This is an Azure function app that serves as a webhook forwarder. It will allow users to send notifications from Check Point CloudGuard CSPM to Microsoft Sentinel. This repo will deploy the webhook forwarder as an Azure function app.
For more information see: Microsoft Sentinel Data Collector API
Prerequisites:

- You must have read and write permissions on the Microsoft Sentinel workspace.
- You must have read permissions to shared keys for the workspace.

Deployment steps:

1. Get Microsoft Sentinel Workspace ID and Primary Key
   a. From Azure Portal -> Microsoft Sentinel Workspace -> Settings -> Workspace settings -> Agents management
   b. Copy Workspace ID and the Primary Key
2. Launch Template
3. Fill template details
4. Obtain function app endpoint URL
5. Configure CloudGuard CSPM notification
   a. Login to Check Point CloudGuard CSPM portal
   b. Settings -> Notifications -> Add Notification
   c. Fill in the details
   d. Endpoint URL - make sure to include the following at the end of the function URL: "/api/forwarder/"
   e. Select "Basic" Authentication Type
   f. Input CSPM username and password from step 3 above
   g. Test endpoint
   h. Save notification policy
   Example:
6. Assign notification policy to a security bundle
   a. From CloudGuard CSPM portal
   b. Posture Management -> Continuous Posture -> Select bundle
   c. Edit bundle notification policy
   d. Select notification policy and Save settings
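As an added illustration (not this repo's own code), the two things the forwarder has to do with the values collected in the steps above: verify the Basic credentials CloudGuard attaches to each notification, then sign the outgoing request to the Microsoft Sentinel Data Collector API with the Workspace ID and Primary Key. The workspace ID, key, username and password are constructed placeholders; the request URL, header names and SharedKey signing format are those of the public Data Collector API.

```python
import base64
import hashlib
import hmac
from email.utils import formatdate

# Constructed placeholder values; real ones come from the Sentinel workspace
# (Agents management) and from the deployment template (step 3 in the README).
WORKSPACE_ID = "00000000-0000-0000-0000-000000000000"
PRIMARY_KEY = base64.b64encode(b"constructed-example-shared-key").decode()
LOG_TYPE = "CloudguardCSPM"  # Sentinel stores the records as CloudguardCSPM_CL
BASIC_USER, BASIC_PASSWORD = "cspm-webhook", "example-password"


def basic_header(user, password):
    """Authorization value CloudGuard sends when 'Basic' authentication is selected."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def check_basic_auth(authorization_header, user=BASIC_USER, password=BASIC_PASSWORD):
    """Verify the Basic credentials before anything is forwarded to Sentinel."""
    if not authorization_header or not authorization_header.startswith("Basic "):
        return False
    try:
        decoded = base64.b64decode(authorization_header[6:], validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return False
    # Constant-time comparison so wrong guesses do not leak timing information.
    return hmac.compare_digest(decoded.encode(), f"{user}:{password}".encode())


def string_to_sign(method, content_length, content_type, rfc1123_date, resource="/api/logs"):
    """Canonical string the Data Collector API expects to be HMAC-SHA256 signed."""
    return f"{method}\n{content_length}\n{content_type}\nx-ms-date:{rfc1123_date}\n{resource}"


def data_collector_headers(body, workspace_id=WORKSPACE_ID, shared_key=PRIMARY_KEY,
                           log_type=LOG_TYPE, rfc1123_date=None):
    """Headers for POST https://<workspace>.ods.opinsights.azure.com/api/logs (body is JSON bytes)."""
    rfc1123_date = rfc1123_date or formatdate(usegmt=True)
    content_type = "application/json"
    to_sign = string_to_sign("POST", len(body), content_type, rfc1123_date)
    digest = hmac.new(base64.b64decode(shared_key), to_sign.encode("utf-8"), hashlib.sha256).digest()
    return {"Content-Type": content_type, "Log-Type": log_type, "x-ms-date": rfc1123_date,
            "Authorization": f"SharedKey {workspace_id}:{base64.b64encode(digest).decode()}"}


def forward(authorization_header, body):
    """Reject unauthenticated webhooks; otherwise return the URL and signed headers to POST."""
    if not check_basic_auth(authorization_header):
        return None
    url = f"https://{WORKSPACE_ID}.ods.opinsights.azure.com/api/logs?api-version=2016-04-01"
    return url, data_collector_headers(body)
```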
Send existing alerts to Microsoft Sentinel:

- From CloudGuard CSPM portal
- Posture Management -> Continuous Posture -> Select bundle
- Select "Send all alerts"
- Select notification policy and Send

View the events in Microsoft Sentinel:

- From Microsoft Sentinel Workspace -> Select CloudguardCSPM_CL or the user-specified log_type name for CloudGuard CSPM.
  Note: Microsoft Sentinel Data Collector API appends "_CL" to all ingested data fields.
- Filter events
  a. Filter by: rule_severity_s, rule_ruleId_s, rule_name_s, entity_region_s, entity_name_s, rule_description_s, rule_remediation_s, entity_id_s
  example: