From checkpoint-avanan
Analyzes Checkpoint Harmony Email (Avanan) threats including phishing, malware, BEC, ATO; extracts IOCs, builds threat timelines, assesses severity for email security investigations.
Install: `npx claudepluginhub wyre-technology/msp-claude-plugins --plugin checkpoint-avanan`
Slash command: `/checkpoint-avanan:threats`
Checkpoint Harmony Email & Collaboration (Avanan) uses multiple detection engines to identify email-borne threats before they reach end users. The threat detection system covers phishing, malware, business email compromise (BEC), account takeover (ATO), and zero-day attacks. This skill covers threat types, detection engines, IOC extraction, timeline analysis, and investigation workflows.
| Type | Code | Description | Severity Range |
|---|---|---|---|
| Phishing | PHISHING | Credential harvesting via fake login pages or deceptive links | Medium - Critical |
| Spear Phishing | SPEAR_PHISHING | Targeted phishing aimed at specific individuals | High - Critical |
| Malware | MALWARE | Malicious attachments or drive-by download links | High - Critical |
| Ransomware | RANSOMWARE | Ransomware payload in attachment or link | Critical |
| BEC | BEC | Business email compromise / CEO fraud | High - Critical |
| Account Takeover | ATO | Compromised internal account sending malicious email | Critical |
| Zero-Day | ZERO_DAY | Previously unknown threat detected by sandbox | Critical |
| Spam | SPAM | Unsolicited bulk email | Low |
| Bulk | BULK | Marketing/newsletter content | Low |
| DLP Violation | DLP | Outbound data loss prevention trigger | Medium - High |
| Engine | Description | Threat Types Detected |
|---|---|---|
| Anti-Phishing | URL reputation, page similarity, brand impersonation | PHISHING, SPEAR_PHISHING |
| Anti-Malware | Signature-based and heuristic file scanning | MALWARE, RANSOMWARE |
| Sandbox | Dynamic analysis of attachments in isolated environment | MALWARE, RANSOMWARE, ZERO_DAY |
| AI/ML Engine | Machine learning models for anomaly and impersonation detection | BEC, ATO, SPEAR_PHISHING |
| URL Rewriting | Click-time URL scanning and rewriting | PHISHING, MALWARE |
| DLP Engine | Content inspection against data loss policies | DLP |
| Anti-Spam | Reputation and content-based spam filtering | SPAM, BULK |
| Field | Type | Description |
|---|---|---|
| threatId | string | Unique threat identifier |
| type | string | Threat type code (see table above) |
| severity | string | CRITICAL, HIGH, MEDIUM, LOW |
| confidenceScore | int | Detection confidence 0-100 |
| detectedDate | datetime | When the threat was first detected |
| detectionEngine | string | Which engine identified the threat |
| status | string | DETECTED, QUARANTINED, REMEDIATED, FALSE_POSITIVE |
| Field | Type | Description |
|---|---|---|
| messageId | string | Email message ID (RFC 5322) |
| subject | string | Email subject line |
| sender | string | Sender email address |
| senderDisplayName | string | Sender display name |
| senderIp | string | Originating IP address |
| recipients | string[] | Target recipient addresses |
| recipientCount | int | Number of recipients targeted |
| direction | string | INBOUND, OUTBOUND, INTERNAL |
| Field | Type | Description |
|---|---|---|
| urls | object[] | Malicious URLs found in email body/attachments |
| urls[].url | string | The full URL |
| urls[].verdict | string | MALICIOUS, SUSPICIOUS, CLEAN |
| urls[].category | string | Phishing page, malware host, C2 server, etc. |
| domains | string[] | Suspicious domains extracted from URLs and headers |
| ipAddresses | string[] | IP addresses associated with the threat |
| fileHashes | object[] | Hashes of malicious attachments |
| fileHashes[].sha256 | string | SHA-256 hash |
| fileHashes[].md5 | string | MD5 hash |
| fileHashes[].fileName | string | Original filename |
| fileHashes[].verdict | string | MALICIOUS, SUSPICIOUS, CLEAN |
| Field | Type | Description |
|---|---|---|
| receivedDate | datetime | When the email entered the mail system |
| scannedDate | datetime | When scanning completed |
| quarantinedDate | datetime | When the email was quarantined (if applicable) |
| remediatedDate | datetime | When the threat was remediated |
| reportedDate | datetime | When the user reported it (if user-reported) |
| Tool | Description | Key Parameters |
|---|---|---|
| avanan_threats_list | List detected threats with filters | startDate, endDate, type, severity, status, limit, offset |
| avanan_threats_get | Get detailed threat analysis | threatId |
| avanan_threats_iocs | Extract IOCs from a threat | threatId, iocTypes |
| avanan_threats_timeline | Get threat detection timeline | threatId |
| avanan_threats_search | Search threats by various criteria | query, field, startDate, endDate, type |
| avanan_threats_stats | Get threat statistics and trends | startDate, endDate, groupBy |
| avanan_threats_mark_false_positive | Mark threat as false positive | threatId, reason |
List critical threats from the last 24 hours:

```json
{
  "tool": "avanan_threats_list",
  "parameters": {
    "startDate": "2024-02-14T00:00:00Z",
    "endDate": "2024-02-15T00:00:00Z",
    "severity": "CRITICAL",
    "status": "DETECTED",
    "limit": 50
  }
}
```

Extract IOCs from a threat:

```json
{
  "tool": "avanan_threats_iocs",
  "parameters": {
    "threatId": "threat-abc123",
    "iocTypes": ["urls", "domains", "fileHashes", "ipAddresses"]
  }
}
```

Search for phishing threats targeting a specific user:

```json
{
  "tool": "avanan_threats_search",
  "parameters": {
    "query": "cfo@company.com",
    "field": "recipients",
    "type": "PHISHING",
    "startDate": "2024-02-01T00:00:00Z"
  }
}
```
| Factor | Low | Medium | High | Critical |
|---|---|---|---|---|
| Recipients | 1 user | 2-10 users | 10-50 users | 50+ users or executives |
| Threat Type | SPAM, BULK | DLP, ANOMALY | PHISHING, BEC | MALWARE, RANSOMWARE, ATO |
| Confidence | < 50% | 50-75% | 75-90% | > 90% |
| User Interaction | None | Email opened | Link clicked | Attachment executed |
| Data Exposure | None | Metadata only | Credentials entered | Data exfiltrated |
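The severity matrix above as a scoring function over the threat object fields, plus a flattener for the nested IOC fields, as an added example that is not part of the skill or of Avanan's API. The overall rating as the highest single factor, the `userInteraction` and `dataExposure` field names, and the sample record are assumptions.

```python
# Added example (not the skill's or Avanan's own code): rate one threat record
# against the severity matrix and flatten its IOC fields for hand-off.
# Assumptions: overall = highest single factor; "userInteraction" and
# "dataExposure" are assumed field names; boundary counts 10 and 50 fall low.
LEVELS = ["LOW", "MEDIUM", "HIGH", "CRITICAL"]
TYPE_LEVEL = {"SPAM": 0, "BULK": 0, "DLP": 1, "ANOMALY": 1,
              "PHISHING": 2, "BEC": 2, "MALWARE": 3, "RANSOMWARE": 3, "ATO": 3}
INTERACTION_LEVEL = {"NONE": 0, "OPENED": 1, "CLICKED": 2, "EXECUTED": 3}
EXPOSURE_LEVEL = {"NONE": 0, "METADATA": 1, "CREDENTIALS": 2, "EXFILTRATED": 3}

def recipient_level(recipients, executives):
    # Any executive among the recipients is Critical regardless of count.
    if any(r.lower() in executives for r in recipients):
        return 3
    n = len(recipients)
    return 0 if n <= 1 else 1 if n <= 10 else 2 if n <= 50 else 3

def confidence_level(score):
    return 0 if score < 50 else 1 if score <= 75 else 2 if score <= 90 else 3

def assess_severity(threat, executives=frozenset()):
    """Return (overall rating, per-factor ratings) for one threat record."""
    factors = {
        "recipients": recipient_level(threat.get("recipients", []), executives),
        "threatType": TYPE_LEVEL.get(threat.get("type"), 2),  # unknown type: High
        "confidence": confidence_level(threat.get("confidenceScore", 0)),
        "userInteraction": INTERACTION_LEVEL.get(threat.get("userInteraction", "NONE"), 0),
        "dataExposure": EXPOSURE_LEVEL.get(threat.get("dataExposure", "NONE"), 0),
    }
    return LEVELS[max(factors.values())], factors

def flatten_iocs(threat):
    """Flatten nested IOC fields into (type, value) pairs, dropping CLEAN verdicts."""
    iocs = [("url", u["url"]) for u in threat.get("urls", []) if u.get("verdict") != "CLEAN"]
    iocs += [("domain", d) for d in threat.get("domains", [])]
    iocs += [("ip", ip) for ip in threat.get("ipAddresses", [])]
    iocs += [("sha256", f["sha256"]) for f in threat.get("fileHashes", [])
             if f.get("verdict") != "CLEAN"]
    return iocs

# Constructed sample record (not real data) in the shape of the threat object tables.
SAMPLE = {
    "type": "PHISHING", "confidenceScore": 82, "userInteraction": "CLICKED",
    "dataExposure": "CREDENTIALS", "recipients": ["cfo@company.com", "ap@company.com"],
    "urls": [{"url": "https://login-example.invalid/", "verdict": "MALICIOUS"},
             {"url": "https://company.com/", "verdict": "CLEAN"}],
    "domains": ["login-example.invalid"], "ipAddresses": ["203.0.113.10"], "fileHashes": [],
}
```

With the CFO listed as an executive the sample rates CRITICAL on the recipients factor alone; without that list it rates HIGH, driven equally by type, confidence, click and credential entry.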
| Code | Message | Resolution |
|---|---|---|
| 400 | Invalid threat type | Use valid type codes from reference above |
| 400 | Invalid date range | Max 90-day range, startDate before endDate |
| 401 | Unauthorized | Check API credentials and token expiry |
| 403 | Insufficient permissions | API key needs threat detection scope |
| 404 | Threat not found | Verify threat ID exists |
| 429 | Rate limited | Implement exponential backoff |
| Error | Cause | Fix |
|---|---|---|
| Invalid severity filter | Unrecognized severity value | Use CRITICAL, HIGH, MEDIUM, or LOW |
| Too many IOC types | Requested more than supported | Use valid iocTypes: urls, domains, fileHashes, ipAddresses |
| Threat expired | Older than retention period | Data no longer available |