Harmony Email and Collaboration Lab Guide v1.3

Harmony Email &
Collaboration
Training Lab Guide

Version 1.3
©2021 Check Point Software Technologies Ltd. All rights reserved | P. 1

Contents
Harmony Email & Collaboration ........................................................................................................... 1
Training Lab Guide ............................................................................................................................... 1
Change log ............................................................................................................................................ 2
Introduction .......................................................................................................................................... 3
Lab Scope Training HEC Intro ............................................................................................................... 4
Environment information ..................................................................................................................... 4
Create an account in Portal Infinity and HEC ........................................................................................ 5
Connect to Harmony Email & Collaboration Portal ............................................................................. 8
Access to Office 365 Tenant ............................................................................................................... 12
Rule Configuration HEC ...................................................................................................................... 18
Lab #1 – Sending attack emails .......................................................................................................... 21
Lab Instructions .................................................................................................................................. 21
Lab #1 – Expected outcome ............................................................................................................... 23
Lab #2 – Investigation of Malware attack........................................................................................... 23
Lab #3– Customer Use Case – Phishing .............................................................................................. 31
Lab #4 – Customer Use Case – Failed Logins ...................................................................................... 35
Appendix - Custom Queries ............................................................................................................... 37
Put Evaluation License HEC ................................................................................................................ 45
Change log
Editor Date Version Comments
Javier 17-April-2022 V1.0 Initial document
Samaniego
Javier 5-May-2022 V1.3 Requirement Lab Enviroment
Samaniego

Introduction
Over 90% of attacks against organizations start from a malicious email. Since email attacks usually involve the human
factor, your Office 365 and G-Suite environments are your organization’s weakest link. Closing this security gap requires
protection from various threat vectors: phishing, Malware, account takeover and data theft.
This might force you to choose between the security level your need to what you can actually afford and efficiently manage.
With Harmony Email & Collaboration you get all the protection you need for Office 365 and G Suite email and
productivity apps in a single, efficient and cost effective solution, and at the highest-caliber security.
Main Capabilities
Main Benefits
Demo Background Story
Welcome !
You are the CISO of an organization, and you have just recently decided to move your email account to a cloud platform.
Your IT department decided to execute it fast, as it is very simple to migrate to the cloud and It will reduce the overload on
the team from managing the email operations.
The IT department didn’t follow the move with the security department and created a security risk.
You rushed to the best security vendor and requested assistance in getting a simple yet highly effective cloud base solution
to solve your security problem.
Check Point was of course, ready and willing to do the task and provide you with a solution that you can implement within
10 minutes.
Welcome to Harmony Email & Collaboration
Harmony Email & Collaboration was integrated in 10 minutes and immediately started to show value with the detection
of malicious and phishing emails.
The Demo you are about to perform use real-life use cases when first on-boarding to Harmony Email &
Collaboration and presenting the following demo scenarios on office 365 users :
 Sending Attack Emails

 Investigation of the Malware attack
 Investigation of the Phishing attack
 Investigation of failed logins

Lab Scope Training HEC Intro
1. Create an account in Portal Infinity and HEC
2. Connect to Harmony Email & Collaboration Portal
3. Access Tenant Office 365 (Demo Credentials)
4. Perform the integration of office356 and HEC
5. Create Rule for user in Prevent inline
6. Create Rule for user in Detect Mode
7. Conduct Demo Point Labs
8. Put Evaluation License
Environment information

Create an account in Portal Infinity and HEC
Note: Company name is “Harmony-NamePartner” for training

Notes: For Data Residency Region:
select United States

To activate Harmony Email & Collaboration:
2. Click on the menu icon and select Harmony Email & Collaboration.
3. Accept the terms of service and click Try Now.
Now, you can start using Harmony Email & Collaboration.
To start activating the SaaS applications, see Activating SaaS Applications.
In this guide, {portal} refers to your portal name.

