Harmony Email and Collaboration Lab Guide v1.3
Change log
Editor            Date           Version  Comments
Javier Samaniego  17-April-2022  V1.0     Initial document
Javier Samaniego  5-May-2022     V1.3     Requirement Lab Environment
Over 90% of attacks against organizations start from a malicious email. Since email attacks usually involve the human
factor, your Office 365 and G Suite environments are your organization’s weakest link. Closing this security gap requires
protection from several threat vectors: phishing, malware, account takeover and data theft.
This might force you to choose between the security level you need and what you can actually afford and efficiently manage.
With Harmony Email & Collaboration you get all the protection you need for Office 365 and G Suite email and
productivity apps in a single, efficient and cost-effective solution, at the highest-caliber security.
Main Capabilities
Main Benefits
Welcome!
You are the CISO of an organization, and you have just recently decided to move your email to a cloud platform.
Your IT department decided to execute it fast, as it is very simple to migrate to the cloud and it will reduce the overload on
the team from managing the email operations.
The IT department didn’t coordinate the move with the security department and created a security risk.
You rushed to the best security vendor and requested assistance in getting a simple yet highly effective cloud-based solution
to solve your security problem.
Check Point was, of course, ready and willing to do the task and provide you with a solution that you can implement within
10 minutes.
Harmony Email & Collaboration was integrated in 10 minutes and immediately started to show value with the detection
of malicious and phishing emails.
The demo you are about to perform uses real-life use cases from first onboarding to Harmony Email &
Collaboration and presents the following demo scenarios for Office 365 users:
Environment information
2. Click on the menu icon and select Harmony Email & Collaboration.
Connect to the Harmony Email & Collaboration portal with the demo user and review the configuration. It is possible to
demonstrate Harmony Email & Collaboration with existing events and to give an overview of the solution.
Discussion points
Harmony Email & Collaboration application as part of the Check Point Infinity portal architecture
Instructions
Step Instructions
2 Connect to the Infinity Portal created with the following user and password:
User:
Partner-Email (account created in Lab Prerequisites)
Password:
Xxxxxx
Workflow:
Step Description
1 Getting Started Wizard opens after activating Harmony Email & Collaboration.
which is managed by your company in Office 365. This license is not created automatically by Harmony E
the Automatic Mode for onboarding).
Step Description
1 From the Getting Started Wizard click Start for Office 365 Mail.
or
Navigate to Config > Cloud App Store and click Start for Office 365 Mail.
5 In the authorization screen, click Accept to grant necessary permissions to Harmony Email &
Collaboration.
The Office 365 Mail SaaS is enabled and monitoring begins immediately.
Note - By default, Monitor only mode is assigned for all the SaaS applications you connect to. This allows you to immedi
that Harmony Email & Collaboration brings as it recognizes security incidents that occurred before on your SaaS platform.
protection, see Threat Detection Policy.
1 From the Getting Started wizard or from the Cloud App Store, click Start for
Microsoft OneDrive.
The Authorization Scope window opens.
2 The Force Admin checkbox asks whether you authorize the admin account to have
access to all files and folders on OneDrive.
This is needed if you want to monitor changes and security risks across all files
and folders.
Note - OneDrive end users may notice that the administrator now has permissions to their files and folders.
3 Click Next.
4 Click OK to review and accept the list of permissions to grant Harmony Email &
Collaboration.
5 Click Accept.
Microsoft OneDrive is activated and the monitoring begins immediately.
Notes
The last, non-custom ‘Detect’ rule is created automatically when onboarding a customer to Office 365.
The system automatically creates a detection rule for all users and groups.
The lab environment is already set up with both Detect and Prevent rules.
Prevent Rule
Detect Rule
Select a User Office 365 Tenant for Detected Rule
Lab Instructions
Step Instructions
1 Open the browser (Chrome recommended) on your machine and browse to https://mailfence.com/
Note - Check Point employees may use the BYONic internal tool to send malware and phishing
emails. Visit the following link
4 Click on the ‘Malware’ tag name, choose some of the latest samples and forward the emails with a malicious attachment
5 Add your name and the date to the subject to create a unique subject
7 Click on the ‘Phishing’ tag name and forward the email with the ‘Phishing Scenario – December’ subject
8 Add your name and the date to the subject to create a unique subject
Lab Instructions
Goal
Demonstrate an investigation of the malware attack on each of the Office 365 users.
Show the Harmony Email & Collaboration analysis of, and response to, each event.
Discussion points
Advanced threat prevention engines that block malicious attachments and links before they reach users’ mailboxes
Advanced Malware protection for cloud email and productivity suites without impacting business productivity
Instructions
Step Instructions
1 Navigate in the Harmony Email & Collaboration portal to the Events tab under Email and Storage.
Note - it is also possible to click the pending malware events from the Overview screen.
2 Filter for
Date=Last24h
State=New, Remediated
Type=Malware
SaaS=Office365 Emails
3 Find the events you sent by the subject of the email. You can search for your subject.
4 Click the Check Point SandBlast link in the description of the Remediated event to analyze the event.
5 Start from the Email Profile section to better understand the email information, format and status.
The following information is available:
a. Sender and all recipients – reflect on the sender to understand whether this is a known or trusted sender,
and on the recipients to gauge the potential exposure in case of malware
b. Mail subject and content type – the content type shows whether this is plain text, which carries lower risk, or HTML,
which carries higher risk.
c. Email received date and time
d. Is Deleted – to understand whether this email still poses a risk and users still have access to the files. If it is deleted,
users are protected and can no longer access the email
e. You can review additional details like raw headers and body, as well as download the mail for analysis
f. This section allows manually quarantining an email or restoring a quarantined email from quarantine.
6 For New events you can press “Quarantine” to quarantine the email and remediate the event.
For Remediated events you can press “Restore from quarantine” to restore the email for the recipients.
Note - The Anti-Phishing inspection service allows you to interact with the CGS portal and provide additional
information for the machine learning models. The information provided increases the accuracy of the
Anti-Phishing inspection service.
8 It is possible to create a blacklist rule to block new emails that match the blacklist rule by clicking ‘Similar
Emails / Create Rules’.
9 It is possible to report a mis-classification to reduce Anti-Phishing false positives or to increase the detection rate.
10 You can see that Anti-Phishing and URL Reputation didn’t detect anything, while an attachment was detected as an
insecure attachment.
Note - for any type of detection you will see a red circle with an exclamation mark.
11 Clicking on the malicious files in this section, or on any file in the Email attachments section, lets you
further analyze the attachment detection results.
Note - Every file that is detected as malicious is marked, and it is also possible to further investigate files
that were not detected as malicious. Information on every file can be analyzed further through the attachment
info.
Best Practice - When performing analysis, right-click and open in a new tab; otherwise the portal keeps
reusing the same tab, which makes it harder to perform a wide-ranging analysis.
b. Email recipients – all recipients that were supposed to receive or received the attachment
c. Live Event log – shows all the relevant logs regarding this attachment
Lab Instructions
Step Instructions
1 Navigate in the Harmony Email & Collaboration portal to the Events tab under Email and Storage.
Note - it is also possible to click the pending phishing events from the Overview screen.
2 Filter for
Date=Last24h
State=New, Remediated
Type=Phishing, Suspicious Phishing
SaaS=Office365 Emails
4 Click attackercgs@mailfence.com in the event description to view user information, metadata, and internal and
external collaborators.
5 Return to the events filter and click the email subject in the event description to analyze the event further.
6 Start from the Email Profile section to better understand the email information, format and status.
The following information is available:
a. Sender and all recipients – reflect on the sender to understand whether this is a known or trusted
sender, and on the recipients to gauge the potential exposure in case of phishing
b. Mail subject and content type – the content type shows whether this is plain text, which carries lower risk, or HTML,
which carries higher risk since links are clickable
c. Email received date and time
d. Is Deleted – to understand whether this email still poses a risk and users still have access to the files. If it is deleted,
users are protected and can no longer access the email
e. User Aliases – shows all user aliases.
f. Sender is external – higher chance of phishing
g. Any recipient is external – indicates that there are multiple recipients and not all of them are internal.
You can review additional details like raw headers and body, as well as download the mail for analysis.
This section allows manually quarantining an email or restoring a quarantined email from quarantine.
7 It is possible to quarantine New events and to restore Remediated events that were already quarantined.
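The Email Profile checks listed in steps 5 and 6 of the malware and phishing investigations above can also be run by hand on a message downloaded from the portal ("download the mail for analysis"). The following is an added example written for this guide; it is not Check Point code and does not use the Harmony Email & Collaboration API. It parses a raw RFC 5322 message with Python's standard library and derives the same fields the panel shows: sender, recipients, subject, date, content type, the "sender is external" and "any recipient is external" flags, attachments and clickable links. INTERNAL_DOMAINS and RAW_EMAIL are constructed for the example; only the sender address attackercgs@mailfence.com comes from the lab.

```python
"""Email Profile triage for a downloaded message.

Added example for this lab guide; not Check Point code. INTERNAL_DOMAINS and
RAW_EMAIL are constructed; the field names mirror the Email Profile panel
but are this script's own, not the portal's schema.
"""
import re
from email import message_from_string, policy
from email.utils import getaddresses

# Constructed assumption: the organization's own mail domains.
INTERNAL_DOMAINS = {"example-corp.com"}

# Constructed sample, modelled on the lab's phishing/malware test mails.
RAW_EMAIL = """\
From: attackercgs@mailfence.com
To: alice@example-corp.com, bob@example-corp.com
Cc: partner@example-partner.net
Subject: Phishing Scenario - December Alice 2022-05-05
Date: Thu, 05 May 2022 09:12:00 +0000
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="B1"

--B1
Content-Type: text/html; charset="utf-8"

<html><body>Your mailbox is full.
<a href="http://login-example.test/reset">Reset now</a></body></html>
--B1
Content-Type: application/octet-stream; name="invoice.exe"
Content-Disposition: attachment; filename="invoice.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--B1--
"""


def _domain(addr):
    """Domain part of an address, lower-cased; '' if there is none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def profile(raw, internal_domains=INTERNAL_DOMAINS):
    """Return the Email Profile fields the lab reads off the portal."""
    msg = message_from_string(raw, policy=policy.default)
    sender = getaddresses([str(msg.get("From", ""))])[0][1]
    rcpt_headers = [str(h) for h in msg.get_all("To", []) + msg.get_all("Cc", [])]
    recipients = [addr for _, addr in getaddresses(rcpt_headers)]

    body = msg.get_body(preferencelist=("html", "plain"))
    content_type = body.get_content_type() if body else "none"
    # Clickable links only matter in HTML bodies; plain text is lower risk.
    links = re.findall(r'href="([^"]+)"', body.get_content()) if content_type == "text/html" else []
    attachments = [p.get_filename() for p in msg.iter_attachments()]

    return {
        "sender": sender,
        "recipients": recipients,
        "subject": str(msg.get("Subject", "")),
        "date": str(msg.get("Date", "")),
        "content_type": content_type,
        "sender_is_external": _domain(sender) not in internal_domains,
        "any_recipient_external": any(_domain(r) not in internal_domains for r in recipients),
        "links": links,
        "attachments": attachments,
    }


def risk_indicators(p):
    """The reasoning the lab applies by hand, as a list of reasons."""
    reasons = []
    if p["sender_is_external"]:
        reasons.append("sender is external")
    if p["content_type"] == "text/html" and p["links"]:
        reasons.append(f"HTML body with {len(p['links'])} clickable link(s)")
    if p["any_recipient_external"]:
        reasons.append("at least one recipient is external")
    if p["attachments"]:
        reasons.append("attachment(s): " + ", ".join(p["attachments"]))
    return reasons


if __name__ == "__main__":
    p = profile(RAW_EMAIL)
    for k, v in p.items():
        print(f"{k:>24}: {v}")
    print("indicators:", risk_indicators(p))
```

Run it against any .eml you downloaded from the portal by reading the file into profile(); the external flags depend entirely on INTERNAL_DOMAINS, so set that to your own tenant's domains before drawing conclusions from them.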
8 The second part of the analysis is the Security Stack, where you can view the verdicts of all the Check Point inspection
services. You will only see verdicts for services that inspected the email.
Below is an example of a URL Reputation detection, the first step of phishing protection:
detecting known phishing domains.
o The Anti-Phishing inspection service allows you to interact with the CGS portal and to provide additional
information for the machine learning models. The information provided increases the accuracy of the
Anti-Phishing inspection service.
9 Anti-Phishing block and allow rules can be set through the analysis of every event by clicking ‘Similar Emails
/ Create Rules’ – see the example screenshot below.
10 You can set exceptions to Anti-Phishing and URL Reputation from the Security Stack.
o For any type of detection you will see a red circle with an exclamation mark; you can click it to view
more details.
o An email only reaches the Anti-Phishing ML-based detection after it has passed the first detection stage, which is
based on known phishing URLs and domains; only then is it evaluated by the Anti-Phishing ML engine.
11 The Anti-Phishing inspection service inspects the email, and the URL Reputation inspection service
provides a verdict on hyperlinks in the email and its attachments.
In the case above the detection was performed by the URL Reputation inspection service as a known phishing URL.
12 Live Event log – shows all the relevant logs regarding this event.
Best Practice - To learn how to create a custom query of delivered phishing emails and quarantine them, please refer to the Appendix.
Lab Instructions
Step Instructions
1 Browse to portal.office.com
Note - You will not be able to see your own failed login event immediately, but you can review other failed
login events.
4 View the login events from the Overview tab and change the view to failed login events.
This gives you a correlated map view of all login attempts, showing the regions with failed and successful
login events, to monitor accounts that may be compromised or under attack.
6 Search for the query named Failed Login and click on it to view the Failed Login items.
Best Practice - To learn how to create a custom query for failed logins, please refer to the Appendix.
Step Instructions
3 Under “Query templates for Office 365 Emails” choose “Show recent login events”.
4 Add a new condition for Login Status with the following parameters:
Condition=Result Status -> NOT, is, Succeeded
It is also possible to add a new condition from the columns and edit that condition.
5 You can add a new condition for Country to filter out the countries from which you expect to see logins.
Example: select the Country column and choose to NOT show Germany.
The query lets you see whether there are failed login attempts from countries that shouldn’t be there, which
indicates a possible account takeover attack.
6 Remove the time condition, or set it to a longer period, to review more information.
7 Press the cog wheel in the top right corner and press Edit Conditions.
This screen allows you to create a more complex query with “AND” and “OR” logic.
8 Review the information and answer the question “Who is the user being targeted by an account takeover attack?”
Goal
Demonstrate a simple custom query for delivered phishing emails and quarantine them.
Discussion points
Investigate all data seen by Harmony Email & Collaboration through custom queries
Instructions
Ste
Instructions
p
3 Under the query templates for Office 365, choose the “Show recent emails” template.
6 Add a new column > Quarantine state to view the quarantine state of each mail.
7 Add a condition from the “Subject” column of the results to filter in the phishing emails that you sent.
8 Add a condition from the “Is quarantined” column of the results to filter out quarantined emails.
9 Save the query by clicking on the query menu button and choosing Save as...
11 After the query is saved, the Manual Actions button becomes available to quarantine the desired emails.
12 Choose the email that you want to quarantine and press the Manual Actions button.
14 Following the quarantine action, press the refresh button (or choose Refresh from the Manual Actions button) and
show that the email disappears from the query, as it is now quarantined.
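Both custom-query labs above (the Failed Login query in steps 3-8, and the delivered-phishing query and manual quarantine in steps 3-14) use the same portal logic: a list of conditions of the form "column -> NOT, operator, value", combined with AND/OR under Edit Conditions, and then an action on the result set. The following is an added example written for this guide; it is not Check Point code and does not query the Harmony Email & Collaboration portal. It implements that condition logic in plain Python and replays both labs over constructed records: LOGIN_EVENTS, EMAILS and the field names (user, result_status, country, subject, is_quarantined) are assumptions for the example, not the portal's real schema.

```python
"""Replay of the two custom-query labs over constructed records.

Added example for this lab guide; not Check Point code. LOGIN_EVENTS, EMAILS
and all field names are constructed assumptions, not the portal's schema.
"""
from collections import Counter

# Constructed Office 365 login events (assumption: one record per sign-in).
LOGIN_EVENTS = [
    {"user": "alice@example-corp.com", "result_status": "Succeeded", "country": "Germany"},
    {"user": "alice@example-corp.com", "result_status": "Failed", "country": "Germany"},
    {"user": "bob@example-corp.com", "result_status": "Failed", "country": "Nigeria"},
    {"user": "bob@example-corp.com", "result_status": "Failed", "country": "Russia"},
    {"user": "bob@example-corp.com", "result_status": "Failed", "country": "Brazil"},
    {"user": "carol@example-corp.com", "result_status": "Succeeded", "country": "Germany"},
    {"user": "carol@example-corp.com", "result_status": "Failed", "country": "Brazil"},
]

# Constructed email records, as the "Show recent emails" template would list them.
EMAILS = [
    {"subject": "Phishing Scenario - December Alice 2022-05-05",
     "recipient": "alice@example-corp.com", "is_quarantined": False},
    {"subject": "Phishing Scenario - December Bob 2022-05-05",
     "recipient": "bob@example-corp.com", "is_quarantined": True},
    {"subject": "Weekly status", "recipient": "alice@example-corp.com", "is_quarantined": False},
]


def matches(record, cond):
    """cond = (field, op, value, negate); e.g. ("result_status", "is", "Succeeded", True)
    stands for the portal's 'Result Status -> NOT, is, Succeeded'."""
    field, op, value, negate = cond
    actual = record.get(field)
    if op == "is":
        hit = actual == value
    elif op == "contains":
        hit = str(value).lower() in str(actual).lower()
    elif op == "in":
        hit = actual in value
    else:
        raise ValueError(f"unknown operator {op!r}")
    return hit != negate


def run_query(records, all_of=(), any_of=()):
    """Edit Conditions logic: every all_of condition must hold (AND) and,
    if any_of is given, at least one of those must hold (OR)."""
    return [
        r for r in records
        if all(matches(r, c) for c in all_of)
        and (not any_of or any(matches(r, c) for c in any_of))
    ]


def failed_logins_outside(events, expected_countries):
    """Failed Login query with the expected countries filtered out (steps 4-5)."""
    return run_query(events, all_of=[
        ("result_status", "is", "Succeeded", True),
        ("country", "in", set(expected_countries), True),
    ])


def most_targeted_user(events, expected_countries):
    """Answer to step 8: (user, failed-login count), or None if nothing matched."""
    counts = Counter(e["user"] for e in failed_logins_outside(events, expected_countries))
    return counts.most_common(1)[0] if counts else None


def delivered_phishing(emails, subject_marker):
    """Delivered (not yet quarantined) mails whose subject contains the marker (steps 7-8)."""
    return run_query(emails, all_of=[
        ("subject", "contains", subject_marker, False),
        ("is_quarantined", "is", False, False),
    ])


def quarantine(emails, subjects):
    """Manual action (step 12): quarantine the selected mails; returns how many changed."""
    changed = 0
    for e in emails:
        if e["subject"] in subjects and not e["is_quarantined"]:
            e["is_quarantined"] = True
            changed += 1
    return changed


if __name__ == "__main__":
    print("failed logins outside Germany:", failed_logins_outside(LOGIN_EVENTS, {"Germany"}))
    print("most targeted user:", most_targeted_user(LOGIN_EVENTS, {"Germany"}))
    hits = delivered_phishing(EMAILS, "Phishing Scenario")
    print("delivered phishing:", [e["recipient"] for e in hits])
    quarantine(EMAILS, {e["subject"] for e in hits})
    print("after refresh:", delivered_phishing(EMAILS, "Phishing Scenario"))
```

The country exclusion is only as good as the expected-country list: a failed login from an expected country (Alice's, in the sample) is dropped from the count, so keep that list short and review the unfiltered failed logins as well before concluding who is being targeted.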
Select Other Evaluation Option – then select Harmony Email and Collaboration.