SIEM / SOAR Integration
Harmony Email & Collaboration can integrate with multiple Security Information and Event Management (SIEM) platforms and with Cortex XSOAR by Palo Alto Networks.
Encryption - For SIEM integration, unless configured otherwise, all events are forwarded over HTTPS.
Source IP Address
Harmony Email & Collaboration can be deployed in one of several geographic regions. Security events are forwarded from a unique static IP address for each region, so the receiving side can restrict inbound connections to the address of the region your tenant is deployed in.
The static IP address for each region:
- United States - 34.192.247.192
- Europe - 54.247.106.52
- Australia - 52.63.125.59
- Canada - 35.182.23.24
- India - 13.126.227.64
- United Arab Emirates - 3.29.198.97
- United Kingdom - 13.42.125.75
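A minimal receiver for the HTTP Collector transport (described under Configuring SIEM Integration) that enforces the source-IP table above, as an added example that is not Check Point's code. The IP table is the one from this page; the request body shapes it accepts (one JSON object, a JSON array, or newline-delimited JSON) and the listening port are assumptions, since the page does not specify the HTTP Collector payload.

```python
"""HTTP collector that accepts events only from the documented per-region
static IPs.  Added example; the allowlist is from the page, the body
handling and port are assumptions."""
import ipaddress
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

# Per-region forwarding IPs from the table above.  Trust only the region(s)
# your tenant is deployed in; all seven is the permissive default.
HARMONY_FORWARDER_IPS = {
    "United States": "34.192.247.192",
    "Europe": "54.247.106.52",
    "Australia": "52.63.125.59",
    "Canada": "35.182.23.24",
    "India": "13.126.227.64",
    "United Arab Emirates": "3.29.198.97",
    "United Kingdom": "13.42.125.75",
}


def build_allowlist(regions=None):
    """Set of trusted addresses; None means every region in the table."""
    names = HARMONY_FORWARDER_IPS if regions is None else regions
    return {ipaddress.ip_address(HARMONY_FORWARDER_IPS[r]) for r in names}


def is_allowed_source(peer_ip, allowlist):
    """Exact-match only: neighbouring addresses of a forwarder are not trusted."""
    try:
        return ipaddress.ip_address(peer_ip) in allowlist
    except ValueError:  # not an IP literal at all
        return False


def parse_events(body):
    """Assumed body shapes: one JSON object, a JSON array, or newline-delimited JSON.
    Returns a list of dicts; raises ValueError for anything else."""
    text = body.decode("utf-8")
    try:
        doc = json.loads(text)
        events = doc if isinstance(doc, list) else [doc]
    except json.JSONDecodeError:
        events = [json.loads(line) for line in text.splitlines() if line.strip()]
    if not all(isinstance(e, dict) for e in events):
        raise ValueError("event is not a JSON object")
    return events


class CollectorHandler(BaseHTTPRequestHandler):
    allowlist = build_allowlist()  # e.g. build_allowlist(["Europe"]) for an EU tenant

    def do_POST(self):
        # Use the direct peer address; trust X-Forwarded-For only behind a proxy you control.
        if not is_allowed_source(self.client_address[0], self.allowlist):
            self.send_error(403, "source IP is not a Harmony forwarder")
            return
        length = int(self.headers.get("Content-Length", 0))
        try:
            events = parse_events(self.rfile.read(length))
        except (ValueError, UnicodeDecodeError):
            self.send_error(400, "body is not JSON")
            return
        for event in events:
            print(json.dumps(event))  # hand off to your SIEM pipeline here
        self.send_response(200)
        self.end_headers()


if __name__ == "__main__":
    # Terminate TLS in front of this (reverse proxy) or wrap the socket with ssl;
    # plain HTTP on an assumed port is shown for brevity.
    HTTPServer(("0.0.0.0", 8080), CollectorHandler).serve_forever()
```

The allowlist is a complement to, not a substitute for, TLS on the collector URL: it stops other senders reaching the endpoint, but only HTTPS protects the events in transit.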
Configuring SIEM Integration
To configure SIEM integration from the Infinity Portal:
1. Click Security Settings > Security Engines.
2. Click Configure for SIEM Integration.
3. Select the required Transport method and enter the relevant details.
Supported Transport methods

Transport Method | Required Fields
---|---
Splunk HTTP Event Collector (HEC) | HTTP Event Collector Host / URI; HTTP Event Collector Token; (Optional) To use Indexer acknowledgment, select the checkbox and enter the Channel ID; (Optional) To use a Splunk Index, select the checkbox and enter the Splunk index name.
HTTP Collector | HTTP Collector URL (HTTP/HTTPS), for example https://myconnector.mycompany.com
AWS S3 | AWS IAM Role ARN; AWS S3 Bucket Name; AWS S3 Bucket Region; AWS S3 Bucket Directory Path; (Optional) To use an External ID, select the checkbox and enter the External ID.
AWS SQS | AWS SQS Queue URL
Azure Log Workspace | Azure Log Workspace ID; Azure Log Workspace Shared Key
TCP | TCP Host; TCP Port
Google Chronicle | Customer ID - Unique identifier (UUID) corresponding to your Chronicle instance; Account Region - Region where your Chronicle instance is created; Credentials JSON - Google Service Account credentials (Note - If the Credentials JSON is not available, contact Google support); Ingestion API - Google Chronicle Ingestion API type: Unified Data Model (UDM) event or Unstructured log.
4. Select the required log Format:
   - JSON (Splunk HEC/CIM compatible)
   - JSON (CIM compatible)
   - JSON
   - JSON Flat (dot notation)
   - JSON (Rapid7, <8k characters)
   - JSON (Google UDM Compatible)
   - Syslog (see Forwarding Logs in Syslog Format)
   - Google Chronicle Unstructured logs
5. (Optional) If you need to add custom fields to every event forwarded from Harmony Email & Collaboration to your SIEM platform:
   1. Select the Add custom field checkbox.
   2. Enter the required Custom field name.
   3. Enter the required Custom field value.
   Note - You can add up to five custom fields.
6. Click Save.

Note - After you configure the SIEM integration, Harmony Email & Collaboration starts sending logs. You must still configure your SIEM platform to receive the Harmony Email & Collaboration logs.
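To see what JSON Flat (dot notation) does to a nested event, and how to rebuild the nesting on the SIEM side, here is an added example (not Harmony code). The event is constructed with placeholder field names, not Harmony's schema, and the rules it applies (dots join object keys, array elements get a numeric index) are a generic dot-notation convention assumed here, not a specification taken from this page.

```python
"""Flatten a nested JSON event into dotted keys and reverse it.
Added example: constructed event, assumed dot-notation rules."""
import json

# Constructed sample event; field names are placeholders, not Harmony's schema.
EVENT = {
    "event_type": "Phishing",
    "entity": {
        "sender": "attacker@example.invalid",
        "recipients": ["a@example.com", "b@example.com"],
    },
    "verdict": {"score": 97, "engines": [{"name": "av", "hit": True}]},
}


def flatten(obj, prefix=""):
    """Recursively turn nested objects/arrays into one level of dotted keys.
    Leaves (scalars, None) keep their value; an empty object or array vanishes."""
    if isinstance(obj, dict):
        items = obj.items()
    elif isinstance(obj, list):
        items = ((str(i), v) for i, v in enumerate(obj))
    else:
        return {prefix: obj}
    flat = {}
    for key, value in items:
        flat.update(flatten(value, f"{prefix}.{key}" if prefix else key))
    return flat


def _listify(node):
    """Turn dicts whose keys are exactly "0".."n-1" back into lists (sparse ones stay dicts)."""
    if not isinstance(node, dict):
        return node
    node = {k: _listify(v) for k, v in node.items()}
    if node and set(node) == {str(i) for i in range(len(node))}:
        return [node[str(i)] for i in range(len(node))]
    return node


def unflatten(flat):
    """Inverse of flatten.  Keys that themselves contain a dot cannot be distinguished
    from nesting, so the round trip only holds for dot-free field names."""
    root = {}
    for dotted, value in flat.items():
        parts = dotted.split(".")
        node = root
        for part in parts[:-1]:
            node = node.setdefault(part, {})
        node[parts[-1]] = value
    return _listify(root)


if __name__ == "__main__":
    print(json.dumps(flatten(EVENT), indent=2))
    assert unflatten(flatten(EVENT)) == EVENT
```

A flat event is convenient for field extraction and for SIEMs that index top-level keys only; the original JSON formats keep the nesting, which matters when a field such as a recipient list must stay an array for correlation.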
Forwarding Logs in Syslog Format
- Syslog messages are RFC 5424 compliant.
- If you need to limit the syslog message size, select the Limit syslog message format checkbox and, under Limit syslog message length (bytes), enter the limit in bytes.
- If you need to add an authentication token to all syslog messages, enter the token under Token (optional).
- You can configure TLS when using the TCP transport. To define the certificate, contact Check Point Support.
- Supported certificate types:
  - CA certificate:
    - Harmony Email & Collaboration servers use the CA certificate to validate the remote server that receives the forwarded events.
    - Ensure the bundle includes all necessary components: Root CA, Intermediate Certificates, and Server Certificate, all in .pem format.
    - List the certificates in the following order: Server Certificate, Intermediate Certificates, Root CA.
    - The Common Name (CN) of the server certificate must match the domain or IP address specified in the SIEM configuration.
  - Client certificate:
    - Use the Client certificate when the remote server needs to validate the client (the Harmony Email & Collaboration forwarder) for TLS.
    - The certificate must be in .pem format and include two parts: the client certificate and the unencrypted private key.
    - Because the private key is handed over unencrypted, issue a dedicated client certificate for this integration rather than reusing one from another system.
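A receiver-side parser for the RFC 5424 messages described above, with the byte-limit and token checks a practitioner would want to verify. This is an added example, not Check Point code: the sample line is constructed, and the structured-data element harmony@0000 with its token parameter is a placeholder for where a token might be carried, not Harmony's documented layout.

```python
"""Parse RFC 5424 syslog as received over the TCP transport, check an
authentication token and apply a byte limit.  Added example; the sample
line, the SD-ID and the token parameter name are constructed placeholders."""
import hmac
import re

# HEADER = PRI VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID SP
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d{1,2}) (?P<timestamp>\S+) (?P<hostname>\S+) "
    r"(?P<appname>\S+) (?P<procid>\S+) (?P<msgid>\S+) "
)
# One SD-ELEMENT: [SD-ID PARAM="value" ...]; values escape " \ ] with a backslash
SD_ELEMENT_RE = re.compile(r'\[(?P<id>[^ \]]+)(?P<params>(?: [^ =\]"]+="(?:[^"\\]|\\.)*")*)\]')
SD_PARAM_RE = re.compile(r'(?P<name>[^ =\]"]+)="(?P<value>(?:[^"\\]|\\.)*)"')

SAMPLE = (  # constructed line, not real Harmony output
    '<134>1 2024-05-01T12:00:00.000Z harmony-email checkpoint - event '
    '[harmony@0000 token="s3cr3t" region="Europe"] '
    '{"type":"Phishing","severity":"high"}'
)


def parse_rfc5424(line):
    """Split one RFC 5424 message into header fields, structured data and MSG."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not an RFC 5424 header")
    pri, rest, structured = int(m.group("pri")), line[m.end():], {}
    if rest.startswith("-"):  # NILVALUE: no structured data
        rest = rest[1:]
    while rest.startswith("["):  # SD-ELEMENTs follow each other with no separator
        el = SD_ELEMENT_RE.match(rest)
        if not el:
            raise ValueError("malformed structured data")
        structured[el.group("id")] = {
            p.group("name"): re.sub(r'\\(["\\\]])', r"\1", p.group("value"))
            for p in SD_PARAM_RE.finditer(el.group("params"))
        }
        rest = rest[el.end():]
    return {
        "facility": pri // 8, "severity": pri % 8, "version": int(m.group("version")),
        "timestamp": m.group("timestamp"), "hostname": m.group("hostname"),
        "appname": m.group("appname"), "procid": m.group("procid"), "msgid": m.group("msgid"),
        "structured_data": structured, "msg": rest[1:] if rest.startswith(" ") else rest,
    }


def token_matches(parsed, expected, sd_id="harmony@0000", param="token"):
    """Constant-time comparison against the value entered under Token (optional).
    Where the token sits in the message is an assumption of this example."""
    found = parsed["structured_data"].get(sd_id, {}).get(param, "")
    return hmac.compare_digest(found.encode(), expected.encode())


def truncate_to_bytes(line, limit):
    """Cut to at most `limit` UTF-8 bytes without splitting a multi-byte character,
    which is what a receiver should expect when a byte limit is configured."""
    data = line.encode("utf-8")
    return line if len(data) <= limit else data[:limit].decode("utf-8", errors="ignore")


if __name__ == "__main__":
    parsed = parse_rfc5424(SAMPLE)
    print(parsed["structured_data"], parsed["msg"], token_matches(parsed, "s3cr3t"))
```

If the configured byte limit is smaller than a full event, the JSON in MSG arrives cut off; the parser above still returns the header and structured data, so a receiver can log the truncation rather than drop the record silently.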
Supported Security Events for SIEM
Harmony Email & Collaboration can send these security events to the integrated SIEM platforms:
- Phishing
- Suspected Phishing
- User Reported Phishing
- Malware
- Suspected Malware
- Malicious URL
- Malicious URL Click
- DLP
- Anomaly
- Shadow IT
- Spam
Forwarding Events to AWS S3
Configuring AWS S3 to Receive Harmony Email & Collaboration Logs
1. Go to AWS IAM: https://console.aws.amazon.com/iam/home#/home.
2. Create a new user.
   To create a new user:
   1. Click Users > Add user.
   2. Select a user name, enable Access Type as Programmatic access and click Next: Permissions.
   3. Click Create Group or select the group if already created.
   4. Click Create policy or select the policy if already created.
   5. On the new tab, click JSON and paste this policy, replacing YOUR_S3_BUCKET and THE_LOG_FOLDER_IF_ANY with your bucket name and log prefix. It grants listing on the bucket and read/write only under the log prefix:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::YOUR_S3_BUCKET"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:GetObjectAcl",
        "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:::YOUR_S3_BUCKET/THE_LOG_FOLDER_IF_ANY/*"
      ]
    }
  ]
}
```

   6. Click Review Policy, enter the required name for the policy and click Create policy.
   7. After the policy is created, go back to the previous tab and click Refresh.
   8. Select the policy you created, give the group a name and click Create group.
   9. Go back to the Add user screen, confirm that the group you created is selected and click Next: Tags.
   10. Add the necessary Tags (in accordance with your environment directives) and click Next: Review.
   11. Confirm all the configurations and click Create user.
       Note - Download the CSV file or copy the Access Key and Secret access key to a safe location. This information is not shown again.
   12. Click Close.
3. Click Roles > Create role.
4. Select Another AWS Account.
5. Enter the 12-digit ID of the AWS account that holds the user created in step 2 and click Next: Permissions.
   Note - To find the 12-digit account ID, open the user in another tab; the ID is part of the user's ARN.
6. Select the policy created and click Next: Tags.
7. Add the necessary Tags (in accordance with your environment directives), select a role name and click Create Role.
8. Search for the role you created and click its name.
9. Select Trust relationships and click Edit trust relationship.
10. Replace the trust policy with the following JSON and click Update Trust Policy. It allows only the Check Point log uploader to assume the role, and only when it presents the External ID checkpoint-s3-logs:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::731485868276:user/checkpoint-s3-log-uploader"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "checkpoint-s3-logs"
        }
      }
    }
  ]
}
```

    Note - The sts:ExternalId condition means the role can be assumed only with that External ID. If you enable the External ID option in the SIEM Integration configuration, enter the same value there.
11. Copy the Role ARN.
    Note - This Role ARN is used while configuring SIEM Integration in Harmony Email & Collaboration.
12. Log in to Harmony Email & Collaboration and complete the SIEM integration. For more details, see Configuring SIEM Integration.
    Note - After this integration, Harmony Email & Collaboration starts sending logs to the AWS S3 bucket. You must configure your SIEM platform to receive logs from the AWS S3 bucket.
Configuring AWS S3 to Send Harmony Email & Collaboration Logs to Splunk
1. Go to AWS IAM: https://console.aws.amazon.com/iam/home#/home.
   Note - Create a dedicated user, group, policy, and role for this integration so that access to your AWS S3 bucket is limited to what Splunk needs.
2. Create a new user.
   To create a new user:
   1. Click Users > Add User.
   2. Select a name, enable Programmatic access, and click Next: Permissions.
   3. Click Create group or select the group if already created.
   4. Click Create policy or select the policy if already created.
   5. On the new tab, click JSON and paste this policy:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetObject",
        "s3:ListAllMyBuckets",
        "s3:GetBucketLocation",
        "kms:Decrypt"
      ],
      "Resource": "*"
    }
  ]
}
```

      Note - As written, this policy grants read access to every bucket in the account. Only s3:ListAllMyBuckets needs Resource "*"; where your environment directives require least privilege, restrict s3:ListBucket, s3:GetObject and s3:GetBucketLocation to the log bucket (as in the policy in Configuring AWS S3 to Receive Harmony Email & Collaboration Logs) and kms:Decrypt to the bucket's key.
   6. Click Review Policy, enter a policy name and click Create Policy.
   7. Go back to the previous tab and click Refresh.
   8. Select the policy created, give the group a name and click Create group.
   9. Go back to the Add user screen, confirm that the group you just created is selected and click Next: Tags.
   10. Add the necessary Tags (in accordance with your environment directives) and click Next: Review.
   11. Confirm all the configurations and click Create user.
       Note - Download the CSV file or copy the Access Key and Secret access key to a safe location. This information is not shown again.
   12. Click Close.
3. Click Roles > Create Role.
4. Select Another AWS Account.
5. Enter your 12-digit AWS account ID and click Next: Permissions.
   Note - To find the 12-digit account ID, open the user in another tab; the ID is part of the user's ARN.
6. Select the policy created, and click Next: Tags.
7. Add the necessary Tags (in accordance with your environment directives) and click Next: Review.
8. Select a role name and click Create Role.
9. Search for the role you created and click its name.
10. Copy the Role ARN.
11. Open Splunk and install the Splunk Add-on for Amazon Web Services, if not already installed.
12. Open the Splunk Add-on for AWS.
13. Click Configuration > Account > Add, enter the Key ID and Secret Key generated when the user was created, and click Add.
14. Click IAM Role > Add and enter the Role ARN.
15. Click Inputs > Create New Input > Custom Data Type > Generic S3.
16. Enter a name for the Input, select the AWS Account and the Assume Role you configured above, select the S3 bucket to which Harmony Email & Collaboration uploads the logs, and set a start datetime (ideally a few minutes before you enabled Splunk on Harmony Email & Collaboration).
17. Under Advanced Settings, set the Polling Interval to 900 s (15 minutes), as Harmony Email & Collaboration uploads the logs every 15 minutes.
    Note - By default, Harmony Email & Collaboration uploads the logs before the 15-minute interval elapses if they reach 5 MB.
18. Click Save.
Splunk now reads the logs from the S3 bucket as Harmony Email & Collaboration uploads them.
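Before saving the IAM documents from the two procedures above, it helps to lint them: the role trust policy should name only the Check Point uploader and require the External ID, and the S3 read policy for Splunk should be scoped to the log bucket. The following linter is an added example (not Check Point or AWS tooling); the principal ARN and External ID are the values shown in the trust policy above, the bucket name YOUR_S3_BUCKET is the page's placeholder, and the three policy documents are reproduced from the page for testing.

```python
"""Lint the IAM documents used for the S3 integrations.  Added example;
the constants below are taken from the policies shown on this page."""
import json

CHECKPOINT_UPLOADER = "arn:aws:iam::731485868276:user/checkpoint-s3-log-uploader"
# Account-level IAM actions that legitimately need Resource "*".
ACCOUNT_LEVEL_ACTIONS = {"s3:ListAllMyBuckets"}

TRUST_POLICY = json.loads('''{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Principal": {"AWS": "arn:aws:iam::731485868276:user/checkpoint-s3-log-uploader"},
  "Action": "sts:AssumeRole",
  "Condition": {"StringEquals": {"sts:ExternalId": "checkpoint-s3-logs"}}}]}''')

UPLOADER_POLICY = json.loads('''{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": ["arn:aws:s3:::YOUR_S3_BUCKET"]},
  {"Effect": "Allow", "Action": ["s3:GetObject", "s3:GetObjectAcl", "s3:PutObject"],
   "Resource": ["arn:aws:s3:::YOUR_S3_BUCKET/THE_LOG_FOLDER_IF_ANY/*"]}]}''')

SPLUNK_READER_POLICY = json.loads('''{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetObject", "s3:ListAllMyBuckets",
   "s3:GetBucketLocation", "kms:Decrypt"], "Resource": "*"}]}''')


def _as_list(value):
    return value if isinstance(value, list) else [value]


def lint_trust_policy(doc, expected_external_id="checkpoint-s3-logs"):
    """Findings for a role trust policy; empty means it matches the documented form."""
    findings = []
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        principal = stmt.get("Principal", {})
        principals = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        for p in principals:
            if p == "*" or p.endswith(":root"):
                findings.append(f"principal too broad: {p}")
            elif p != CHECKPOINT_UPLOADER:
                findings.append(f"unexpected principal: {p}")
        ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext is None:
            findings.append("missing sts:ExternalId condition (confused-deputy protection)")
        elif ext != expected_external_id:
            findings.append(f"sts:ExternalId {ext!r} differs from the value configured in Harmony")
    return findings


def lint_s3_policy(doc, bucket):
    """Flag Allow statements whose S3 or KMS grants reach beyond the log bucket."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    findings = []
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action in ACCOUNT_LEVEL_ACTIONS:
                continue
            for res in _as_list(stmt.get("Resource", [])):
                in_bucket = res == bucket_arn or res.startswith(bucket_arn + "/")
                if res == "*" or (action.startswith("s3:") and not in_bucket):
                    findings.append(f"{action} on {res!r}: scope it to {bucket_arn} "
                                    "(or, for kms:*, to the bucket's key ARN)")
    return findings


def lint_all(bucket="YOUR_S3_BUCKET"):
    return {
        "trust": lint_trust_policy(TRUST_POLICY),
        "uploader": lint_s3_policy(UPLOADER_POLICY, bucket),
        "splunk_reader": lint_s3_policy(SPLUNK_READER_POLICY, bucket),
    }


if __name__ == "__main__":
    for name, findings in lint_all().items():
        print(name, "OK" if not findings else "\n  " + "\n  ".join(findings))
```

Run it with your real bucket name in place of YOUR_S3_BUCKET; the trust policy and the uploader policy pass as documented, while the Splunk reader policy reports every action it grants on all buckets, which is the list to narrow if your environment requires least privilege.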
Recommended Configuration for known SIEM Platforms
Harmony Email & Collaboration can integrate with a large number of SIEM platforms.
Note - If you need help in configuring your SIEM platform to integrate with Harmony Email & Collaboration, contact Check Point Support.
These are the recommended configurations for some SIEM platforms.

SIEM Platform | Transport Method | Log Format
---|---|---
Splunk | Splunk HTTP Event Collector (HEC) | JSON (Splunk HEC/CIM compatible)
Rapid7 | AWS SQS | JSON (Rapid7, <8k characters)
Sumo Logic | HTTP Collector | JSON
Azure Log Workspace | Azure Log Workspace | JSON
LogRhythm | AWS S3. For the fields required for AWS S3, see Supported Transport methods. If a new S3 bucket is needed, follow the instructions in Configuring AWS S3 to Receive Harmony Email & Collaboration Logs. | JSON
McAfee SIEM | AWS S3. For the fields required for AWS S3, see Supported Transport methods. If a new S3 bucket is needed, follow the instructions in Configuring AWS S3 to Receive Harmony Email & Collaboration Logs. To receive the logs from the S3 bucket in McAfee SIEM, refer to Configuration of Amazon S3 upload feature and the McAfee documentation. | JSON
Other | Harmony Email & Collaboration can integrate with any SIEM platform. If you need help in configuring your SIEM platform, contact Check Point Support. |
Configuring Integration with Cortex XSOAR by Palo Alto Networks
Harmony Email & Collaboration can integrate with Cortex XSOAR to automatically trigger playbooks based on detected security events and other criteria.
For more information about the integration, see the Cortex XSOAR documentation.