Connect to Harmony Email & Collaboration Portal
Goal
Connect to the Harmony Email & Collaboration portal with the demo user and review the configuration. It is possible to
demonstrate Harmony Email & Collaboration with existing events and perform an overview of the solution
Discussion points
 Harmony Email & Collaboration application as part of the Check Point Infinity portal architecture
 Harmony Email & Collaboration components and policy overview
 Harmony Email & Collaboration capabilities
Instructions
Step Instructions
1 Open a browser (Chrome recommended) on your machine and browse to https://portal.checkpoint.com
2 Connect to the Infinity portal Created with the following User and Password:
User:
Partner-Email (account created in LAB Prerrequisites)
Password:
Xxxxxx
3 Choose the Harmony Email & Collaboration application
Workflow:
Step Description
1 Getting Started Wizard opens after activating Harmony Email & Collaboration.
2 Start activating the SaaS application(s) required.

3 Navigate to Overview and begin monitoring.
To begin the Getting Started wizard:
Click Let's Get Started.
The Cloud App Store screens opens.
Select the SaaS application you want to activate.
Activations are done through OAuth and require admin-level authentication and authorization. Make sure you have the adm
available for the SaaS you select to activate.
Notes:
The procedure to activate the SaaS application varies according to the application you select.
When a SaaS application is activated, it automatically starts the Monitor only mode. There is no change to the end-user's e
action or remediation is taken. However, you can already see events generated from the Infinity Portal.
Activating Office 365 Mail

Important - To activate Office 365 Mail, you must have administrator access to Office 365. In addition, the quara
which is managed by your company in Office 365. This license is not created automatically by Harmony E
the Automatic Mode for onboarding).
To activate Office 365 Mail:
Step Description
1 From the Getting Started Wizard click Start for Office 365 Mail.
or
Navigate to Config > Cloud App Store and click Start for Office 365 Mail.
2 Select the mode of operation for Office 365.

 Automatic mode
Harmony Email & Collaboration automatically configures Office 365 emails to operate
in Monitor only mode.
 Manual mode
You must manually perform the necessary configurations in the Office 365 Admin
Exchange Center before you bind the application to your Office 365 email account, and
every time you add or edit the security policy associated with Office 365 emails. For more
information, see Appendix A: Check Point Manual Integration with Office 365.
3 Accept the terms of service and click Ok.

4 In the Office 365 Authorization window that appears, sign in with your Microsoft administrator
credentials.
Note - Authentication is performed by Microsoft and these credentials are not provided by Check
Point.
5 In the authorization screen, click Accept to grant necessary permissions to Harmony Email &
Collaboration.
The Office 365 Mail SaaS is enabled and monitoring begins immediately.
Note - By default, Monitor only mode is assigned for all the SaaS applications you connect to. This allows you to immedi
that Harmony Email & Collaboration brings as it recognizes security incidents that occurred before on your SaaS platform.
protection, see Threat Detection Policy.
Activating Microsoft OneDrive

Important - To activate OneDrive, you must have administrator access to Office 365.
To activate OneDrive:
S
t
Description
e
p
1 From the Getting Started wizard or from the Cloud App Store, click Start for
Microsoft OneDrive.
The Authorization Scope window opens.
2 The Force Admin checkbox asks if you authorize the admin account to have
access to all files and folders on OneDrive.
This is needed if you want to monitor changes and security-risks across all files
and folders.
Best Practice - Select this checkbox.
Note - OneDrive end-users might notice that the administrator now has permissions to their files and folders.
3 Click Next.

You can now see the permissions:
4 Click OK to review and accept the list of permissions to grant Harmony Email &
Collaboration.
5 Click Accept.
Microsoft OneDrive is activated and the monitoring begins immediately.
Notes
 The last, non-custom ‘Detect’ rule is automatically created when on-boarding a customer to Office 365.
The system automatically creates a detection rule for all users and groups.
The Environment is already set for both detection and prevention types of behaviors
 It is possible to use previously sent emails and review existing information.

