automatically Quarantining Entire Phishing Campaigns

When the Check Point analyst approves a user-reported phishing email, Harmony Email & Collaboration detects all the emails in the phishing campaign and quarantines them.

Harmony Email & Collaboration considers an email part of a phishing campaign when all of these characteristics are identical to those of the reported email:

  • Subject

  • From address

  • Reply-to address

  • SPF result

  • Location in the email thread - If the email has multiple responses between the sender and the recipient, then the serial number of the response must be identical.

    For example, consider an employee of a protected organization who received an email (number 1), replied to it (number 2), and then received another response (number 3) from the sender. If the employee reports this response (serial number 3) as phishing, then only other emails that are 3rd in their thread get quarantined.
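The matching rule above, sketched as an added example (not Check Point code) for estimating which copies a campaign sweep would cover and which need separate review. How each field is read from the headers is an assumption: SPF result from Received-SPF, thread position from the References count; the function names and sample messages are constructed.

```python
from email import message_from_string
from email.utils import parseaddr

def campaign_key(raw):
    """Return the five characteristics listed above as one comparable tuple."""
    msg = message_from_string(raw)
    subject = (msg.get("Subject") or "").strip()
    from_addr = parseaddr(msg.get("From") or "")[1]
    reply_to = parseaddr(msg.get("Reply-To") or "")[1]
    # Assumption: the SPF result is the first token of the Received-SPF header.
    spf_tokens = (msg.get("Received-SPF") or "").split()
    spf = spf_tokens[0].lower() if spf_tokens else "none"
    # Assumption: position in thread = message IDs in References + 1.
    position = len((msg.get("References") or "").split()) + 1
    return (subject, from_addr, reply_to, spf, position)

def same_campaign(reported_raw, mailbox):
    """Names of mailbox messages whose key equals the reported message's key."""
    key = campaign_key(reported_raw)
    return [name for name, raw in mailbox.items() if campaign_key(raw) == key]

def build(spf="pass", refs=""):
    """Constructed sample message; all addresses and IDs are made up."""
    lines = ["Subject: Re: Invoice 4471",
             "From: Billing <billing@example.net>",
             "Reply-To: pay@example.org",
             f"Received-SPF: {spf} (constructed sample)"]
    if refs:
        lines.append(f"References: {refs}")
    return "\n".join(lines) + "\n\nbody\n"

# The reported email is the 3rd message in its thread, as in the example above.
REPORTED = build(refs="<a1@example.net> <a2@example.com>")
MAILBOX = {
    "bob-3rd-in-thread": build(refs="<b1@example.net> <b2@example.com>"),
    "carol-1st-in-thread": build(),
    "dave-spf-fail": build(spf="fail", refs="<d1@example.net> <d2@example.com>"),
}

if __name__ == "__main__":
    print(same_campaign(REPORTED, MAILBOX))
```

Messages that differ from the reported email in any one of the five fields fall outside the match and have to be reported or reviewed on their own.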

Feedback to End Users

The Check Point analysts add a justification for every decision they make. The administrators can configure Harmony Email & Collaboration to send email notifications containing the justification for rejected quarantine restore requests and approved or rejected phishing reports.

To configure Harmony Email & Collaboration to send end-user notifications, see Sending Email Notifications to End Users.

Feedback to Administrators

After activating Incident Response as a Service (IRaaS), the administrators receive a daily email containing a summary of all the reports managed by the Check Point analysts.

The report consists of two sections: one for requests to release emails from quarantine and another for phishing emails reported by the user. These sections show various analyzed emails, along with the analyst's justification.

Finding Reports Handled by Check Point Analysts

To view the emails the Check Point analysts managed, go to User Interaction and access Restore Requests or User Reported Phishing. You'll find:

  • Emails with the value Check Point analyst in the Action by column are the emails the Check Point analysts handled.

  • The Action Justification column shows the analyst's reason for the action (approve/decline).

From the Events page, you can view the user-reported phishing events. To filter all events resolved by Check Point analysts:

  1. Go to Events.

  2. Apply the filter Check Point analyst for the Remediated by field.

After opening the security event of an email that was handled by a Check Point analyst, the Email Profile card shows the user comment, action taken and additional details.

Handling Issues with IRaaS

For any issue with IRaaS, contact Check Point Support.