Checkpoint Harmony and Email Collaboration Integration

.github/CODEOWNERS

@@ -607,6 +607,11 @@ plaid/assets/logs/                                                  @DataDog/saa
 /beyondtrust_identity_security_insights/manifest.json                @DataDog/saas-integrations @DataDog/documentation
 /beyondtrust_identity_security_insights/assets/logs/                 @DataDog/saas-integrations @DataDog/documentation @DataDog/logs-backend
 
+/cp_harmony_ec/                                                      @DataDog/agent-integrations
+/cp_harmony_ec/*.md                                                  @DataDog/agent-integrations @DataDog/documentation
+/cp_harmony_ec/manifest.json                                         @DataDog/agent-integrations @DataDog/documentation
+/cp_harmony_ec/assets/logs/                                          @DataDog/agent-integrations @DataDog/documentation @DataDog/logs-backend @DataDog/logs-core
+
 /klaviyo/                                                            @DataDog/saas-integrations
 /klaviyo/*.md                                                        @DataDog/saas-integrations @DataDog/documentation
 /klaviyo/manifest.json                                               @DataDog/saas-integrations @DataDog/documentation

.github/workflows/config/labeler.yml

@@ -751,6 +751,8 @@ integration/zero_networks:
 - zero_networks/**/*
 integration/zk:
 - zk/**/*
+integration/cp_harmony_ec:
+- cp_harmony_ec/**/*
 qa/skip-qa:
 - '**/__about__.py'
 - requirements-agent-release.txt

cp_harmony_ec/CHANGELOG.md

@@ -0,0 +1,4 @@
+# CHANGELOG - cp_harmony_ec
+
+<!-- towncrier release notes start -->
+

cp_harmony_ec/README.md

@@ -0,0 +1,44 @@
+# Agent Check: cp_harmony_ec
+
+
+## Overview
+
+[Checkpoint Harmony Email and Collaboration][1] provides advanced protection for email and collaboration platforms such as Microsoft 365 and Google Workspace. It analyzes email content, user behavior, and threat indicators to detect phishing attempts, malware, and data leaks, helping organizations secure sensitive information and maintain business continuity.
+
+This integration enables visibility into threat types, user targeting patterns, sender activity, and domain-level log analytics. Pre-built dashboard visualizations provide additional insights to help detect anomalies and assess security posture.
+
+## Setup
+
+1. Set up the [Datadog Forwarder][2].
+1. Configure an [AWS S3 bucket to receive logs][3].
+
+The Datadog Agent is not required for this integration.
+
+### Validation
+
+After setup, verify that logs appear in Datadog by checking the Logs Explorer.
+
+## Data Collected
+
+### Metrics
+
+The Checkpoint Harmony Email and Collaboration integration does not include any metrics.
+
+### Events
+
+The Checkpoint Harmony Email and Collaboration integration does not include any events.
+
+### Service Checks
+
+The Checkpoint Harmony Email and Collaboration integration does not include any service checks.
+
+## Troubleshooting
+
+Need help? Contact [Datadog support][5].
+
+
+[1]: https://www.checkpoint.com/harmony/email-security/
+[2]: https://docs.datadoghq.com/logs/guide/forwarder/?tab=cloudformation
+[3]: https://sc1.checkpoint.com/documents/Harmony_Email_and_Collaboration/Topics-Harmony-Email-Collaboration-Admin-Guide/Managing-Security-Events/SIEM.htm#Configuring_AWS_S3_to_Receive_Harmony_Email_&_Collaboration_Logs
+[4]: https://sc1.checkpoint.com/documents/Harmony_Email_and_Collaboration/Topics-Harmony-Email-Collaboration-Admin-Guide/Managing-Security-Events/SIEM.htm#Configuring%20SIEM%20Integration
+[5]: https://docs.datadoghq.com/help/

cp_harmony_ec/assets/configuration/spec.yaml

@@ -0,0 +1,10 @@
+name: cp_harmony_ec
+files:
+- name: cp_harmony_ec.yaml
+  options:
+  - template: init_config
+    options:
+    - template: init_config/default
+  - template: instances
+    options:
+    - template: instances/default

