Playblocks Highlights: Powerful Automations You Might’ve Missed
Hey CheckMates!
We’re kicking off a new Playblocks Highlights series. These are short, practical posts that surface useful insights across automations, connectors, and pro tips you can put to work immediately. First up: predefined automations you might not have tried yet.
💡 Playblocks makes automation accessible. No scripts - just ready‑to‑run workflows that strengthen your defenses and save your team time.
De‑isolate a potentially clean Microsoft Defender machine
What it does: Removes isolation from a Defender machine that is now assessed as clean - streamlining recovery and minimizing downtime.
Supported product: Microsoft Defender connector
Trigger: When a potentially clean isolated machine is detected.
Approval step: Runs upon administrator approval to avoid premature de‑isolation.
Block malicious file indicator identified by Threat Extraction (Harmony Endpoint)
What it does: Adds malicious file indicators identified by Threat Extraction (Harmony Endpoint) into an IOC feed to update threat intel and block propagation.
Supported products: Harmony Endpoint; Infinity IoC Management (IoC Enforcement connector)
Trigger: Match on malicious file indicator with high confidence.
Note: there are multiple IOC automations available that can expand your feed from different vendors - Quantum, Harmony Endpoint, Microsoft Defender, CrowdStrike, and SentinelOne.

Block attacking IP with malicious reputation identified by IPS
What it does: Automatically blocks IP addresses flagged as attackers, ensuring immediate protection across your environment.
Supported product: Quantum Enforcement connector
Trigger: Attacking IP identified through security logs.
Bonus: Once you connect the Quantum Enforcement connector, you also unlock the ability to build custom AI‑generated automations that include IP blocking.
Alert on VPN certificate expiration on Quantum Gateway
What it does: Proactively alerts (and can open a ticket) when VPN certificates are about to expire or have expired, so you can renew before downtime.
Supported product: Quantum
Trigger: VPN certificate is expired or within your warning window.
Key parameters:
- Attempt frequency for checking expirations
- Alert when certs are about to expire
- Warning window ("about to expire within")
- Re‑alert interval per gateway
- Open a ticket if certificates are expired
💡 Pro Tip: Schedule alerts with enough lead time to renew - set ticket creation to auto‑open so no one misses it.
Isolate potentially infected CrowdStrike device (enforced by Endpoint)
What it does: Auto‑isolates CrowdStrike‑flagged devices with high‑severity infections to prevent lateral movement.
Supported product: CrowdStrike connector
Trigger: High‑severity infection (for example malware/virus) detected by CrowdStrike.
Isolate potentially infected SentinelOne device (enforced by Endpoint)
What it does: Isolates SentinelOne‑flagged devices with high‑severity threats to stop spread quickly.
Supported product: SentinelOne connector
Trigger: High‑severity infection detected by SentinelOne.
Have a Quantum automation in mind that doesn’t exist today among our out‑of‑the‑box automations?
You can easily make it happen by creating an automation with AI.
If you can think it - you can build it. Simply describe the outcome you want, and AI Copilot will propose a ready‑to‑run flow you can edit and refine.


Try it now
Jump into your tenant and explore these out‑of‑the‑box flows (and build your own):
👉 Start using Automations today
Tell us what to highlight next
This series will keep shining a light on value across Playblocks - more automations, connectors, and more tips. What would you like to see?
Feedback & requests: PlayBlocks-Feedback@checkpoint.com