 It is preferred to perform a short overview of the portal and capabilities before the demonstration

Access to Office 365 Tenant
Open Admin
Open Azure Active Directory
Open Azure Enterprise Applications and Review CheckPoint Apps

Open Exchange
Open Connectors and review the Check Point Conectors created

Open Rules and review the Check Point Rules created

Open Classic Exchange Admin Center
Open Compliance Managenent and review Journal Rule

Open Security

Rule Configuration HEC
Note: Chose 2 existing users in office 365 Tenant and reset password
User A for Prevent Rule
User B for Detect Rule
Prevent Rule

Select a User Office 365 Tenant for Prevented Rule
Detect Rule
Select a User Office 365 Tenant for Detected Rule

https://sc1.checkpoint.com/documents/Sales_tools/DemoPoint/Harmony_Email_Collaboration/Topics/
Step1.htm?tocpath=Demo%20Steps%7CStep%201%20-%20Sending%20Attack%20Emails%7C_____0
Lab #1 – Sending attack emails

Lab Objectives – In this lab you will open an attacker email account on mailfence email and prepare
the attacks that will be used
Lab Instructions
Ste
Instructions
p
1 Open the browser (Chrome recommended) on your machine and browse to https://mailfence.com/
Note - Check Point employees may use the BYONic internal tool to send Malware and phishing
emails, Visit the following link
2 Login to the following account in Mailfence

Fill in the details according to the below guidance and click Login
Username = attackercgs
Password = Cpwins12345678!
3 Navigate to the Messages option
4 Click on ‘Malware’ Tag name, choose some latest samples and forward the emails with a malicious attachment

Ste
Instructions
p
5 Add your name and date to the subject to create a unique subject
6 Forward the email to the office365 protected users

1. detect@chkp-demodays.xyz - user policy set to detect
2. prevent@chkp-demodays.xyz - user policy set to prevent
7 Click on ‘Phishing’ Tag name, forward the email with ‘Phishing Scenario – December’ subject
8 Add your name and date to the subject to create a unique subject
9 Forward the email to the office365 protected users

1. detect@chkp-demodays.xyz - user policy set to detect
2. prevent@chkp-demodays.xyz - user policy set to prevent

Ste
Instructions
p
Lab #1 – Expected outcome

At the end of the lab you should have concluded the following:
 You were able to login to a dedicated attacker email account
 Malware scenario and phishing scenario emails were sent to an Office 365 Detect user email
address that is protected by Harmony Email & Collaboration detect rule
 Malware scenario and phishing scenario emails were sent to an Office 365 Prevent user email
address that is protected by Harmony Email & Collaboration prevent rule
Lab #2 – Investigation of Malware attack

Lab Objectives – In this lab you will investigate the Malware attack on the Office 365 user. You will
analyze the email attachments and will be able to respond to the event
Lab Instructions
Goal
Demonstrate an investigation of the Malware attack on each of the Office 365 users.
Show Harmony Email & Collaboration analysis and response to each event
Discussion points
 Advanced threat prevention engines that block malicious attachments and links before they reach users’ mailboxes

 Content Disarm and Reconstruction (Threat Extraction) that instantly delivers sanitized files to users
 Advanced Malware protection for cloud email and productivity suites without impacting business productivity
Instructions
Ste
Instructions
p
1 Navigate in the Harmony Email & Collaboration portal to the Events tab under the Email and Storage
Note - it is also possible to click the pending malware events from the overview screen
2 Filter for
Date=Last24h
State=New , Remediated
Type=Malware
SaaS=Office365 Emails
3 Find the events you sent by the subject of the email. You can search for your subject
4 Press the Check Point SandBlast in description of Remediated event to analyze the event

Ste
Instructions
p
5 Start from the Email Profile section to better understand the email information, format and status.
The following information is available:
a. Sender and all recipients – reflect on the sender to understand if this is a known sender or trusted sender,
and the recipients for potential risk in case of Malware
b. Mail subject and content type – Content type can show if this is plain text that has lower risk or HTML
with higher risk.
c. Email received date and time
d. Is Deleted – to understand if this email still poses a risk and users have access to the files. If it is deleted it
means users are protected and can’t access the email
e. You can review additional details like raw headers and body as well as download the mail for analysis
f. This section allows manually quarantining or restoring from quarantine for quarantine emails.
6 For New type events you can press “quarantine” to quarantine the email and Remediate the event.
For Remediated type event you can press restore from quarantine to restore the email for the recipients.

