Checkpoint Harmony Email Incident Investigation
Overview
Checkpoint Harmony Email & Collaboration (Avanan) provides an incident management system for tracking and investigating email security events. Incidents are created when threats require coordinated investigation and response beyond simple quarantine actions. This skill covers the full incident lifecycle from creation through investigation, remediation, and closure.
Incident Status Codes
| Status ID | Name | Description | Business Logic |
|---|
| NEW | New | Newly created incident | Default for auto-generated incidents |
| TRIAGING | Triaging | Under initial assessment | Analyst evaluating scope and severity |
| INVESTIGATING | Investigating | Active investigation underway | Evidence being collected and analyzed |
| REMEDIATING | Remediating | Threat confirmed, remediation in progress | Containment and cleanup actions active |
| WAITING | Waiting on Info | Waiting for additional information | Pending customer/vendor response |
| ESCALATED | Escalated | Escalated to senior analyst or vendor | Requires higher-tier expertise |
| RESOLVED | Resolved | Investigation complete, threat remediated | All remediation actions completed |
| CLOSED | Closed | Incident closed after review | Final documentation complete |
| FALSE_POSITIVE | False Positive | Determined not to be a real threat | Detection was incorrect |
Status Transition Rules
NEW ──────────────────────────────────> CLOSED
│ ↑
↓ │
TRIAGING ─────────────────────────────> FALSE_POSITIVE
│ ↑
↓ │
INVESTIGATING ────────────────────────>───┤
│ │ │
│ ↓ │
│ WAITING ──────> INVESTIGATING │
│ │
↓ │
REMEDIATING ──────────────────────────> RESOLVED ──> CLOSED
│
↓
ESCALATED ──────> INVESTIGATING ──────> REMEDIATING
Validation Rules:
- RESOLVED requires remediation summary
- CLOSED requires final review notes
- FALSE_POSITIVE requires justification
- ESCALATED requires escalation reason
- REMEDIATING requires at least one remediation action logged
Incident Severity Levels
| Severity | Name | Response SLA | Description | Examples |
|---|
| P1 | Critical | 1 hour | Active data breach or widespread compromise | ATO with data exfiltration, ransomware delivery |
| P2 | High | 4 hours | Confirmed targeted attack or limited compromise | Successful phishing, BEC with financial impact |
| P3 | Medium | 24 hours | Detected threat, no confirmed compromise | Quarantined phishing campaign, blocked malware |
| P4 | Low | 72 hours | Minor security event, informational | Spam campaign, policy violation, anomaly |
Complete Incident Field Reference
Core Fields
| Field | Type | Description |
|---|
incidentId | string | Unique incident identifier |
title | string | Brief incident summary |
description | string | Detailed incident description |
status | string | Current status (see codes above) |
severity | string | P1, P2, P3, P4 |
assignedTo | string | Analyst assigned to the incident |
createdDate | datetime | When incident was created |
modifiedDate | datetime | Last modification timestamp |
Classification Fields
| Field | Type | Description |
|---|
category | string | PHISHING, MALWARE, BEC, ATO, DLP, OTHER |
subcategory | string | More specific classification |
attackVector | string | EMAIL_ATTACHMENT, EMAIL_LINK, EMAIL_CONTENT, ACCOUNT_COMPROMISE |
source | string | AUTO_DETECTED, USER_REPORTED, ADMIN_CREATED |
affectedUsers | string[] | List of affected user email addresses |
affectedUserCount | int | Number of affected users |
Related Entity Fields
| Field | Type | Description |
|---|
relatedThreats | string[] | Threat IDs associated with this incident |
relatedQuarantineEntries | string[] | Quarantine entry IDs |
relatedPolicies | string[] | Policies that triggered |
iocs | object[] | Indicators of compromise collected |
Resolution Fields
| Field | Type | Description |
|---|
remediationSummary | string | Summary of remediation actions taken |
remediationActions | object[] | List of actions with timestamps |
rootCause | string | Root cause analysis |
lessonsLearned | string | Post-incident lessons learned |
falsePositiveReason | string | Justification if marked false positive |
resolvedDate | datetime | When marked as resolved |
closedDate | datetime | When incident was closed |
MCP Tools
| Tool | Description | Key Parameters |
|---|
avanan_incidents_list | List incidents with filters | startDate, endDate, status, severity, category, limit, offset |
avanan_incidents_get | Get detailed incident information | incidentId |
avanan_incidents_create | Create a new incident | title, description, severity, category, relatedThreats |
avanan_incidents_update | Update incident status and fields | incidentId, status, severity, assignedTo, etc. |
avanan_incidents_add_note | Add investigation note to incident | incidentId, note, noteType, visibility |
avanan_incidents_add_evidence | Attach evidence to incident | incidentId, evidenceType, data, description |
avanan_incidents_list_notes | List all notes for an incident | incidentId |
avanan_incidents_timeline | Get incident activity timeline | incidentId |
avanan_incidents_stats | Get incident statistics | startDate, endDate, groupBy |
Tool Usage Examples
List open critical incidents:
{
"tool": "avanan_incidents_list",
"parameters": {
"status": "NEW,TRIAGING,INVESTIGATING,REMEDIATING",
"severity": "P1",
"limit": 50
}
}
Create incident from detected threat:
{
"tool": "avanan_incidents_create",
"parameters": {
"title": "Targeted phishing campaign against finance team",
"description": "Multiple phishing emails detected targeting finance@company.com with credential harvesting links impersonating DocuSign.",
"severity": "P2",
"category": "PHISHING",
"relatedThreats": ["threat-abc123", "threat-def456"]
}
}
Add investigation note:
{
"tool": "avanan_incidents_add_note",
"parameters": {
"incidentId": "inc-abc123",
"note": "Confirmed 3 users clicked the phishing link. Password resets initiated for all 3 accounts. Checking for signs of credential use.",
"noteType": "INVESTIGATION",
"visibility": "INTERNAL"
}
}
Update incident to resolved:
{
"tool": "avanan_incidents_update",
"parameters": {
"incidentId": "inc-abc123",
"status": "RESOLVED",
"remediationSummary": "All phishing emails quarantined. 3 affected users had passwords reset. No evidence of credential use. Sender domain added to block list."
}
}
Common Workflows
Incident Triage Workflow
- Review new incident - Read title, description, severity, related threats
- Assess initial severity:
- How many users affected?
- What threat type?
- Any evidence of user interaction (clicks, downloads)?
- Set status to TRIAGING
- Assign to appropriate analyst based on severity and expertise
- Add initial triage note documenting assessment
- Escalate if needed - P1 incidents require immediate escalation
Investigation Workflow
- Set status to INVESTIGATING
- Collect evidence:
- Email headers and content
- URL analysis resul