Checkpoint Avanan Quarantine

Checkpoint Harmony Email Quarantine Management

Overview

Checkpoint Harmony Email & Collaboration (Avanan) quarantines emails that match security policies before they reach the end user's inbox. The quarantine system is the primary interface for reviewing flagged emails, releasing false positives, and managing email flow. This skill covers comprehensive quarantine management including search, review, release workflows, bulk operations, and quarantine configuration.

Quarantine Reasons

Emails are quarantined based on the detection engine that flagged them:

Reason Code	Name	Description	Typical Action
PHISHING	Phishing	Suspected phishing attempt	Review sender, URLs, release if legitimate
MALWARE	Malware	Malicious attachment or link detected	Almost never release; escalate to incident
SPAM	Spam	Bulk or unsolicited email	Release if legitimate business email
DLP	Data Loss Prevention	Outbound email violates DLP policy	Review content, release if authorized
BEC	Business Email Compromise	Impersonation or fraud attempt	Investigate thoroughly before any release
ANOMALY	Anomaly Detection	Unusual sender behavior detected	Compare against known sender patterns
POLICY	Policy Violation	Custom policy rule triggered	Check which policy matched, release if appropriate
BULK	Bulk Mail	Marketing or newsletter content	Release if subscribed/wanted

Severity Mapping

Severity	Quarantine Reasons	Auto-Release Eligible
Critical	MALWARE, BEC	No - requires manual review
High	PHISHING	No - requires manual review
Medium	DLP, ANOMALY, POLICY	Configurable per policy
Low	SPAM, BULK	Yes - if admin configured

Complete Quarantine Field Reference

Core Fields

Field	Type	Description
entityId	string	Unique quarantine entry identifier
messageId	string	Email message ID (RFC 5322)
subject	string	Email subject line
sender	string	Sender email address
senderDisplayName	string	Sender display name (may differ from address)
recipients	string[]	List of recipient email addresses
receivedDate	datetime	When the email was received
quarantinedDate	datetime	When the email was quarantined

Classification Fields

Field	Type	Description
quarantineReason	string	Why the email was quarantined (see codes above)
confidenceLevel	string	Detection confidence: HIGH, MEDIUM, LOW
severity	string	Threat severity: CRITICAL, HIGH, MEDIUM, LOW
detectionEngine	string	Which engine flagged the email
policyName	string	Name of the policy that triggered quarantine

Content Fields

Field	Type	Description
hasAttachments	boolean	Whether email contains attachments
attachmentNames	string[]	List of attachment filenames
attachmentHashes	string[]	SHA-256 hashes of attachments
containsUrls	boolean	Whether email body contains URLs
urlCount	int	Number of URLs in the email
bodyPreview	string	First 200 characters of email body

Status Fields

Field	Type	Description
status	string	Current status: QUARANTINED, RELEASED, DELETED
releasedBy	string	Who released the email (if released)
releasedDate	datetime	When the email was released
expiresDate	datetime	When quarantine entry auto-deletes

MCP Tools

Tool	Description	Key Parameters
avanan_quarantine_list	List quarantined emails with filters	startDate, endDate, reason, severity, status, limit, offset
avanan_quarantine_get	Get detailed quarantine entry	entityId
avanan_quarantine_release	Release email(s) from quarantine	entityIds, releaseToRecipients, addToAllowList
avanan_quarantine_delete	Permanently delete quarantined email(s)	entityIds, reason
avanan_quarantine_search	Search quarantine by sender, recipient, subject	query, field, startDate, endDate
avanan_quarantine_stats	Get quarantine statistics and trends	startDate, endDate, groupBy

Tool Usage Examples

List recent quarantined emails:

{
  "tool": "avanan_quarantine_list",
  "parameters": {
    "startDate": "2024-02-01T00:00:00Z",
    "endDate": "2024-02-15T23:59:59Z",
    "status": "QUARANTINED",
    "limit": 50
  }
}

Search by sender:

{
  "tool": "avanan_quarantine_search",
  "parameters": {
    "query": "suspicious@external-domain.com",
    "field": "sender",
    "startDate": "2024-02-01T00:00:00Z"
  }
}

Release with allow-list:

{
  "tool": "avanan_quarantine_release",
  "parameters": {
    "entityIds": ["qe-abc123", "qe-def456"],
    "releaseToRecipients": true,
    "addToAllowList": true
  }
}

Common Workflows

False Positive Review Workflow

1. User reports missing email - Check quarantine for the expected message
2. Search quarantine by sender address and date range
3. Review quarantine entry - Check reason, confidence, severity
4. Verify legitimacy:
   • Compare sender address vs display name (BEC indicator)
   • Check if sender is known/expected
   • Review attachment types and URL destinations
   • Check confidence level of detection
5. Release if legitimate:
   • Release to original recipients
   • Optionally add sender to allow list
   • Document the false positive for policy tuning
6. If suspicious - Escalate to incident investigation

Bulk Quarantine Review Workflow

1. List quarantined emails for the review period (e.g., last 24 hours)
2. Group by quarantine reason to prioritize review
3. Review SPAM/BULK first - highest false positive rate
4. Review POLICY matches - check if policy is too broad
5. Review PHISHING/BEC last - most likely true positives
6. Bulk release confirmed false positives
7. Bulk delete confirmed threats

Quarantine Expiry Management

Quarantined emails auto-delete after the configured retention period (default: 30 days).

Day 1-7:   Email in quarantine, available for review
Day 8-14:  Email still available, notification sent to admin
Day 15-30: Email nearing expiry
Day 30+:   Email permanently deleted

To extend retention: Release and re-quarantine, or export before expiry.

Error Handling

Common API Errors

Code	Message	Resolution
400	Invalid date range	Ensure startDate is before endDate, max 90-day range
400	Invalid entity ID	Verify the quarantine entity ID exists
401	Unauthorized	Check API credentials and token expiry
403	Insufficient permissions	API key needs quarantine management scope
404	Quarantine entry not found	Entry may have expired or been deleted
409	Already released	Email was already released from quarantine
429	Rate limited	Implement exponential backoff

Validation Errors

Error	Cause	Fix
Date range too wide	Exceeds 90-day maximum	Narrow the date range
Too many entity IDs	Bulk operation exceeds 100 items	Split into smaller batches
Invalid reason filter	Unrecognized quarantine reason	Use valid reason codes from reference above
Expired entry	Quarantine retention period passed	Entry cannot be recovered

Best Practices

1. Review quarantine daily - Prevents legitimate emails from expiring undelivered
2. Start with low-severity items - SPAM/BULK have highest false positive rates
3. Never release MALWARE without investigation - Even if the user requests it
4. Use allow lists judiciously - Over-broad allow lists weaken security posture
5. Document release decisions - Helps tune policies and track patterns
6. Monitor quarantine volume trends - Sudden spikes may indicate a targeted attack
7. Batch operations for efficiency - Use bulk release/delete for large review sets
8. Check sender display name vs address - Mismatches are a strong BEC indicator

Related Skills

• Checkpoint Threats - Threat detection and analysis
• Checkpoint Incidents - Incident investigation
• Checkpoint Policies - Policy management
• Checkpoint API Patterns - Authentication and API usage