Jump to main content
Revision History
This topic lists the revision history entries, including additions and updates made over time.
Introduction to Playblocks
This topic introduces the automated response capabilities of PlayBlocks and its integration with collaborative tools. It provides an overview of how PlayBlocks helps protect organizations from cyber attacks.
Benefits
This topic describes key benefits that improve automation, operational integration, and administrative actions for incident handling. It highlights efficiencies and streamlined communication across collaborative platforms.
Use Case
This topic describes a scenario where automated incident response is needed across multiple security products. It outlines desired preventive actions and communication flows.
Supported Products
This topic lists the products that can be used with PlayBlocks and their supported environments. It includes both on-premises and cloud-based product options.
How it Works
This topic describes how the automation process operates from detection through execution and administrator review. It outlines each step performed by the system and the administrator.
Getting Started
This topic describes the initial steps required to begin working with PlayBlocks. It provides links to create an account, access the portal, license the product, and onboard services.
Creating an Account in the Check Point Portal
This topic provides an overview of the Check Point Portal and points to additional documentation for creating an account.
Accessing the Playblocks Administrator Portal
This task explains how to access the Playblocks Administrator Portal through the Check Point Portal. Follow the steps to sign in and open the Playblocks interface.
Licensing the Product
This topic explains how to obtain, purchase, and view license information for the product. It also describes where to manage contract details in the Check Point Portal.
On-boarding Products
This topic lists products and describes their respective on‑boarding processes. It summarizes how different product types are added or enabled.
On-boarding the On-premises Check Point Security Management Server
This topic describes how to onboard an on‑premises system to PlayBlocks. It provides step-by-step instructions to complete the onboarding workflow.
How to create a workflow to send Microsoft Teams notifications for actions taken by Playblocks
This topic provides a video tutorial showing how to create a workflow that sends Microsoft Teams notifications for actions taken by Playblocks. It summarizes the configuration process and connector setup.
How to configure ServiceNow Ticketing connector
This topic explains how to configure the ServiceNow Ticketing connector in Playblocks. It provides the required steps and prerequisites for creating and preparing a ServiceNow account.
How to configure Jira Ticketing Connector
This topic describes how to configure the Jira Ticketing Connector in Playblocks. It provides the required steps to prepare Jira and enter configuration details.
Overview
This topic describes the Overview page, which displays key information and statistics about Playblocks. It explains how to access the Overview page and view its data.
Automations
This topic describes the Automations page and its interface elements. It provides details about automation categories, views, filtering options, and automation card components.
Automation Parameters and Flowchart
This topic describes the Automation Parameters and Flowchart page and outlines the items displayed in the interface. It also provides steps to access the automation details.
Predefined Automations
This topic lists predefined automations available in the system. It provides links to automation actions triggered by various security detections and events.
Block attackers upon IPS detection of popular attacks
This topic describes automation that blocks attackers based on IPS-detected popular attacks and outlines supported products, parameters, triggers, and flow details.
Block common scanner identified by IPS
This topic describes automation that blocks scanners detected by the IPS blade with high confidence and outlines its parameters, trigger, and flow.
Block attacking IP with malicious reputation identified by IPS
This topic describes the automation that blocks attackers flagged as malicious by IP reputation services and triggered by IPS-detected attacks. It also lists supported products, parameters, triggers, and workflow details.
Block attacking IP with malicious reputation identified by WAF Application Security
This topic describes the automation that blocks attacking IP addresses identified with malicious reputation and outlines supported products, parameters, trigger details, and flow.
Quarantine compromised Endpoint Security device (enforced by Firewall)
This topic describes settings and behavior for quarantining compromised Endpoint Security devices enforced by a Check Point Firewall. It includes supported products, parameters, trigger details, and flow information.
Quarantine potentially infected Endpoint Security device (enforced by Firewall)
This topic describes quarantining potentially infected Endpoint Security devices and provides details about supported products, parameters, triggers, and the automation flow. It explains configuration options and associated behaviors.
Notify on Firewall Traffic Blocked by Check Point SASE
This topic describes an automation that sends a notification when firewall traffic is blocked by Check Point SASE. It outlines supported product details, parameters, triggers, and flow.
Notify on URL filtering blocked by Check Point SASE
This topic describes an automation that sends notifications when standard risk URL filtering events are blocked by Check Point SASE and explains its parameters and trigger conditions.
Notify on URL Reputation Identification by Check Point SASE
This topic describes the automation that sends notifications when a URL reputation is detected by Check Point SASE and outlines its parameters, trigger conditions, and workflow.
Notify on Tunnel Up by SASE
This topic describes an automation that notifies when a SASE tunnel is detected as up. It explains supported products, parameters, trigger conditions, and flow.
