Check Point (Traffic, Email Security, EDR)


TL;DR

Supported data types        | 3rd party detection / Hunters detection / IOC search / Search | Table name                | Log format | Collection method
Checkpoint traffic logs     | ✅ ✅                                                          | checkpoint_traffic        | Syslog     | S3
Check Point email security  | ✅ ✅ ✅                                                       | checkpoint_email_security | JSON       | S3
Checkpoint EDR              |                                                               | checkpoint_edr            | Syslog     | S3


Overview

This article explains how to ingest your Check Point appliances' logs to Hunters.

Check Point Infinity's portfolio of solutions protects enterprises and public organizations from 5th generation cyber-attacks with an industry-leading catch rate of malware, ransomware and other threats.

Supported data types

Checkpoint traffic logs

Overview - Checkpoint traffic logs

Table name: checkpoint_traffic

Checkpoint traffic logs record data and analysis related to the flow of network traffic through Checkpoint firewall devices. These logs include detailed information on allowed and blocked traffic, tracking source and destination IP addresses, ports used, protocols, action taken by the firewall, and more. They are essential for security analysis, troubleshooting network issues, and ensuring compliance with security policies.

Send data to Hunters

💡Before you start

To complete the connection of these logs, you'll need to set up a Syslog server, forward logs from Check Point's Log Exporter to it, and then ship them to AWS S3.

1. Forward Logs to the Syslog server

Follow Check Point's Log Export documentation to start forwarding logs from the Check Point log servers to your Syslog server. Be sure to ship the logs in the Syslog RFC 5424 format. If you are using Fluentd as your syslog server, set support_colonless_ident to false.

2. Ship the logs from the Syslog server to S3

📘 Useful resources

Use this detailed guide to learn how best to set up an S3 bucket for Hunters ingestion purposes and how to provide the Hunters platform with access to the bucket.

Configure the Syslog server to ship the logs received to an S3 bucket shared with Hunters. If you're using Fluentd, make sure to send only the actual Syslog payload (the extradata section), by adding this clause to the out_s3 configuration:

<format>
    @type single_value
    message_key extradata
</format>

3. Verify files were written to S3

  1. Browse to the S3 bucket to which the Syslog forwarder is set to send data.

  2. Download the latest file and open it.

  3. Make sure it is formatted as detailed in the Expected format section below.

4. Grant Hunters access to the S3 bucket

Complete the process as described in this guide.

Expected format

Hunters expects Check Point log files to be in the Check Point Syslog format, as output by the Check Point Log Exporter. The following is an example of a typical log line:

[action:"Accept"; flags:"000000"; ifdir:"inbound"; ifname:"eth3"; logid:"0";
 origin:"192.168.1.1"; user:"John Smith (j.smith) "]

To achieve this result, send the logs as-is without extra wrappers and customizations. If you are using Fluentd as your Syslog server, additional instructions to achieve this can be found here.

Check Point Email Security

Overview - Check Point Email Security

Table name: checkpoint_email_security

Check Point Harmony Email & Collaboration (formerly Avanan) is an API-based email and collaboration security platform that connects directly to Microsoft 365, Google Workspace, and tools like Teams, OneDrive, and SharePoint to stop phishing, BEC, malware, and data loss before messages reach inboxes or files are shared. It analyzes content, links, and behavior using Check Point ThreatCloud intelligence and ML to detect zero-day threats, account takeover, graymail, and shadow IT. Deployment is lightweight (no MX change), policy-driven, and covers inbound, outbound, and internal email plus collaboration flows.

Send data to Hunters

Hunters supports the ingestion of Check Point Email Security logs using an S3 bucket.

To send data to Hunters:

  1. Contact Check Point support to learn how to route your security logs to S3.

  2. Once the export is completed and the logs are collected to S3, follow the steps in this section.

Expected format

Hunters expects Check Point email security logs to be in JSON format. The following is an example of a typical log event:

{
  "event": {
    "security_event": {
      "entity_info": {
        "entity_sub_type": "graymail",
        "entity_type": "security_event",
        "customer_farm": "mt-prod-***",
        "customer_region": "us-***",
        "customer_cluster": ["*"],
        "customer_oem": "checkpoint",
        "locale": "en-us",
        "entity_reporter": "emails-***",
        "entity_id": "evt-***",
        "customer_domain": "org-***",
        "entity_created": "2025-10-22T14:51:43.752958Z",
        "entity_expiration": 1777560703
      },
      "entity_payload": {
        "event_metadata": {
          "sender_address": "<redacted_sender_email>",
          "ap_detection_reasons": [
            "No prior comms with sender",
            "Low historical reputation",
            "Suspicious-looking link",
            "Suspicious-looking email text"
          ]
        },
        "confidence_level": 0,
        "saas": "office365_emails",
        "description_short": "Graymail detected in '<redacted_subject>' (<redacted_recipient>)",
        "aggregation_id": "agg-***",
        "current_state": "new",
        "matched_security_tool": "avanan_ap_scan",
        "event_trigger": { "type": "Policy", "id": "rule-***" },
        "description_text": "Graymail detected in an email from <redacted_sender_email> - '<redacted_subject>' (<redacted_recipient>'s mailbox)",
        "category": "graymail",
        "confidence_indicator": "graymail",
        "severity": 2
      },
      "saas_info": {
        "entity_type": "office365_emails_email",
        "saas_spam_verdict": "1",
        "account_id": ["acct-***"],
        "saas_actor_payload": {
          "full_name": "<redacted_name>",
          "email": "<redacted_recipient_email>",
          "entity_id": "acct-***",
          "is_external": false
        }
      },
      "security_event_action": [],
      "time": "2025-10-22T14:51:43.752437Z",
      "_id": "doc-***"
    },
    "entity": {
      "entity_info": {
        "customer_domain": "org-***",
        "customer_oem": "Check Point",
        "entity_type": "office365_emails_email",
        "entity_id": "mail-***",
        "entity_reporter": "emails-***",
        "entity_created": "2025-10-22T14:51:39.536937Z"
      },
      "entity_payload": {
        "attachment_count": 0,
        "body_content_type": "HTML",
        "dkim_result": "pass",
        "dmarc_result": "pass",
        "from_domain": "<redacted_domain>",
        "from_email": "<redacted_sender_email>",
        "from_name": "<redacted_display_name>",
        "is_incoming": true,
        "network_message_id": "netmsg-***",
        "orig_recipient": "<redacted_recipient_email>",
        "recipients": ["<redacted_recipient_email>"],
        "sent_datetime": "2025-10-22T14:51:31Z",
        "size": 34568,
        "spf_result": "pass",
        "subject": "<redacted_subject>",
        "to": ["<redacted_recipient_email>"],
        "email_links": [
          "https://<redacted_domain>/.../privacy_statement",
          "https://<redacted_domain>/.../terms",
          "https://<redacted_domain>/survey?...",
          "https://<redacted_domain>/unsubscribe?email=<redacted>&..."
        ],
        "email_links_domains": ["<redacted_domain_1>", "<redacted_domain_2>", "<redacted_domain_3>"]
      },
      "entity_security_result": {
        "ap": [{
          "sec_type": "ap",
          "verdict": "graymail",
          "payload": {
            "reasons_by_category_list": ["Sender Reputation", "Links", "Email Text"],
            "reasons_by_category": {
              "Email Text": [{"short_text": "Suspicious-looking email text"}],
              "Links": [{"short_text": "Suspicious-looking link"}],
              "Sender Reputation": [
                {"short_text": "No prior comms with sender"},
                {"short_text": "Insignificant sender reputation"}
              ]
            }
          }
        }],
        "combined_verdict": { "ap": "graymail", "ms_defender": "clean", "shadow_it": "clean" },
        "ms_defender": [{"sec_type": "ms_defender", "verdict": "clean"}],
        "shadow_it": [{"sec_type": "shadow_it", "verdict": "clean"}]
      },
      "saas_info": {
        "saas_actor_id": "<redacted_recipient_email>",
        "saas_entity_created": "2025-10-22T14:51:33Z",
        "saas_entity_type": "email",
        "saas_id": "office365_emails"
      },
      "time": "2025-10-22T14:51:47.633925Z"
    }
  }
}

Check Point EDR logs

Overview - Check Point EDR logs

Table name: checkpoint_edr

Check Point EDR logs represent the telemetry, security events, and operational activity generated by the Check Point Endpoint Security Client running on Windows, macOS, or Linux hosts. These logs typically include firewall enforcement events (such as inbound/outbound connection drops or allows), anti-malware update and detection telemetry, endpoint posture data (client version, installed blades, OS details), user identity information (username, SID, tenant), and policy metadata (policy name, GUID, rule name, rule ID). In addition to endpoint activity, the logs can also contain management-plane audit events, such as WEB_API logins, administrator actions, and Endpoint Security Console object modifications. Altogether, Check Point EDR logs provide a detailed picture of endpoint protections, network behavior, security policy application, user activity, and administrative operations across the environment.

Send data to Hunters

💡Before you start

To complete the connection of these logs, you'll need to set up a Syslog server, forward logs from Check Point's Log Exporter to it, and then ship them to AWS S3.

You also have to create a certificate (self-signed should be fine):

# Generate a private key and a certificate signing request (CSR).
openssl genrsa -out checkpoint.key 2048
openssl req -new -key checkpoint.key -out checkpoint.csr
<fill out certificate>
# Inspect and verify the CSR before signing it.
openssl req -text -noout -verify -in checkpoint.csr
# Self-sign the certificate, valid for one year.
openssl x509 -req -days 365 -in checkpoint.csr -signkey checkpoint.key -out checkpoint.crt
# Bundle the certificate and key into a single PEM file.
cat checkpoint.crt checkpoint.key > checkpoint.pem
# Export a PKCS#12 bundle; you will be prompted for the export password.
openssl pkcs12 -export \
  -out checkpoint.pfx \
  -inkey checkpoint.key \
  -in checkpoint.crt

Take the certificate, go to Endpoint Settings → Certificate Management, and add the certificates.

The Common Name (CN) should be the address the logs are sent to, i.e. the Syslog server (in many cases, the Cribl syslog address).

The certificate should have a password; set it under Endpoint Settings → Export Events → Add PW.

1. Forward Logs to the Syslog server

Follow Check Point's Log Export documentation to start forwarding logs from the Check Point log servers to your Syslog server. Be sure to ship the logs in the Syslog RFC 5424 format. If you are using Fluentd as your syslog server, set support_colonless_ident to false.

2. Ship the logs from the Syslog server to S3

📘 Useful resources

Use this detailed guide to learn how best to set up an S3 bucket for Hunters ingestion purposes and how to provide the Hunters platform with access to the bucket.

Configure the Syslog server to ship the logs received to an S3 bucket shared with Hunters. If you're using Fluentd, make sure to send only the actual Syslog payload (the extradata section), by adding this clause to the out_s3 configuration:

<format>
    @type single_value
    message_key extradata
</format>

3. Verify files were written to S3

  1. Browse to the S3 bucket to which the Syslog forwarder is set to send data.

  2. Download the latest file and open it.

  3. Make sure it is formatted as detailed in the Expected format section below.

4. Grant Hunters access to the S3 bucket

Complete the process as described in this guide.

Expected format

Hunters expects Check Point log files to be in the Check Point Syslog format (RFC 5424), as output by the Check Point Log Exporter. The following is an example of typical log lines:

<134>1 2025-11-29T00:00:00Z i-AAAAAAAAAAAAAAA1 CheckPoint 12498 - [flags:"133440"; ifdir:"inbound"; ifname:"daemon"; loguid:"{0x692a3781,0x0,0x80164a4,0x186c30d2}"; origin:"1.1.1.1"; originsicname:"cn=cp_mgmt,o=gw-XXXXXX..YYYYYY"; sequencenum:"1"; time:"1764374400"; version:"5"; log_sys_message:"Log file has been switched to: 2025-11-29_000000.log"]
<134>1 2025-11-29T00:00:00Z i-AAAAAAAAAAAAAAA1 CheckPoint 12498 - [flags:"133472"; ifdir:"inbound"; ifname:"daemon"; loguid:"{0x692a3782,0x0,0x80164a4,0x186c30d2}"; origin:"1.1.1.1"; originsicname:"cn=cp_mgmt,o=gw-XXXXXX..YYYYYY"; sequencenum:"2"; time:"1764374400"; version:"5"; log_sys_message:"Log file has been switched to: 2025-11-29_000000.adtlog"]
<134>1 2025-11-29T00:00:03Z i-AAAAAAAAAAAAAAA1 CheckPoint 12498 - [action:"Drop"; flags:"131104"; ifdir:"inbound"; loguid:"{0x692a3784,0x0,0x80164a4,0x186c30d2}"; origin:"1.1.1.1"; originsicname:"cn=cp_mgmt,o=gw-XXXXXX..YYYYYY"; sequencenum:"1"; time:"1764374403"; version:"5"; additional_info:"Version: 'XXXX';Policy Name: 'Policy-Redacted'"; administrator:"admin@example.com"; machine:"host1"; objectname:"PolicyObject1"; objecttype:"Endpoint policy object"; operation:"Create Object"; product:"Endpoint Security Console"; subject:"Object Manipulation"; uid:"00000000-0000-0000-0000-000000000000"]

To achieve this result, send the logs as-is without extra wrappers and customizations. If you are using Fluentd as your Syslog server, additional instructions to achieve this can be found here.
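As an added example (not part of the Hunters documentation or of Check Point's tooling), here is a small Python parser for the Check Point Log Exporter line format shown in both Expected format sections above, accepting a bare body as well as one behind an RFC 5424 header, plus the step 3 check that flags lines a forwarder left wrapped in its own envelope. The sample lines are constructed for the example.

```python
import re
from datetime import datetime, timezone

# Constructed sample lines (not taken from a real appliance) in the two shapes
# the page shows: a bare Log Exporter body, and one behind an RFC 5424 header.
SAMPLE_LINES = [
    '[action:"Accept"; flags:"000000"; ifdir:"inbound"; ifname:"eth3"; logid:"0"; '
    'origin:"192.168.1.1"; user:"John Smith (j.smith) "]',
    '<134>1 2025-11-29T00:00:03Z i-AAAAAAAAAAAAAAA1 CheckPoint 12498 - '
    '[action:"Drop"; flags:"131104"; ifdir:"inbound"; '
    'loguid:"{0x692a3784,0x0,0x80164a4,0x186c30d2}"; origin:"1.1.1.1"; '
    'sequencenum:"1"; time:"1764374403"; version:"5"; '
    'administrator:"admin@example.com"; operation:"Create Object"]',
    # A forwarder that kept its JSON wrapper instead of sending only extradata.
    '{"host":"fw","extradata":"[action:\\"Accept\\"; ifdir:\\"inbound\\"]"}',
]

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID, then the body.
HEADER_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) '
    r'(?P<procid>\S+) (?P<msgid>\S+) (?P<body>\[.*\])\s*$'
)
# One Log Exporter field: key:"value". Matching only quoted values keeps
# semicolons, spaces and braces inside a value (e.g. loguid) intact.
FIELD_RE = re.compile(r'(\w+):"([^"]*)"')


def parse_line(line):
    """Return {'header': ..., 'fields': ...}, or None if the line is not in the expected format."""
    line = line.rstrip('\n')
    header, body = None, line
    m = HEADER_RE.match(line)
    if m:
        header = {k: m.group(k) for k in ('pri', 'ts', 'host', 'app', 'procid', 'msgid')}
        header['facility'], header['severity'] = divmod(int(header['pri']), 8)
        body = m.group('body')
    if not (body.startswith('[') and body.endswith(']')):
        return None
    fields = {k: v.strip() for k, v in FIELD_RE.findall(body[1:-1])}
    if not fields:
        return None
    # Check Point's epoch 'time' field, when present, as an ISO 8601 UTC timestamp.
    if fields.get('time', '').isdigit():
        fields['time_utc'] = datetime.fromtimestamp(int(fields['time']), tz=timezone.utc).isoformat()
    return {'header': header, 'fields': fields}


def check_lines(lines):
    """1-based indexes of lines that are not in Check Point Log Exporter format (step 3 check)."""
    return [i for i, line in enumerate(lines, 1) if parse_line(line) is None]
```

Run `check_lines` over a file downloaded from the bucket: a non-empty result means the forwarder is still adding wrappers or customizations and the out_s3 format needs fixing.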