Introduction to Infinity XDR/XPR
Check Point Infinity XDR
/XPR is an Extended Detection Response (XDR) and Extended Prevention Response (XPR) tool that provides a unified view of all the security operations across onboarded products and helps you detect, respond to and prevent cyber attacks.
Infinity XDR/XPR uses Check Point ThreatCloud's Artificial Intelligence (AI) and Machine Learning (ML) to analyze security events across the products to identify security risks in your organization. If a security risk is detected, it generates an incident (alert) with an appropriate priority based on the severity and confidence level of the detection, and provides mitigation to the incident. Incidents are also fully mapped to the MITRE ATT&CK framework and also allows you to view the internal and external intelligence available for an indicator and analyze files for threats.
Benefits
-
Unified view for all the security operations across products.
-
Correlates multiple logs across products to a single security incident.
-
Early automatic detection and response to security events across your products.
-
Eliminates false positives.
-
Provides a comprehensive understanding of your organization's security posture, which allows you to take more confident and effective actions to mitigate and prevent attacks.
-
Advanced User Entity Behavioral Analytics (UEBA
) detections.
Use Case
You are subscribed to multiple products and you want a single application to prevent, detect, investigate, and respond to security attacks.
Supported Regions
Infinity XDR/XPR is supported only for the Infinity Portal tenants (accounts) residing in these regions:
-
EU
-
US
-
India (Infinity AI Copilot and Infinity Playblocks are not available)
-
UAE (Infinity AI Copilot and Infinity Playblocks are not available)
Supported Products
Infinity XDR/XPR's integration with specific products involves the following components:
-
Log integration - Required for all integrations for processing logs. Log integration can be either through Syslog where logs are pushed to Infinity XDR/XPR or through API where logs are pulled over the interface.
-
Response integration - Required for issuing responses (commands) to the integrated product. Responses are always issued over API.
-
IOC Management Support - Interface to set Indicators Of Compromise (IOCs) on the integrated product.
The table below shows the supported products, their log integration types, and whether they support response integration and IOC Management.
|
Product Family |
Product Name |
Log Integration |
Response Integration |
IOC Management Support |
|---|---|---|---|---|
|
Check Point |
Quantum Security Gateway
|
Check Point cloud |
Supported |
Supported |
|
CloudGuard Network |
Check Point cloud |
Supported |
Supported |
|
|
Harmony Endpoint (EPMaaS) |
Check Point cloud |
Supported |
Supported |
|
|
Harmony Email & Collaboration |
Check Point cloud |
Not supported |
Supported |
|
|
|
Harmony Mobile |
Check Point cloud |
Not supported |
Can be enabled upon user request |
|
Microsoft |
Microsoft 365 Defender for Endpoint |
API |
Supported |
Supported |
|
|
Microsoft Entra ID |
Infinity Identity Providers Integration |
Supported |
Not Supported |
|
Fortinet |
FortiGate Next Generation Firewall |
Syslog |
Not supported |
Supported |
|
CrowdStrike |
Falcon |
API |
Supported |
Supported |
|
SentinelOne |
Singularity Endpoint |
Syslog |
Supported |
Supported |
|
Palo Alto Network |
Palo Alto Networks Next Generation Firewall |
Syslog |
Not supported |
Supported |
|
Trend Micro |
Trend Vision One |
API |
Supported |
Supported |
|
Cisco |
Cisco Firepower |
Syslog |
Not supported |
Supported |
|
Okta |
Okta |
Infinity Identity Providers Integration |
Supported |
Not supported |
|
Identity Service* |
Identity Sources supported by the Check Point Security Gateway |
Check Point cloud |
Not supported |
Not supported |
*Tracks unusual user activities, such as repeated failed logins, logins after office hours, and so on. Infinity XDR/XPR correlates this activity to security events from other sources and generates an incident.
API Support
Infinity XDR/XPR API
You can use the Infinity XDR/XPR REST APIs to access and retrieve data from Infinity XDR/XPR.
Prerequisite
Create a new account API key for XDR XPR service in the Infinity Portal. For instructions, see Infinity Portal Administration Guide.
To access Infinity XDR/XPR API:
-
Go to Check Point API Reference.
-
Click Infinity.
-
In the Infinity XDR/XPR API widget, click Open.
Infinity Threat Hunting API
You can use the Infinity Threat Hunting GraphQL APIs to query Infinity Threat Hunting and retrieve information about events reported by your devices.
To access Infinity Threat Hunting API:
-
Go to Check Point API Reference.
-
Click Infinity.
-
In the Infinity Threat Hunting API widget, click Open.