Notify on Tunnel Down by Check Point SASE
This topic describes the automation that sends notifications when a Check Point SASE tunnel is detected as down and outlines its parameters, trigger, and flow.
Notify on Malicious File Detection by Check Point SASE
This topic describes an automation that sends notifications when a malicious file is detected by Check Point SASE Threat Prevention. It includes supported product details, configurable parameters, trigger conditions, and the automation flow.
Block malicious file indicator identified by Threat Extraction Endpoint Security
This topic describes an automation that adds a malicious file indicator identified by Threat Extraction Endpoint Security to an IOC feed to enhance threat intelligence and response.
Block malicious file indicator identified by Threat Emulation Endpoint Security
This topic describes the automation that adds a malicious file indicator identified by Threat Emulation Endpoint Security to an IOC feed for enhanced threat intelligence and response.
Block malicious file indicator identified by Anti-Bot Endpoint Security
This topic describes an automation that adds malicious file indicators identified by Anti-Bot Endpoint Security to an IOC feed to enhance threat intelligence and security response. It outlines supported products, parameters, trigger conditions, and flow.
Block malicious URL indicator identified by Anti-Bot Endpoint Security
This topic describes an automation that blocks malicious URL indicators identified by Anti-Bot Endpoint Security by adding them to an IOC feed to enhance threat intelligence and response.
Block malicious IOC identified by SASE
This topic describes an automation that adds a malicious URL identified by SASE as an indicator to an IOC feed. It updates threat intelligence to enhance security response.
Block malicious indicator identified by Anti-Bot
This topic describes an automation that adds a malicious URL identified by Anti-Bot to an IOC feed to enhance threat intelligence and security response.
Block malicious indicator identified by Anti-Virus
This topic describes how the automation blocks a malicious URL identified by Anti-Virus by adding it as an indicator to an IOC feed. It summarizes supported products, parameters, trigger conditions, and the automation flow.
Block malicious indicator identified by Zero Phishing Endpoint Security
This topic describes the automation that adds a malicious URL identified by Zero Phishing Endpoint Security to an IOC feed. It updates threat intelligence and enhances the security response.
Block malicious indicator identified by Email Security
This topic describes an automation that adds a malicious URL identified by the Email Security blade as an indicator to an IOC feed. It helps update threat intelligence and enhance security response.
Block malicious indicator identified by Zero Phishing
This topic describes an automation that blocks a malicious URL identified by Zero Phishing by adding it as an indicator. It updates threat intelligence to enhance security response.
Isolate compromised Endpoint Security device (enforced by Endpoint)
This topic describes the automation that isolates compromised Endpoint Security devices and details its supported product, parameters, trigger, and workflow.
Isolate potentially Infected Endpoint Security device (enforced by Endpoint)
This topic describes the automation that isolates potentially infected Endpoint Security devices and lists its parameters, trigger conditions, and flow. It explains how the automation helps prevent threats from spreading inside an organization.
Isolate potentially infected SentinelOne device (enforced by Endpoint)
This topic describes automation settings for isolating SentinelOne devices with high‑severity infections and details supported products, parameters, trigger conditions, and flow.
Isolate potentially infected CrowdStrike device (enforced by Endpoint)
This topic describes how the automation isolates CrowdStrike devices with high severity infections and lists its parameters, triggers, and operational flow.
Quarantine potentially infected SentinelOne device (enforced by Firewall)
This topic describes quarantining SentinelOne devices with high-severity infections and lists supported products, parameters, triggers, and flow. It explains how automation settings control quarantine behavior.
AI Agent - Management health report
This topic describes the AI-based automation that analyzes CPM Doctor reports and outlines supported products, parameters, triggers, and flow. It provides details for configuring ticketing options and scheduling.
Isolate potentially infected Microsoft Defender device (enforced by Endpoint)
This topic describes the automation that isolates potentially infected Microsoft Defender devices and outlines supported products, parameters, trigger conditions, and flow information.
Quarantine potentially infected Microsoft Defender device (enforced by Firewall)
This topic describes how to quarantine potentially infected Microsoft Defender devices when enforcement is applied by the firewall. It includes supported products, parameters, trigger details, and automation flow.
Credentials leakage detected by External Risk Management triggering reset password
This topic describes the automation that resets passwords when credentials leakage is detected by External Risk Management. It also lists supported products, parameters, trigger conditions, and the flow diagram.
Check Point Firewall Cloud Log Ingestion Health Monitor
Describes the health monitor that evaluates cloud log ingestion status for Check Point Firewall Management Servers and notifies administrators about failures or successful ingestion events. Includes supported products, parameters, triggers, and the process flow.