cp_harmony_ec/assets/dashboards/cp_harmony_ec_overview.json

@@ -0,0 +1 @@
+{"title":"Checkpoint Harmony Email & Collaboration","description":"[[suggested_dashboards]]","widgets":[{"id":8836026268833507,"definition":{"type":"image","url":"https://blog.checkpoint.com/wp-content/uploads/2023/04/harmony-e-c-logo.png","sizing":"cover","has_background":true,"has_border":true,"vertical_align":"center","horizontal_align":"center"},"layout":{"x":0,"y":0,"width":6,"height":2}},{"id":7993998898478218,"definition":{"title":"Overview","background_color":"vivid_purple","show_title":true,"type":"group","layout_type":"ordered","widgets":[{"id":3825647889435396,"definition":{"title":"Total Number Of Harmony Email Logs","title_size":"16","title_align":"left","type":"query_value","requests":[{"formulas":[{"formula":"query1"}],"queries":[{"name":"query1","data_source":"logs","search":{"query":"source:s3 @event.security_event.entity_info.customer_oem:\"checkpoint\""},"indexes":["*"],"group_by":[],"compute":{"aggregation":"count"},"storage":"hot"}],"response_format":"scalar"}],"autoscale":true,"precision":2},"layout":{"x":0,"y":0,"width":3,"height":3}},{"id":7874962150014080,"definition":{"title":"Log Distribution Of Entity Sub Types","title_size":"16","title_align":"left","requests":[{"response_format":"scalar","queries":[{"name":"query1","data_source":"logs","search":{"query":"source:s3 @event.security_event.entity_info.customer_oem:\"checkpoint\""},"indexes":["*"],"group_by":[{"facet":"@event.security_event.entity_info.entity_sub_type","limit":10,"sort":{"aggregation":"count","order":"desc","metric":"count"},"should_exclude_missing":true}],"compute":{"aggregation":"count"},"storage":"hot"}],"style":{"palette":"datadog16"},"formulas":[{"formula":"query1"}],"sort":{"count":10,"order_by":[{"type":"formula","index":0,"order":"desc"}]}}],"type":"sunburst","legend":{"type":"automatic"}},"layout":{"x":3,"y":0,"width":3,"height":3}},{"id":6192730663112163,"definition":{"title":"Count Of Different Sub Types Of Logs Across Time Period","title_size":"16","title_align":"left","show_legend":true,"legend_layout":"horizontal","legend_columns":["avg","min","max","value","sum"],"type":"timeseries","requests":[{"formulas":[{"formula":"query1"}],"queries":[{"name":"query1","data_source":"logs","search":{"query":"source:s3 @event.entity.entity_info.customer_oem:\"Check Point\""},"indexes":["*"],"group_by":[{"facet":"@event.security_event.entity_info.entity_sub_type","limit":10,"sort":{"aggregation":"count","order":"desc","metric":"event.security_event.entity_info.entity_sub_type"},"should_exclude_missing":true}],"compute":{"aggregation":"count","metric":"event.security_event.entity_info.entity_sub_type"},"storage":"hot"}],"response_format":"timeseries","style":{"palette":"dog_classic","line_type":"solid","line_width":"normal"},"display_type":"line"}],"yaxis":{"scale":"linear","label":"","include_zero":true,"min":"auto","max":"auto"},"markers":[]},"layout":{"x":0,"y":3,"width":6,"height":4}},{"id":6321536884737271,"definition":{"title":"Total Count Of Logs Over Time ","title_size":"16","title_align":"left","show_legend":false,"legend_layout":"auto","legend_columns":["avg","min","max","value","sum"],"type":"timeseries","requests":[{"formulas":[{"alias":"Logs","formula":"query2"}],"queries":[{"name":"query2","data_source":"logs","search":{"query":"source:s3"},"indexes":["*"],"group_by":[],"compute":{"aggregation":"count","metric":"@event.entity.entity_info.customer_oem:\"Check Point\""},"storage":"hot"}],"response_format":"timeseries","style":{"palette":"dog_classic","line_type":"solid","line_width":"normal"},"display_type":"bars"}],"custom_links":[]},"layout":{"x":0,"y":7,"width":6,"height":4}}]},"layout":{"x":6,"y":0,"width":6,"height":12}},{"id":4093866487878199,"definition":{"type":"note","content":"**Harmony Email & Collaboration** is a cloud security solution developed by **Check Point Software Technologies**. It's designed to protect organisations from advanced email-borne threats, collaboration tool exploits, and phishing attacks. This service is part of Check Point’s broader **Harmony security suite**, which focuses on securing users and access points.","background_color":"orange","font_size":"14","text_align":"left","vertical_align":"center","show_tick":true,"tick_pos":"50%","tick_edge":"top","has_padding":true},"layout":{"x":0,"y":2,"width":6,"height":2}},{"id":1456755065968274,"definition":{"title":"Harmony Email