Ste
Instructions
p
7 Second analysis part will be the Security stack,

Where you can view all the Check Point inspection services verdicts.
You will only see verdicts for services that inspected the email

Ste
Instructions
p
Note - Anti-Phishing inspection service allows you to interact with the CGS portal and provide additional
information for the Machine learning models. The information provided will increase accuracy of the Anti-
Phishing inspection service
8 It is possible to create a blacklist rule to block new emails that matches the black list rule by clicking on ‘Similar
Emails / Create Rules’

Ste
Instructions
p
9 It is possible to report Mis-classification to reduce Anti-Phishing false positive or to increase the detection rate
10 You can see that Anti-Phishing and URL reputation didn’t detect anything, while an attachment was detected as an
insecure attachment
Note - for any type of detection you will see that red circle with an exclamation mark
11 Click on the malicious files from this section or on any file from the Email attachments section will allow to
further analyze the attachment detection results
Note - Every file that is detected as malicious will be marked, and it is possible to further investigate files
that are not detected as malicious. Information on every file can be further analyzed through the attachment
info

Ste
Instructions
p
12 We will now analyze the malicious attachment file.
Best Practice - When performing analysis, you should right click and open in new tab, otherwise it will
continue to use the same tab, which makes it harder to perform a wide range analysis
13 Attachment Analysis shows different type of information including:

a. Security stack – information on inspection service detection.
From here you can press the view report on the Threat Emulation detection to view the emulation report

Ste
Instructions
p
i. Emulation report is only available to malicious files.

i. Press the view report and go through the threat emulation report to understand more
about the Malware.
ii. Reporting a file as not malicious will create a security tool exception in the CGS portal
for this attachment
b. Email recipients- all recipients that were supposed to receive or received the attachment
c. Live Event log – shows all the relevant logs regarding this attachment
14 You can continue to review the event and related information.

 You were able to filter and locate the relevant malware event for Office365
 You performed analysis on the mail and attachment received

 You understand that even in detect mode it is possible to manually remediate event and see the
value.
Lab #3– Customer Use Case – Phishing

Lab Objectives – In this lab you will investigate the Phishing attack sent to the Office365 user. You
will analyze the email and will be able to respond to the event
Lab Instructions
Ste
Instructions
p
1 Navigate in the Harmony Email & Collaboration portal to the Events tab under the Email and Storage
 it is also possible to click the pending phishing events from the overview screen
2 Filter for
Date=Last24h
State=New, Remediated
Type=Phishing, Suspicious Phishing
SaaS=Office365 Emails
3 Find the events you sent by the subject of the email.

You can search for your subject
4 Press the attackercgs@mailfence.com in the event description to view user information, metadata, internal and
external collaborators

Ste
Instructions
p
5 Return to the events filter and press on the Email subject in the event description to analyze the event further
6 Start from the Email Profile section to better understand the email information, format and status.
The following information is available:
a. Sender and all recipients – reflect on the sender to understand if this is a known sender or trusted
sender, and the recipients for potential risk in case of phishing
b. Mail subject and content type – Content type can show if this is plain text that has lower risk or HTML
with higher risk since links are clickable
c. Email received date and time
d. Is Deleted – to understand if this email still poses a risk and users have access to the files. If it is deleted,
it means users are protected and can’t access the email
e. User Aliases – shows all user aliases.
f. Sender is external – higher chance of phishing
g. Any recipient is external – indicates that there are multiple recipients and not all internal.
 You can review additional details like raw headers and body as well as download the mail for analysis.
 This section allows manually quarantining or restoring from quarantine for quarantine emails.
7 It is possible to quarantine new type events and to restore remediated type events that were already quarantined

Ste
Instructions
p
8 The second analysis part will be the Security stack, where you can view all the Check Point inspection services
verdicts. You will only see verdicts for services that inspected the email
 Below is an example for URL Reputation detection, indicating the first step of phishing protection by
detecting known phishing domains.
o Anti-Phishing inspection service allows you to interact with the CGS portal and to provide additional
information for the Machine learning models. The information provided will increase the accuracy of the
Anti-Phishing inspection service