Repeated Remote Access login failures using password-only
This topic describes automation behavior for repeated Remote Access login failures using password-only authentication and the configurable parameters that control it.
Repeated Remote Access login to expired accounts
This topic describes notifications and blocking behavior for repeated Remote Access login attempts to expired accounts. It also lists supported products, parameters, trigger conditions, and the automation flow.
Remote Access user login using password-only Authentication
This topic describes automation notifications triggered by Remote Access user logins that use password-only authentication. It outlines supported products, parameters, and the event flow.
Block DDoS attack detected by DDoS Protector
This topic describes the automated blocking of attackers detected by DDoS Protector and outlines supported products, parameters, trigger conditions, and flow information. It includes details about configuration options and automation behavior.
Quarantine potentially infected CrowdStrike device (enforced by Firewall)
This topic describes automation behavior that quarantines devices identified by CrowdStrike as potentially infected. It also details supported products, parameters, trigger conditions, and the process flow.
De-isolate potentially clean Microsoft Defender machine
This topic describes the automation that removes isolation from a potentially clean Microsoft Defender machine upon administrator approval. It outlines supported products, parameters, trigger conditions, and flow details.
Notify on Failed GAIA Portal Login
This topic describes an automation that notifies when an administrator login to the GAIA Portal fails. It includes supported products, trigger conditions, and a flow diagram.
Notify on Expert Shell Login
This topic describes the notification generated when an Expert Shell login occurs on Gaia or Embedded devices and lists supported product versions, parameters, triggers, and flow.
Notify on Run Script execution
This topic describes the notification generated when scripts are executed on a Gaia device. It outlines the included notification details and related flow information.
Notify on failure of Policy Installation on Check Point Firewall
This topic describes notification behavior when a policy installation on Check Point Firewall fails. It outlines supported products, trigger conditions, and the automation flow.
Notify on degradation in Check Point Firewall Compliance status
This topic describes automated notifications triggered by degradation in Check Point Firewall Compliance status and configurable parameters for reporting and ticket creation.
Notify on successful Policy Installation on Check Point Firewall
This topic describes automated notifications triggered upon successful policy installation on Check Point Firewall. It outlines supported products, trigger conditions, and flow information.
Notify on changes in administrators
This topic describes an automation that notifies about changes in administrators and their permissions in the management server. It explains supported products, parameters, trigger conditions, and the automation flow.
Alert on MTA email bypass
This topic describes alerts generated when MTA email bypass is detected and the parameter controlling repeated notifications. It also provides product support information, trigger details, and flow visualization.
Notify on Management validations
This topic describes notifications for validation errors or warnings on Management and outlines parameters, triggers, and flow.
Notify on Management High Availability Change-over
This topic describes automated notifications triggered by a change-over event in the management high availability environment. It outlines supported products, parameters, trigger conditions, and the automation flow.
Notify on repeated login failures to Management
This topic describes the automated notification for repeated login failures to Management and the parameters that control its behavior.
Notify on high rate of blocked connections
This topic describes how the automation notifies when a high number of blocked connections occur from the same origin machine. It also lists the parameters and trigger conditions for this notification.
Notify on failure of installation blade updates on Check Point Firewalls
This topic describes notifications generated when blade update installations fail on Check Point Firewalls. It includes supported products, parameters, trigger conditions, and the automation flow.
Notify on successful installation of blade updates on Check Point Firewalls
This topic describes automation that notifies on successful installation of blade updates on Check Point Firewalls and provides details about related parameters and triggers. It also includes product support information and a flow diagram.
Alert on licenses expiration on Check Point Firewall device
This topic describes automation behavior for notifying and opening tickets when licenses on Check Point Firewall devices are about to expire. It also lists the supported product, parameters, trigger, and flow of the automation.
Alert on VPN certificates expiration on Check Point Firewall
This topic describes how automation alerts when VPN certificates expire on Check Point Firewalls and outlines the configurable parameters for expiration monitoring.
Alert if VPN Tunnel is down
This topic describes an automation that sends an alert when a permanent VPN tunnel goes down. It explains supported products, configuration parameters, trigger conditions, and flow behavior.
Alert if no communication with Check Point Firewall
This topic describes the alert generated when Check Point Firewall Management cannot communicate with one or more Check Point Firewalls. It lists supported products, parameters, trigger conditions, and the automation flow.
Notify on non-compliant devices blocked by Identity and Trust
This topic describes an automation that sends notifications when non-compliant devices are blocked by the identity and trust system. It outlines supported products, triggers, and the flow.
Block external IP
This topic describes the automation that blocks incoming access from external IP addresses and details supported products, parameters, triggers, and flow information.