Logs","title_size":"16","title_align":"left","requests":[{"response_format":"event_list","query":{"data_source":"logs_stream","query_string":"source:s3 @event.entity.entity_info.customer_oem:\"Check Point\"","indexes":[],"storage":"hot"},"columns":[{"field":"status_line","width":"auto"},{"field":"timestamp","width":"auto"},{"field":"host","width":"auto"},{"field":"service","width":"auto"},{"field":"content","width":"compact"}]}],"type":"list_stream"},"layout":{"x":0,"y":4,"width":6,"height":4}},{"id":863995327645427,"definition":{"title":"Log Distribution Based On Verdict","title_size":"16","title_align":"left","requests":[{"response_format":"scalar","queries":[{"name":"query1","data_source":"logs","search":{"query":"source:s3 @event.entity.entity_info.customer_oem:\"Check Point\""},"indexes":["*"],"group_by":[{"facet":"@event.entity.entity_security_result.findings_summary.verdict","limit":10,"sort":{"aggregation":"count","order":"desc","metric":"count"},"should_exclude_missing":true}],"compute":{"aggregation":"count"},"storage":"hot"}],"style":{"palette":"datadog16"},"formulas":[{"formula":"query1"}],"sort":{"count":10,"order_by":[{"type":"formula","index":0,"order":"desc"}]}}],"type":"sunburst","legend":{"type":"automatic"}},"layout":{"x":0,"y":8,"width":6,"height":4}},{"id":4975462564253324,"definition":{"title":"Threat Insights","title_align":"center","background_color":"vivid_orange","show_title":true,"type":"group","layout_type":"ordered","widgets":[{"id":8931215491222340,"definition":{"type":"note","content":"The following widgets provide a detailed, actionable view of the email security landscape:\n\n-   **Volume of Events by Matched Security Tool:** Displays the number of threats detected by each integrated security tool, helping identify the most active defenses.\n\n-   **Confidence Level Trends Over Time:** Tracks the system’s confidence in detecting threats over time, highlighting any changes in detection reliability.\n\n-   **Events per Policy Rule ID:** Breaks down security events by specific policy rules, helping optimize email security policies based on threat trends.","background_color":"orange","font_size":"14","text_align":"left","vertical_align":"center","show_tick":true,"tick_pos":"50%","tick_edge":"top","has_padding":true},"layout":{"x":0,"y":0,"width":7,"height":2}},{"id":8463520283531992,"definition":{"title":"Volume Of Logs By Matched Security Tool","title_size":"16","title_align":"left","type":"toplist","requests":[{"queries":[{"name":"query1","data_source":"logs","search":{"query":"source:s3 @event.entity.entity_info.customer_oem:\"Check Point\""},"indexes":["*"],"group_by":[{"facet":"@event.security_event.entity_payload.matched_security_tool","limit":10,"sort":{"aggregation":"count","order":"desc","metric":"count"},"should_exclude_missing":true}],"compute":{"aggregation":"count"},"storage":"hot"}],"response_format":"scalar","formulas":[{"formula":"query1"}],"sort":{"count":10,"order_by":[{"type":"formula","index":0,"order":"desc"}]}}],"style":{"display":{"type":"stacked","legend":"automatic"}}},"layout":{"x":7,"y":0,"width":5,"height":3}},{"id":8270078606174810,"definition":{"title":"Logs Per Policy Rule ID","title_size":"16","title_align":"left","requests":[{"response_format":"event_list","query":{"data_source":"logs_transaction_stream","query_string":"source:s3 @event.entity.entity_info.customer_oem:\"Check Point\"","indexes":[],"group_by":[{"facet":"@event.security_event.entity_payload.policy_rule_id"}],"compute":[{"facet":"count","aggregation":"count"}],"storage":"hot"},"columns":[{"field":"group_by","width":"auto"},{"field":"timeline","width":"auto"},{"field":"max_severity","width":"auto"},{"field":"count:count","width":"auto"}]}],"type":"list_stream"},"layout":{"x":0,"y":2,"width":7,"height":4}},{"id":4217704201707174,"definition":{"title":"Confidence Level Trends Over Time","title_size":"16","title_align":"left","show_legend":false,"legend_layout":"auto","legend_columns":["avg","min","max","value","sum"],"type":"timeseries","requests":[{"formulas":[{"alias":"Confidence","formula":"query1"}],"queries":[{"name":"query1","data_source":"logs","search":{"query":"source:s3 @event.entity.entity_info.customer_oem:\"Check Point\""},"indexes":["*"],"group_by":[{"facet":"@event.security_event.entity_payload.confidence_level","limit":10,"sort":{"aggregation":"count","order":"desc","metric":"count"},"should_exclude_missing":true}],"compute":{"aggregation":"count"},"storage":"hot"}],"response_format":"timeseries","style":{"palette":"dog_classic","order_by":"values","line_type":"solid","line_width":"normal"},"display_type":"line"}]},"layout":{"x":7,"y":3,"width":5,"height":3}}]},"layout":{"x":0,"y":12,"width":12,"height":7,"is_column_break":true}},{"id":8847248388408997,"definition":{"title":"User & Domain Activity","title_align":"center","background_color":"vivid_orange","show_title":true,"type":"group","layout_type":"ordered","widgets":[{"id":6732160704211971,"definition":{"type":"note","content":"The following widgets provide a detailed, actionable view of the email security landscape:\n\n-   **Top Sender Domains:** Displays the most frequent email domains sending messages to the organization, highlighting potential sources of spam or malicious content.