Check Point CloudGuard

Check Point CloudGuard is a cloud security tool that provides protection for your cloud infrastructure. You can bring alert, alert definition, and cloud resource data from Check Point CloudGuard into Brinqa to gain a comprehensive view of your cloud security landscape, thus enhancing your cybersecurity posture.

This document details the information you must provide for the connector to authenticate with Check Point CloudGuard and how to obtain that information from Check Point CloudGuard. See create a data integration for step-by-step instructions on setting up the integration.

Required connection settings

When setting up a data integration, select Check Point CloudGuard from the Connector drop-down. If you cannot find the connector in the drop-down, make sure you have installed it first. You must provide the following information to authenticate Check Point CloudGuard with Brinqa:

• API URL: The CloudGuard API URL. The default URL is https://api.dome9.com.

• API ID and API Secret: The API ID and API secret associated with the CloudGuard account, which must have permissions to log in to the API server and return data.

Generate Check Point CloudGuard API credentials

For the Check Point CloudGuard connector to use the CloudGuard API, you must provide API credentials. To generate API credentials, follow these steps.

1. Log in to your organization's Check Point CloudGuard portal as an administrator at https://secure.dome9.com/v2/.

2. Navigate to Settings > Account > Credentials.

3. Click Create API Key.

   The API ID and API secret display. You cannot view the API secret again. Copy and save it to a secure location.

note

If you do not have permissions to generate credentials, contact your CloudGuard administrator. For additional information, see Check Point documentation.

Additional settings

The Check Point CloudGuard connector contains an additional option for specific configuration:

• Page size: The maximum number of records to get per API request. The default setting is 50. It is not recommended to go over 50.

Types of data to retrieve

The Check Point CloudGuard connector can retrieve the following types of data from the CloudGuard API:

Table 1: Data retrieved from CloudGuard

Connector Object	Required	Maps to Data Model
Alert	Yes	Alert
Alert Definition	Yes	Alert Definition
Cloud Resource	Yes	Cloud Resource

info

The Check Point CloudGuard connector does not currently support operation options for the types of data it retrieves.

For detailed steps on how to view the data retrieved from Check Point CloudGuard in the Brinqa Platform, see How to view your data.

Attribute mappings

Click the tabs below to view the mappings between the source and the Brinqa data model attributes.

Alert

Table 2: Alert attribute mappings

Source Field Name	Maps to Attribute
acknowledged	Local variable
alertType	categories, Local variable
alertWindowEndTime	Local variable
alertWindowStartTime	Local variable
bundleId	Local variable
bundleName	Local variable
category	categories
cloudAccountId	Local variable
cloudAccountExternalId	Local variable
cloudAccountType	Local variable
comments	Local variable
createdTime	sourceCreatedDate
entityExternalId	targets
entityName	Local variable
entityNetwork	Local variable
entityTags	Local variable
entitydome9Id	Local variable
entityType	Local variable
excluded	Local variable
findingKey	Local variable
lastSeenTime	lastFound
occurrences	Local variable
orgId	Local variable
orgPath	Local variable
origin	Local variable
ownerUserName	Local variable
region	region
remediationActions	Local variable
ruleId	type
scanId	Local variable
status	status, statusCategory
SYS_ID	uid
tag	tags
updatedTime	sourceLastModified

Alert Definition

Table 3: Alert Definition attribute mappings

Source Field Name	Maps to Attribute
acknowledged	Local variable
alertType	categories, Local variable
alertWindowEndTime	Local variable
alertWindowStartTime	Local variable
bundleId	Local variable
bundleName	Local variable
cloudAccountId	Local variable
cloudAccountExternalId	Local variable
cloudAccountType	Local variable
comments	Local variable
description	description
entitydome9Id	Local variable
excluded	Local variable
findingKey	Local variable
occurrences	Local variable
orgId	Local variable
orgPath	Local variable
origin	Local variable
remediation	recommendation
remediationActions	Local variable
ruleId	uid
ruleLogic	description
ruleName	name
scanId	Local variable
severity	severity, severityScore

Cloud Resource

Table 4: Cloud Resource attribute mappings

Source Field Name	Maps to Attribute
acknowledged	Local variable
alertType	categories, Local variable
alertWindowEndTime	Local variable
alertWindowStartTime	Local variable
bundleId	Local variable
bundleName	Local variable
cloudAccountId	Local variable
cloudAccountExternalId	Local variable
cloudAccountType	Local variable
comments	Local variable
entityExternalId	uid
entityType	categories
entityName	name (If not default or uid)
entityNetwork	Local variable
entityTags	tags
entitydome9Id	Local variable
excluded	Local variable
findingKey	Local variable
occurrences	Local variable
orgId	Local variable
orgPath	Local variable
origin	Local variable
remediationActions	Local variable
scanId	Local variable

info

Local variable indicates that the field is processed within a specific context, such as a particular workflow or calculation. Unlike other attributes, local variables aren't mapped to the unified data models. They only exist on the source data model.

APIs

The Check Point CloudGuard connector uses the CloudGuard API v2. Specifically, it uses the following endpoints:

Table 5: Check Point CloudGuard API v2 Endpoints

Connector Object	API Endpoints
Alert	POST /v2/Compliance/Finding/search
Alert Definition	POST /v2/Compliance/Finding/search
Cloud Resource	POST /v2/Compliance/Finding/search

Changelog

The Check Point CloudGuard connector has undergone the following changes:

3.0.1

• Added a formatter to process Date Time attributes.

3.0.0

• Initial Integration+ release.