Isolate endpoint device
This topic describes isolating an endpoint device through automated actions. It includes supported products, parameters, trigger details, and a flow diagram.
Quarantine internal IP
This topic describes how internal devices are quarantined by blocking their outgoing access across the organization. It explains the automation behavior applied on the security gateway.
Supported Product
This topic lists the supported product details. It includes product keywords referencing Check Point Quantum family components.
Parameters
This topic describes parameters related to IP blocking, notifications, and quarantine handling. It outlines configuration options for setting durations, messages, profiles, and automated actions.
Trigger
Describes the trigger condition involving matching a quarantine IP and how to view an example log entry.
Flow
This topic provides a visual representation of the flow using the provided diagram. It illustrates the process as depicted in the referenced image.
Enforce Policy on newly discovered IoT Zone
This topic describes the automation that enforces best practice policy on a newly discovered IoT zone. It outlines supported products, trigger conditions, and the automation flow.
Device is at risk IoT
This topic describes notifications generated when an IoT device is at risk and the available administrative actions. It also outlines supported products, parameters, triggers, and flow information.
Notify on Endpoint Security client uninstall password change
This topic describes automation that notifies when the Endpoint Security client uninstall password changes. It includes supported product details, parameters, trigger conditions, and flow information.
Notify on bulk uninstallation of Endpoint Security clients
This topic describes automation that notifies when multiple Endpoint Security clients are uninstalled within a defined time period. It also outlines supported products, parameters, trigger conditions, and flow information.
Notify on repeated login failures to user Windows device
This topic describes an automation that alerts on repeated login failures to a user’s Windows device. It provides information about failure counting and details included in the notification.
Supported Product
This topic describes the supported product referenced in the content. It provides a brief indication of the applicable product environment.
Parameters
This topic describes configurable parameters for handling repeated failed login attempts. It includes options for thresholds, time duration, and user-based counting.
Trigger
This topic describes the trigger conditions related to repeated failed login attempts. It also directs users to an example log entry.
Flow
This topic shows a flow diagram related to repeated login failure notifications for a Windows device. It provides a visual overview of the process.
Reset User Password in Identity Provider
This topic describes how the automation resets a user password in the identity provider linked to the account. It outlines supported products, parameters, triggers, and the automation flow.
Delete file on Endpoint Security device
This topic describes the automation that deletes a file on a Endpoint Security device and outlines its parameters, triggers, and workflow.
Terminate process on Endpoint Security device
This topic describes the automation that terminates a process on a Endpoint Security device.
Parameters
This topic describes parameters available for configuring automation behavior. It provides details for each option and its intended use.
Trigger
This topic describes the inputs required for triggering a terminate process action and presents the flow of the operation. It outlines supported target types and the overall process.
Scan Endpoint Security Device
This topic describes scanning a Endpoint Security device for malware. It provides information about supported product, parameters, trigger, and flow.
Parameters
This topic describes the parameters available for configuring a scan. It provides explanations for each option you can set.
Trigger
This topic describes the trigger input and the supported target types. It also provides a link to view an example log.
Flow
IOC Management - New indicator
This topic describes the settings and parameters used to add a new indicator to an IOC feed. It also outlines the trigger behavior and provides a flow diagram.
IOC Management - Delete indicator
This topic describes how an automation deletes an existing indicator from an IOC feed and lists parameters, triggers, and flow information.
Stop and quarantine file via Microsoft Defender
This topic describes how the automation stops and quarantines a file on a Microsoft Defender machine and outlines the required parameters, trigger details, and flow.
Scan machine via Microsoft Defender
This topic describes how the automation scans a machine using Microsoft Defender and details supported products, parameters, triggers, and flow.
Isolate machine via Microsoft Defender (by XDR)
This topic describes the automation used to isolate a machine protected by Microsoft Defender. It outlines supported products, parameters, trigger conditions, and the automation flow.
Release machine from isolation via Microsoft Defender (by XDR)
This topic describes an automation that releases a Microsoft Defender protected machine from isolation when triggered by XDR. It explains supported products, parameters, trigger behavior, and the automation flow.
Stop and quarantine file via Microsoft Defender (by XDR)
This topic describes an automation that stops and quarantines a file on a machine protected by Microsoft Defender using XDR. It outlines supported products, parameters, trigger, and automation flow.
Handle SD-WAN Link Swap ISP Down
This topic describes the automation behavior when an SD-WAN link swap occurs due to an ISP outage and a critical ticket is generated for follow-up. It also summarizes supported products, parameters, trigger conditions, and workflow.