\n\n-   **Top Sender IPs:** Identifies the top IP addresses sending emails, helping to detect suspicious or unauthorized sources.\n\n-   **Top Targeted Users:** Lists the users who receive the highest volume of suspicious or targeted emails, aiding in identifying potential internal threats.\n\n-   **Event Volume by Customer Domain:** Shows the volume of security events originating from different customer domains, helping to assess the security posture across external partnerships.","background_color":"orange","font_size":"14","text_align":"left","vertical_align":"center","show_tick":true,"tick_pos":"50%","tick_edge":"top","has_padding":true},"layout":{"x":0,"y":0,"width":6,"height":2}},{"id":2665392346033412,"definition":{"title":"Top Sender Domains","title_size":"16","title_align":"left","type":"toplist","requests":[{"queries":[{"name":"query1","data_source":"logs","search":{"query":"source:s3 @event.entity.entity_info.customer_oem:\"Check Point\""},"indexes":["*"],"group_by":[{"facet":"@event.entity.entity_payload.from_domain","limit":15,"sort":{"aggregation":"count","order":"desc","metric":"count"},"should_exclude_missing":true}],"compute":{"aggregation":"count"},"storage":"hot"}],"response_format":"scalar","formulas":[{"formula":"query1"}],"sort":{"count":15,"order_by":[{"type":"formula","index":0,"order":"desc"}]}}],"style":{"display":{"type":"stacked","legend":"automatic"}}},"layout":{"x":6,"y":0,"width":6,"height":3}},{"id":5002809591961022,"definition":{"title":"Top Sender IPs","title_size":"16","title_align":"left","type":"toplist","requests":[{"queries":[{"name":"query1","data_source":"logs","search":{"query":"source:s3 @event.entity.entity_info.customer_oem:\"Check Point\""},"indexes":["*"],"group_by":[{"facet":"@event.entity.entity_payload.sender_server_ip","limit":15,"sort":{"aggregation":"count","order":"desc","metric":"count"},"should_exclude_missing":true}],"compute":{"aggregation":"count"},"storage":"hot"}],"response_format":"scalar","formulas":[{"formula":"query1"}],"sort":{"count":15,"order_by":[{"type":"formula","index":0,"order":"desc"}]}}],"style":{"display":{"type":"stacked","legend":"automatic"}}},"layout":{"x":0,"y":2,"width":6,"height":2}},{"id":4555049744646829,"definition":{"title":"Volume By Customer Domain","title_size":"16","title_align":"left","type":"toplist","requests":[{"queries":[{"name":"query1","data_source":"logs","search":{"query":"source:s3 @event.entity.entity_info.customer_oem:\"Check Point\""},"indexes":["*"],"group_by":[{"facet":"@event.entity.entity_info.customer_domain","limit":15,"sort":{"aggregation":"count","order":"desc","metric":"count"},"should_exclude_missing":true}],"compute":{"aggregation":"count"},"storage":"hot"}],"response_format":"scalar","formulas":[{"formula":"query1"}],"sort":{"count":15,"order_by":[{"type":"formula","index":0,"order":"desc"}]}}],"style":{"display":{"type":"stacked","legend":"automatic"}}},"layout":{"x":6,"y":3,"width":6,"height":3}},{"id":2111249869047077,"definition":{"title":"Most Targeted Users ","title_size":"16","title_align":"left","type":"toplist","requests":[{"queries":[{"name":"query1","data_source":"logs","search":{"query":"source:s3 @event.entity.entity_info.customer_oem:\"Check Point\""},"indexes":["*"],"group_by":[{"facet":"@event.entity.saas_info.saas_actor_id","limit":15,"sort":{"aggregation":"count","order":"desc","metric":"count"},"should_exclude_missing":true}],"compute":{"aggregation":"count"},"storage":"hot"}],"response_format":"scalar","formulas":[{"formula":"query1"}],"sort":{"count":15,"order_by":[{"type":"formula","index":0,"order":"desc"}]}}],"style":{"display":{"type":"stacked","legend":"automatic"}}},"layout":{"x":0,"y":4,"width":6,"height":2}}]},"layout":{"x":0,"y":19,"width":12,"height":7}}],"template_variables":[],"layout_type":"ordered","notify_list":[],"reflow_type":"fixed"}