Ste
Instructions
p
9 Anti-Phishing block and allow rules can be set through the analysis of every event by clicking on ‘Similar Emails
/ Create Rules’ – see example screenshot below
10 You can set exceptions to the Anti-phishing and URL Reputation from the security stack.
o for any type of detection you will see that red circle with an exclamation mark, you can click it to view
more details
o In order to get the Anti-Phishing ML based detection , an email will have to bypass the first detection
based on known and then it will be detected by Anti-Phishing ML.
11 The Anti-Phishing inspection service will inspect the email and the URL reputation inspection service will
provide a verdict on hyperlinks in the email and attachments
In the case above the detection was performed with the URL reputation inspection service as known phishing url.
12 Live Event log – shows all the relevant logs regarding this event
Best Practice - To learn how to create custom query of delivered phishing emails, quarantining them- Please refer to the App

 You were able to filter and locate the relevant phishing event for Office365
 You performed analysis on the email and its sender and reasons for phishing detection
 You understand that even in detect mode it is possible to manually remediate event and see the
value.
Lab #4 – Customer Use Case – Failed Logins

Lab Objectives – In this lab you will create a custom query to understand if there are accounts under
attack, or account takeover attempts.
Lab Instructions
Step Instructions
1 Browse to portal.office.com

Step Instructions
2 Enter the following username = admin@chkpdemodaysxyz.onmicrosoft.com
3 Enter a random password to create a failed login event
Note - You will not be able to see your failed login event immediately, but you can review other failed
login events.
4 View the login events from the overview tab and change the view to failed login events
This is how you can have a correlated map view of all login attempts to view regions with failed and succeeded
login events and to monitor possible compromised or under attack accounts
5 To better understand and view all the relevant Login information,

Navigate to Email & Storage --> Analytics --> Custom queries
6 Search for query named Failed Login and click on it to view Failed Logins items
Best Practice - To learn how to create custom query event for Failed logins - Please refer to the Appendix

 You were able create a new custom query to detect failed logins
 You were able to identify the compromised user under an account takeover attack
 You understand that custom queries are a very strong tool that can be utilized to detect account
takeover attempts.

Appendix - Custom Queries
Important
Custom Queries can't be created with the demo user [Read Only] - Please don't try to follow these steps with the
demo user.
You can review the below steps for learning / reference.
Create Custom Query for Failed Logins
St
Instructions
ep
1 Navigate to Email & Storage --> Analytics --> Custom queries
2 Add a new query
3 Under “Query templates for Office 365 Emails” choose “show recent login events"

St
Instructions
ep
4 Add a new Condition for Login Status with the following parameters:
Condition=Result Status -> NOT, is, Succeeded
It is also possible to add a new condition from the columns and edit that condition

St
Instructions
ep
5 You can add a new condition for country to filter out countries that you expect to see logins.
Example: Select the Country Column and choose to NOT show Germany
The query will let you understand if there are failed logins attempts from countries that shouldn’t be there to
indicate a possible account takeover attack
6 Remove the time condition to set it to a longer period to review more information
7 Press the Cog wheel on the top right corner and press Edit Conditions
This screen allows you to create a more complex query with “AND” and “OR” logic

St
Instructions
ep
8 Review the information and answer the question “Who is the user being targeted by an account takeover attack”?
Creating a simple custom query to quarantine
Goal
Demonstrate an investigation of a simple custom query of delivered phishing emails, quarantining them
Discussion points
 Investigate all data seen by Harmony Email & Collaboration through custom queries
 Perform bulk actions on custom queries
Instructions
Ste
Instructions
p
1 Navigate to Email & Storage --> Analytics --> Custom queries
2 Add a new query
3 Under query template for Office365, choose show recent emails template

Ste
Instructions
p
4 Sort the Email date column -> sort descending
5 Add a new condition to view all emails with phishing verdict

Condition= Security Stack->Anti-Phishing>Phishing Status->is one of Phishing
 For the Anti-Phishing ML detection use the Anti-Phishing instead of URL Reputation

Ste
Instructions
p
6 Add a new Column > Quarantine state to view the quarantine state of each mail
7 Add a condition from the “subject” column of results to filter in the phishing emails that you sent

Ste
Instructions
p
8 Add a condition from the “is quarantined” column of the results to filter out quarantined emails
9 Save the query by clicking on the query menu button and choose save as…
10 Fill in the details and Click OK to save

Ste
Instructions
p
11 After the query is save, the manual actions button will be available to perform a quarantine of the desired emails
12 Choose the email that you want to quarantine and press the manual actions button
13 Choose quarantine, Click OK and OK once more to confirm.
14 Following the quarantine action, press the refresh button (or choose refresh from the manual actions button) and
show that the email disappears from the query as it was quarantined.