Open ticket
This topic describes how an automation creates a ticket in an enabled ticketing system based on a provided subject and description. It also lists supported products, parameters, trigger information, and flow details.
Close ticket
This topic describes the automation process that closes a ticket using a ticket number, close state, and close description. It also outlines supported products, parameters, triggers, and the automation flow.
Get ticket
This topic describes how the automation retrieves a ticket number and returns all available information about the ticket. It also lists supported products, parameters, triggers, and shows the process flow.
Open ticket and notify
This topic describes how the automation opens a ticket and sends notifications when an event occurs. It also lists the configurable parameters and trigger behavior.
Spark Management event
This topic describes the automation used by Spark Management to handle detected events and shows the associated flow.
Alert on ransomware attack detected by Endpoint Security
This topic describes an automation that alerts when a ransomware attack is detected and outlines supported products, parameters, triggers, and workflow.
Alert on Generative AI Risky Session
This topic describes notifications generated when a Generative AI risky session is detected and outlines the parameters, trigger conditions, and flow.
Alert on a phishing attempt detected by Endpoint Security
This topic describes the alert generated when a phishing attempt is detected by Endpoint Security and lists its configurable parameters and trigger details.
Alert on malicious file detected by Endpoint Security
This topic describes the alert generated when a malicious file is detected by Endpoint Security and outlines its parameters, trigger, and flow. It provides information for configuring thresholds and notification settings.
Alert on access to malicious site detected by Endpoint Security
This topic describes the alert triggered when access to a malicious site is detected by Endpoint Security and outlines the available automation parameters. It also provides information about the trigger and flow of the automation.
Alert on password reuse attempt detected by Endpoint Security
This topic describes the alert triggered when a password reuse attempt is detected and explains the parameters and flow of the automation. It includes supported product information, trigger conditions, and configuration options.
Alert on exploit attempt detected by Endpoint Security
This topic describes alert behavior when an exploit attempt is detected and details the parameters, trigger conditions, and flow for the automation. It provides configuration information for thresholds, severity, and notification settings.
Alert on the outdated Endpoint Security Static Analysis capability
This topic describes the alert generated when the Endpoint Security Static Analysis capability becomes outdated. It outlines the trigger, supported product, and flow of this automation.
Alert on the outdated Endpoint Security Offline Reputation capability
This topic describes an automation that notifies when the Endpoint Security Offline Reputation capability is outdated. It provides information about the supported product, trigger conditions, and flow.
Alert on outdated Endpoint Security Behavioral Guard capability
This topic describes an automation alert that notifies when the Endpoint Security Behavioral Guard capability becomes outdated. It provides information about the trigger and flow of the alert.
Alert on disconnected Endpoint Security clients
This topic describes the automation that notifies when a Endpoint Security client becomes disconnected. It outlines the supported product, parameters, trigger, and flow.
Alert on Endpoint Security Compliance warnings
This topic describes how the automation notifies users when Endpoint Security compliance warnings are triggered. It also provides information about supported products, parameters, triggers, and flow.
Alert on device restrictions by Endpoint Security
This topic describes notifications generated when device restrictions are initiated by the Endpoint Security compliance capability. It outlines supported products, parameters, triggers, and the process flow.
Alert on outdated Endpoint Security Anti-Malware
This topic describes the alert generated when the Endpoint Security Anti-Malware capability is outdated. It also lists supported products, parameters, triggers, and flow information.
Alert if the device is not scanned by the Endpoint Security Anti-Malware capability
This topic describes an automation that alerts when a device has not been fully scanned by the Endpoint Security Anti-Malware capability. It outlines supported products, trigger conditions, and the flow of the automation.
Alert on Endpoint Security Anti-Malware license expiration
This topic describes the alert generated when the Endpoint Security Anti-Malware license expires and outlines its trigger and flow.
Alert on Endpoint Security deployment failure
This topic describes the alert generated when a Endpoint Security Client deployment fails. It also outlines the supported product, trigger conditions, and flow overview.
Alert if Endpoint Security client capabilities stop running
This topic explains the alert that notifies when one or more Endpoint Security client capabilities stop running or fail to report their status.
Add malicious file indicator Identified by CrowdStrike to IOC feed
This topic describes an automation that adds SHA256 hashes of malicious files identified by CrowdStrike to an IOC feed. It helps enhance threat intelligence and security response.
Add malicious file indicator Identified by SentinelOne to IOC feed
This topic describes an automation that adds SHA1 hashes of malicious files flagged by SentinelOne to an IOC feed. It updates threat intelligence and can help prevent malicious files from running on devices.
Add malicious file indicator Identified by Microsoft Defender to IOC feed
This topic describes an automation that adds SHA1 hashes of malicious files detected by Microsoft Defender into an IOC feed. It also adds the source URL to enhance threat intelligence and security response.