cp_harmony_ec/assets/logs/cp-harmony-ec.yaml

@@ -0,0 +1,80 @@
+id: cp-harmony-ec
+metric_id: cp-harmony-ec
+backend_only: false
+facets:
+  - groups:
+      - Event
+    name: Event Name
+    path: evt.name
+    source: log
+  - groups:
+      - User
+    name: User Email
+    path: usr.email
+    source: log
+  - groups:
+      - Web Access
+    name: Client IP
+    path: network.client.ip
+    source: log
+  - description: ""
+    facetType: list
+    groups:
+      - Checkpoint Harmony Email and Collaboration
+    name: Entity Sub Type
+    path: event.security_event.entity_info.entity_sub_type
+    source: log
+    type: string
+pipeline:
+  type: pipeline
+  name: Checkpoint Harmony Email and Collaboration
+  enabled: true
+  filter:
+    query: source:cp-harmony-ec
+  processors:
+    - type: attribute-remapper
+      name: "Remapper : Map `event.security_event.entity_info.entity_sub_type` to
+        `evt.name`"
+      enabled: true
+      sources:
+        - event.security_event.entity_info.entity_sub_type
+      sourceType: attribute
+      target: evt.name
+      targetType: attribute
+      preserveSource: true
+      overrideOnConflict: false
+    - type: attribute-remapper
+      name: " Remapper : Map `saas_actor_id` to `usr.email`"
+      enabled: true
+      sources:
+        - event.entity.saas_info.saas_actor_id
+      sourceType: attribute
+      target: usr.email
+      targetType: attribute
+      preserveSource: true
+      overrideOnConflict: false
+    - type: attribute-remapper
+      name: " Remapper : Map `sender_server_ip` to `network.client.ip`"
+      enabled: true
+      sources:
+        - event.entity.entity_payload.sender_server_ip
+      sourceType: attribute
+      target: network.client.ip
+      targetType: attribute
+      preserveSource: true
+      overrideOnConflict: false
+    - type: attribute-remapper
+      name: "Remapper : Map `event.entity.time` to `timestamp`"
+      enabled: true
+      sources:
+        - event.entity.time
+      sourceType: attribute
+      target: timestamp
+      targetType: attribute
+      preserveSource: true
+      overrideOnConflict: false
+    - type: date-remapper
+      name: Define `timestamp` as the official date of the log
+      enabled: true
+      sources:
+        - timestamp