Create a Account for Training

Put Evaluation License HEC
Go to https://usercenter.checkpoint.com/
Select Other Evaluation Option – then Select Harmony Email and Colaboration

Attach License Evaluation Contract to Portal HEC


Harmony Email and Collaboration Lab Guide v1.3

Uploaded by

Copyright:

Available Formats

Harmony Email and Collaboration Lab Guide v1.3

Uploaded by

Document Information

Original Description:

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Harmony Email and Collaboration Lab Guide v1.3

Uploaded by

Copyright:

Available Formats

Harmony Email &

Training Lab Guide

©2021 Check Point Software Technologies Ltd. All rights reserved | P. 1

©2021 Check Point Software Technologies Ltd. All rights reserved | P. 2

Demo Background Story

Welcome to Harmony Email & Collaboration

 Sending Attack Emails

©2021 Check Point Software Technologies Ltd. All rights reserved | P. 3

©2021 Check Point Software Technologies Ltd. All rights reserved | P. 4

Note: Company name is “Harmony-NamePartner” for training

©2021 Check Point Software Technologies Ltd. All rights reserved | P. 5

3. Accept the terms of service and click Try Now.

Now, you can start using Harmony Email & Collaboration.

To start activating the SaaS applications, see Activating SaaS Applications.

In this guide, {portal} refers to your portal name.

©2021 Check Point Software Technologies Ltd. All rights reserved | P. 7

 Harmony Email & Collaboration components and policy overview

 Harmony Email & Collaboration capabilities

1 Open a browser (Chrome recommended) on your machine and browse to https://portal.checkpoint.com

3 Choose the Harmony Email & Collaboration application

2 Start activating the SaaS application(s) required.

©2021 Check Point Software Technologies Ltd. All rights reserved | P. 8

Activating Office 365 Mail

To activate Office 365 Mail:

2 Select the mode of operation for Office 365.

3 Accept the terms of service and click Ok.

©2021 Check Point Software Technologies Ltd. All rights reserved | P. 9

Activating Microsoft OneDrive

Best Practice - Select this checkbox.

©2021 Check Point Software Technologies Ltd. All rights reserved | P. 10

 It is possible to use previously sent emails and review existing information.

©2021 Check Point Software Technologies Ltd. All rights reserved | P. 11

Open Azure Active Directory

Open Azure Enterprise Applications and Review CheckPoint Apps

©2021 Check Point Software Technologies Ltd. All rights reserved | P. 12

Open Connectors and review the Check Point Conectors created

©2021 Check Point Software Technologies Ltd. All rights reserved | P. 13

©2021 Check Point Software Technologies Ltd. All rights reserved | P. 14

Open Compliance Managenent and review Journal Rule

©2021 Check Point Software Technologies Ltd. All rights reserved | P. 15

©2021 Check Point Software Technologies Ltd. All rights reserved | P. 16

User A for Prevent Rule

User B for Detect Rule

©2021 Check Point Software Technologies Ltd. All rights reserved | P. 18

©2021 Check Point Software Technologies Ltd. All rights reserved | P. 19

Lab #1 – Sending attack emails

2 Login to the following account in Mailfence

3 Navigate to the Messages option

©2021 Check Point Software Technologies Ltd. All rights reserved | P. 21

6 Forward the email to the office365 protected users

9 Forward the email to the office365 protected users

©2021 Check Point Software Technologies Ltd. All rights reserved | P. 22

Lab #1 – Expected outcome

Lab #2 – Investigation of Malware attack

©2021 Check Point Software Technologies Ltd. All rights reserved | P. 23

©2021 Check Point Software Technologies Ltd. All rights reserved | P. 24

©2021 Check Point Software Technologies Ltd. All rights reserved | P. 25

7 Second analysis part will be the Security stack,

©2021 Check Point Software Technologies Ltd. All rights reserved | P. 26