Notify on Events & AIOps alert
This topic describes the automation that notifies when Events & AIOps alerts are detected. It outlines the trigger and shows the flow of the notification process.
Configuring the Automation Parameters
This topic describes how to configure automation parameters in Playblocks and how to reset them to default values.
Running the Automation
This topic describes how to manually run an automation for evaluation and verification purposes. It provides step-by-step instructions for accessing, configuring, and executing an automation.
Enabling the Automation
This topic describes how to enable an automation in Playblocks. Automations are enabled by default but can be manually activated.
Approving, Rejecting or Reverting an Automation Execution
This task explains how to approve, reject, or revert an automation execution through communication channels or the Pending Actions page.
Customization in Playblocks
Playblocks provides flexible customization options to tailor automations according to your organization's needs.
Creating Automation from Blank
Creating an automation from blank allows you to build fully customized flows from scratch and tailor every step to your specific use case.
Log Trigger
Configure a Log Trigger to monitor logs, define conditions, and create example outputs for automation workflows.
Schedule Trigger
Configure a schedule trigger to run automation at recurring intervals. The task explains how to select the repetition frequency and create the trigger.
Managing Trigger
Learn how to manage a trigger by adding notifications, enrichments, conditions, or actions.
Notifications
Configure notification actions including Notify, Ask, and Open Ticket options. This task explains how to create and customize notification messages and ticket actions.
Alert Steps
Alert steps let an automation drive an incident through its full on-call lifecycle in PagerDuty and other alerting platforms behind the same vendor-neutral steps.
Trigger Alert
The Trigger Alert step opens a new incident in PagerDuty. If an open incident with the same Alert ID already exists, PagerDuty returns the existing incident and does not create a duplicate.
Get Alert
The Get Alert step reads the current state of an existing incident in PagerDuty.
Acknowledge Alert
The Acknowledge Alert step pauses escalation on an open incident in PagerDuty.
Add Note to Alert
The Add Note to Alert step posts a free-text note to an existing incident in PagerDuty.
Resolve Alert
The Resolve Alert step closes an incident in PagerDuty.
Enrichments
Use enrichment steps to query the Reputation Service for IP addresses, URLs, or file hashes from previous step outputs. The enrichments provide threat intelligence data about the selected value.
Conditions
Use conditions to create branches in the automation flow based on logical evaluations. This task explains how to configure condition expressions and operations.
Actions
Action steps perform operational tasks such as running automations, managing indicators, and sending external API requests.
Run Automation
Run an automation action and configure automation parameters and inputs for supported automation types.
Add to List
Use the Add to List procedure to add IPs, URLs, domains, or hashes to a list with optional conditions and duration settings.
Create IoC Management Indicators
Create IoC Management indicators by specifying indicator values and expiration settings in the Create IoC Management Indicators window.
API Request
Configure an API Request action in an automation and define the example output structure for API responses.
AI Request
Use the AI Request step to send a prompt to a connected AI provider and use the model's response in subsequent steps.
Isolate Endpoint Device
Configure and create an isolation action for an endpoint device. Specify the endpoint product, device details, isolation duration, and reason for isolation.
Scan Endpoint Security Device
Scan an Endpoint Security device by configuring target identification, scan options, and scheduling parameters.
Terminate Process on Endpoint Security Device
Terminate a process on an Endpoint Security device by configuring target details and action settings.
Delete File on Endpoint Security Device
Delete a file on an Endpoint Security device by configuring the target device and file path settings. This task explains how to create the delete file action.
Exporting/Importing Automation
You can export and import an automation in JSON format. This task explains how to export an automation and import an automation file.
Cloning Existing Automation
You can clone an existing automation for editing and customization. This task explains how to clone an automation from the card view and table view.
Automation Capabilities
This topic describes the different automation capability types, their use cases, abilities, and editing restrictions.
Replace Trigger
Replace Trigger allows you to change the current trigger type in your automation to a different one. This topic explains how to replace a trigger, configure the new trigger, and resolve validation errors.
Adding a Step to the Middle of an Automation
You can add new steps between existing steps in an automation to extend the flow without creating a new automation. When you add a Condition or Ask step, you must specify how the automation continues to the next step.
Webhooks
This topic describes how webhooks enable third-party systems to trigger automations. It outlines common uses for out-of-the-box, custom, and cloned automations.
Triggering an Out-of-the-Box Automation Using Webhooks
This task explains how to trigger an automation using a webhook. It outlines the required steps to configure and create a webhook.
Triggering a Custom Automation Using Webhooks
This task describes how to trigger a custom automation using a webhook and configure its parameters. It guides users through adding a webhook trigger and defining the example output.
Triggering a Cloned Automation Using Webhooks
This task describes how to trigger a cloned automation using a webhook. It guides you through replacing the trigger and configuring webhook parameters.
Creating a Webhook
This topic describes how to create a webhook, configure its URL and expiration date, and optionally apply authentication. It also provides guidance on managing exposed or expired webhook URLs.
Webhook Parameters - Mapping Webhook Payload Fields
This topic explains how to map incoming webhook payload fields to the expected structure using Webhook Parameters. It describes scenarios where field names or formats differ from the Example Output.
Using a Webhook
This topic describes how to use a webhook after it has been created. It provides step-by-step instructions for configuration and usage.
Creating an Authentication
This task describes how to create a new authentication. It guides users through selecting authentication types and configuring related options.
Supported Authentication Methods
This topic lists supported authentication methods for webhook triggers and API requests. It describes available basic, custom, and token-based authentication options.
Monitor
This topic describes the Monitor page, which displays statistics and visual widgets showing automation activity and prevention data. It summarizes the available monitoring views and their functions.
Executions
This topic describes the Executions page and how to access it. It provides an overview of the information shown for executed automations.
Pending Actions
This topic describes the Pending Actions page, which lists automation executions awaiting approval. It also explains how to access this page in Playblocks.
Approving, Rejecting or Reverting an Automation Execution
This topic describes how to approve, reject, or revert an automation execution. It provides the steps required to manage pending automation actions.
Lists
This topic describes the Lists page, which shows various types of destinations, sources, devices, and identities managed by the system. It explains the purpose of each list category.
Configuring Lists Manually
This task describes how to manually configure lists in Playblocks. It guides users through selecting list types, adding items, and managing entries.
Connectors
This topic describes connectors used in Playblocks and explains how they support automatic incident response and collaboration. It also shows how to access the Connectors page and identifies automatically connected products.
Check Point Firewall Logs
This topic describes the Check Point Firewall Logs interface and the information it displays about connected management servers and firewalls.
Check Point Firewall Enforcement
This topic describes Check Point Firewall Enforcement and the related supported configurations and objects it adds to the management system. It also outlines prerequisites for on-premises onboarding.
Identity and Trust Enforcement
This topic describes Identity and Trust Enforcement, its related network objects, and the procedures to enable and configure Check Point Firewall Enforcement. It provides step-by-step instructions for managing enforcement and automation settings.
Check Point Firewalls and management Configuration Options
This topic describes configuration options for Check Point Firewall Managements and firewall capabilities. It outlines how management connections and configuration sharing affect enforcement behavior.
Email
This topic describes how to configure an email connector for sending notifications. It guides you through defining groups, addresses, and default settings.
SMS
This topic explains how to configure an SMS connector to send incident notifications. It provides steps for adding groups, entering phone numbers, and managing defaults.
Jira Ticketing
This topic describes how to configure a Jira Ticketing connector in Playblocks. It provides step-by-step instructions for setting up access and ticket type parameters.
Slack
This topic describes how to configure a Slack connector to receive incident details and responsive actions. It guides you through adding and managing Slack channels.
Microsoft Teams
This topic describes how to configure a Microsoft Teams connector to receive notifications. It provides step-by-step instructions for adding and managing Teams channels.
ServiceNow Ticketing
This topic describes how you can receive incident details and responsive actions through ServiceNow Ticketing. It also provides prerequisite information for configuring the ServiceNow Ticketing connector.
Configure a ServiceNow Ticketing connector
This task describes how to configure the ServiceNow Ticketing connector in Playblocks. Follow the steps to enable and set up the connector.
PagerDuty Alerting
Configure the PagerDuty connector to enable automations to open, acknowledge, and resolve incidents in PagerDuty as part of an automated response.
AI Connectors
This topic describes how to connect an AI provider to Playblocks and how to use the AI Request step in custom automations.
Microsoft Defender
This topic describes how to configure a Microsoft Defender connector in Playblocks. It provides the steps required to enable and authorize the connector.
CrowdStrike
This topic describes how to connect CrowdStrike Falcon with an Playblocks account. It provides steps to enable the connector and configure required credentials.
Microsoft Entra ID
This task describes how to connect Microsoft Entra ID with your Check Point Portal account. Follow the steps to configure and enable the connector.
Reset user password permissions
This topic describes how to provide write permissions required to reset a user password in Entra ID. It guides you through assigning the appropriate role to the application.
Okta
This topic describes how to connect Okta with your Check Point Portal account. It provides the required steps and connection behavior.
SentinelOne
This topic describes the integration of playbook blocks with SentinelOne and explains how automated workflows help improve threat management. It also includes a note about required SentinelOne service user permissions.
Configure a SentinelOne connector
This task describes how to configure a SentinelOne connector in Playblocks. Follow the steps to enable the connector and provide required credentials.
IOC Enforcement
This topic describes IOC Enforcement and how it synchronizes indicators across connected security products. It explains how Playblocks IOCs are updated and distributed through the IOC Management platform.
Configure an IOC Enforcement connector
This topic describes how to configure IOC Enforcement connectors and enable integrations with supported security platforms. It provides step-by-step instructions for setup, validation, and enforcement options.
Notifications
The Notifications page provides options to manage who receives notifications and how they are delivered. It also displays legends describing available actions and views.
View notifications by Profiles
This topic describes how notifications can be viewed according to predefined profiles. It outlines the default attention profiles available in the Profiles view.
Configure a notification profile
This task explains how to configure a notification profile in Playblocks. It includes steps for selecting channels, managing recipients, and previewing notifications.
Cloning a Notification Profile
This task describes how to clone an existing notification profile. Follow the steps to duplicate a profile and prepare it for further configuration.
Deleting a Notification Profile
This task describes how to delete an existing notification profile in Playblocks. Follow the steps to remove a profile that is no longer required.
View by Automations
This topic describes how to view notifications in the Automations view. It explains the purpose of the Automations interface.
Configure a notification profile for an automation
This task describes how to configure a notification profile for an automation. It guides you through selecting automations, modifying profiles, and adjusting notification settings.
Appendix
This appendix provides links to supporting procedures for integrating various external services with Check Point Playblocks. It lists additional configuration resources for multiple platforms.
Appendix A - Creating a User with Specific Roles in ServiceNow
This task describes how to create a ServiceNow user and assign specific roles for use with Playblocks. It includes login steps, user creation, password setup, and role configuration.
Appendix B - Creating an Incoming Webhook in the Slack Channel
This task describes how to create an incoming webhook in a Slack channel. Follow the steps to configure a Slack application and obtain the webhook URL.
Appendix C - Creating Workflow for Microsoft Teams Notification
This task describes how to create a workflow for Microsoft Teams notifications using Microsoft Power Automate. Follow the steps to configure triggers and actions for Teams webhook requests.
Appendix D - Creating an API Token in Atlassian Account
This task describes how to create an API token in an Atlassian account for Jira integration with Playblocks. It includes step-by-step instructions for generating and copying the token.
Appendix E - Integrating CrowdStrike Falcon
This topic describes how to integrate Check Point Playblocks with CrowdStrike Falcon to enable automated alert handling and response actions. It outlines the steps required to configure API access in the CrowdStrike Falcon portal.
Appendix F - Creating a SentinelOne Service User
This task describes how to create a SentinelOne service user with specific role permissions. It guides you through configuring roles, permissions, and generating an API token.
Appendix G - Using Custom Automation Step Schemas
This topic describes parameter schemas for supported step types in custom automations and references the full Automations API documentation. It provides validation rules and dynamic reference details for automation steps.
Parameter References
This topic describes supported parameter reference types and how they enable dynamic retrieval of values from automation steps or parameters. It also outlines the characteristics of each reference type.
Step Categories
This topic lists the available step categories used within automation workflows. It provides quick navigation to each category type.
Triggers
This topic describes trigger types and their parameters for automation workflows. It includes log, schedule, and webhook triggers with detailed parameter schemas and examples.
Notifications
This topic describes notification-related automation steps including Ask, Notify, and Open Ticket. It provides parameter schemas, detailed descriptions, and examples.
Enrichments
This topic describes enrichment steps that gather additional information about IPs, URLs, and files. It includes parameter schemas, details, and examples for each enrichment type.
Conditions
This topic describes conditional logic steps used in automation flows and details their parameters and usage. It includes schema definitions, parameter descriptions, and example structures.
Actions
Describes actions, schemas, parameters, and examples for automation, list management, IOC creation, and running automation tasks. Provides detailed structures and valid input formats.
Common Data Types
This topic describes common structured data types used for duration values and event detail definitions. It includes specifications for TimeInterval and EventDetails formats.
Parameter Behavior and Validation Notes
Describes rules for parameter behavior, validation requirements, optional fields, string length limits, and trigger output expectations in automation flows.
Appendix H - Webhooks and Authentications
This topic introduces REST APIs related to webhooks and authentications used in Playblocks automations.
Appendix I - Creating a PagerDuty General Access Key
This appendix describes the one-time setup in PagerDuty that the PagerDuty Alerting connector requires.